turbot/steampipe-mod-gcp-compliance

Control: Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately

Description

PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.sql_instance_postgresql_log_hostname_database_flag_configured

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.sql_instance_postgresql_log_hostname_database_flag_configured --share

SQL

This control uses a named query:

select
self_link resource,
case
when database_version not like 'POSTGRES%' then 'skip'
when database_flags @> '[{"name":"log_hostname","value":"on"}]' then 'ok'
else 'alarm'
end as status,
case
when database_version not like 'POSTGRES%'
then title || ' not a PostgreSQL database.'
when database_flags is null or not (database_flags @> '[{"name":"log_hostname"}]')
then title || ' ''log_hostname'' database flag not set.'
when database_flags @> '[{"name":"log_hostname","value":"on"}]'
then title || ' ''log_hostname'' database flag set to ''on''.'
else title || ' ''log_hostname'' database flag set to ''off''.'
end as reason
, location as location, project as project
from
gcp_sql_database_instance;

Tags