Control: Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
Description
By default, PostgreSQL logs only the IP address of connecting hosts. The log_hostname flag controls whether hostnames are logged in addition to the IP addresses. Enabling it incurs a performance hit that depends on the configuration of the environment and the hostname resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.sql_instance_postgresql_log_hostname_database_flag_configured
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.sql_instance_postgresql_log_hostname_database_flag_configured --share
SQL
This control uses a named query:
select
  self_link resource,
  case
    when database_version not like 'POSTGRES%' then 'skip'
    when database_flags @> '[{"name":"log_hostname","value":"on"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when database_version not like 'POSTGRES%' then title || ' not a PostgreSQL database.'
    when database_flags is null or not (database_flags @> '[{"name":"log_hostname"}]') then title || ' ''log_hostname'' database flag not set.'
    when database_flags @> '[{"name":"log_hostname","value":"on"}]' then title || ' ''log_hostname'' database flag set to ''on''.'
    else title || ' ''log_hostname'' database flag set to ''off''.'
  end as reason,
  location as location,
  project as project
from
  gcp_sql_database_instance;
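
The same check applied outside Steampipe, as an added example that is not part of the gcp_compliance mod: it evaluates instance records in the JSON shape returned by `gcloud sql instances list --format=json` and follows the branches of the named query above. The instance names and sample records are constructed, and the functions `evaluate` and `run` are hypothetical helpers.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# (Cloud SQL Admin API field names); the instance names are made up.
SAMPLE = json.loads("""
[
  {"name": "pg-on", "databaseVersion": "POSTGRES_15",
   "settings": {"databaseFlags": [{"name": "log_hostname", "value": "on"}]}},
  {"name": "pg-off", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "log_hostname", "value": "off"}]}},
  {"name": "pg-other", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}},
  {"name": "pg-none", "databaseVersion": "POSTGRES_13", "settings": {}},
  {"name": "mysql-1", "databaseVersion": "MYSQL_8_0", "settings": {}}
]
""")

FLAG = "log_hostname"


def evaluate(instance):
    """Return (status, reason) using the same branches as the named query."""
    title = instance.get("name", "<unnamed>")
    if not (instance.get("databaseVersion") or "").startswith("POSTGRES"):
        return "skip", f"{title} not a PostgreSQL database."
    # A missing or null flag list maps to the query's `database_flags is null` branch.
    flags = (instance.get("settings") or {}).get("databaseFlags") or []
    values = [f.get("value") for f in flags if f.get("name") == FLAG]
    if not values:
        return "alarm", f"{title} '{FLAG}' database flag not set."
    if "on" in values:
        return "ok", f"{title} '{FLAG}' database flag set to 'on'."
    # Like the query's final else, any other value is reported as 'off'.
    return "alarm", f"{title} '{FLAG}' database flag set to 'off'."


def run(instances):
    """Map instance name -> (status, reason)."""
    return {i["name"]: evaluate(i) for i in instances}


if __name__ == "__main__":
    for status, reason in run(SAMPLE).values():
        print(f"{status:5} {reason}")
```

An instance that sets other flags but not log_hostname is reported as "not set" rather than "off", matching the distinction the query draws in its reason column.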