Configure “log_min_error_statement” Flag for PostgreSQL Database Instances

Risk Level: Medium (should be achieved)

Rule ID: CloudSQL-013

Ensure that "log_min_error_statement" database flag configured for your Google Cloud PostgreSQL database instances has the appropriate level of severity in accordance with your organization's logging policy. The "log_min_error_statement" configuration flag defines the minimum message severity level considered an error statement. The severity levels available are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. ERROR level is considered the best practice setting. Prior to running this conformity rule, you need to specify the name of the minimum message severity level used by the "log_min_error_statement" flag within your organization, in the rule settings, on your Trend Micro Cloud One™ – Conformity account console.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

PostgreSQL database auditing can help in troubleshooting operational issues and permit administrators to perform forensic analysis. If the "log_min_error_statement" configuration flag is not set to the correct value, messages may not be classified as error messages appropriately, therefore the flag value should be set in accordance with your organization`s logging protocols.

Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).

Audit

To determine if the "log_min_error_statement" flag set for your Cloud PostgreSQL database instances has the appropriate configuration, perform the following operations:

Using GCP Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Configure "log_min_error_statement" Flag for PostgreSQL Database Instances rule, and note the severity level configured for the "log_min_error_statement" database flag.

02 Sign in to Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

04 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

05 Click inside the Filter tree box, select Type and PostgreSQL then press Enter, to list only the PostgreSQL database instances provisioned for the selected GCP project.

06 Click on the name (ID) of the database instance that you want to examine.

07 In the navigation panel, select Overview to access the configuration details available for the selected instance.

08 In the Configuration section, under Database flags, check the name of the severity level set for the log_min_error_statement database flag. If log_min_error_statement is not available in the Database flags list, or the flag value (i.e. severity level) is different than the one identified at step no. 1, the "log_min_error_statement" flag configuration for the selected Google Cloud PostgreSQL database instance is not compliant.

09 Repeat step no. 6 – 8 to check the "log_min_error_statement" flag configuration for other PostgreSQL database instances available within the selected project.

10 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Configure "log_min_error_statement" Flag for PostgreSQL Database Instances rule, and note the severity level configured for the "log_min_error_statement" database flag.

02 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

03 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-project-112233
cc-gov-project-123123

04 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each PostgreSQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list
	--project cc-web-project-112233
	--filter='DATABASE_VERSION:POSTGRES*'
	--format="(NAME)"

05 The command output should return the requested database instance name(s):

NAME
cc-app-postgres-instance
cc-web-postgres-instance

06 Run sql instances describe command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to examine as identifier parameter and custom query filters to describe the "log_min_error_statement" flag configuration value set for the selected database instance:

gcloud sql instances describe cc-app-postgres-instance
--format=json | jq '.settings.databaseFlags[] | select(.name=="log_min_error_statement")|.value'

07 The command output should return the requested flag configuration value:

"fatal"

If the sql instances describe command output returns null or the flag value (i.e. severity level) is different than the one promoted by your organization and identified at step no. 1, the "log_min_error_statement" flag configuration for the selected Google Cloud PostgreSQL database instance is not compliant.

08 Repeat step no. 5 and 6 to verify the "log_min_error_statement" flag configuration value for other PostgreSQL database instances created for the selected project.

09 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To configure the "log_min_error_statement" flag severity level in accordance with your organization`s logging policy, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter tree box, select Type and PostgreSQL then press Enter, to display only the PostgreSQL database instances available for the selected project.

05 Click on the name/ID of the database instance that you want to reconfigure.

06 In the navigation panel, select Overview to access the configuration details of the selected instance.

07 Click on the Edit button from the dashboard top menu to enter the instance edit mode.

08 In the Configuration options section, click on Flags to expand the panel with the database flags configured for the selected PostgreSQL instance.

09 Find the log_min_error_statement flag and select the appropriate severity level, in accordance with your organization's logging policy, from the flag configuration dropdown list. If the flag has not been set on the selected instance before, click Add item, choose the log_min_error_statement flag from the Choose one dropdown menu, and set its value accordingly. Click Close to close the panel.
IMPORTANT: Configuring the "log_min_error_statement" flag restarts automatically the selected database instance.

10 Click Save to apply the configuration changes.

11 Repeat step no. 5 – 10 to configure the required flag for other PostgreSQL database instances available within the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to reconfigure as identifier parameters (see Audit section part II to identify the right resource), to set the right severity level, in accordance with your organization's logging policy, for the "log_min_error_statement" database flag configured for the selected instance. The supported levels are "debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error", "log" and "fatal", "panic". The following command request example, sets the "log_min_error_statement" severity level to "error":

gcloud sql instances patch cc-app-postgres-instance
	--database-flags log_min_error_statement=error

IMPORTANT: Configuring the "log_min_error_statement" flag restarts automatically the selected database instance.

02 Type Y to confirm the database configuration change:

The following message will be used for the patch API method.
{"name": "cc-app-postgres-instance", "project": "cc-web-project-112233", "settings": {"databaseFlags": [{"name": "log_min_error_statement", "value": "error"}]}}
WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-app-postgres-instance].

04 Repeat step no. 1 – 3 to configure the required flag for other PostgreSQL database instances provisioned for the selected project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Cloud SQL for PostgreSQL documentation
Configuring database flags
Edit instances

CIS Security Documentation
Securing Google Cloud Computing Platform

PostgreSQL Database Documentation
19.8. Error Reporting and Logging

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud sql instances list
gcloud sql instances describe
gcloud sql instances patch

Publication date Apr 12, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Configure "log_min_error_statement" Flag for PostgreSQL Database Instances

Risk Level: Medium

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudSQL rules