Ensure that the "log_temp_files" database flag is set to 0 (enabled) for all your Google Cloud PostgreSQL database instances. The PostgreSQL database engine can create temporary files for actions such as sorting, hashing and temporary query results when these operations exceed the amount of memory specified by the "work_mem" setting. Setting the "log_temp_files" flag to 0 causes all temporary file information to be logged, while positive configuration values log only files whose size is greater than or equal to the specified number of kilobytes.
A value of -1 disables temporary file information logging. By default, the "log_temp_files" flag is set to -1 in the Google Cloud PostgreSQL instance configuration. When temporary files are not logged at all, it may be difficult to identify potential performance issues caused by poor programming practices or deliberate resource starvation attempts.
Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).
Audit
To determine if "log_temp_files" flag is enabled for your Cloud PostgreSQL database instances, perform the following operations:
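One way to run this check over the JSON produced by `gcloud sql instances list --format=json`, as an added example that is not part of the original page. The sample JSON and its instance names are constructed; the `classify` and `audit` helpers are hypothetical names.

```python
import json

# Constructed sample shaped like `gcloud sql instances list --format=json`
# output (instance names are made up for this example).
SAMPLE = """
[
  {"name": "pg-all-logged", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "log_temp_files", "value": "0"}]}},
  {"name": "pg-threshold", "databaseVersion": "POSTGRES_13",
   "settings": {"databaseFlags": [{"name": "log_temp_files", "value": "4096"}]}},
  {"name": "pg-default", "databaseVersion": "POSTGRES_15", "settings": {}},
  {"name": "pg-disabled", "databaseVersion": "POSTGRES_12",
   "settings": {"databaseFlags": [{"name": "log_temp_files", "value": "-1"}]}},
  {"name": "mysql-app", "databaseVersion": "MYSQL_8_0", "settings": {}}
]
"""

def classify(value):
    """Map a log_temp_files value to (compliant, explanation)."""
    if value is None:
        return False, "flag not set; default -1 disables temp file logging"
    try:
        n = int(value)
    except (ValueError, TypeError):
        return False, f"unparseable value {value!r}"
    if n == 0:
        return True, "all temporary files are logged"
    if n > 0:
        return False, f"only temp files >= {n} kB are logged"
    if n == -1:
        return False, "temp file logging is disabled"
    return False, f"unexpected value {n}"

def audit(instances):
    """Return {instance name: (compliant, explanation)} for PostgreSQL only."""
    report = {}
    for inst in instances:
        if not inst.get("databaseVersion", "").startswith("POSTGRES"):
            continue  # the rule applies to PostgreSQL instances only
        flags = inst.get("settings", {}).get("databaseFlags") or []
        value = next((f.get("value") for f in flags
                      if f.get("name") == "log_temp_files"), None)
        report[inst["name"]] = classify(value)
    return report

if __name__ == "__main__":
    for name, (ok, why) in audit(json.loads(SAMPLE)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```

An instance with no "log_temp_files" entry is reported as failing because the default of -1 applies, and a positive threshold fails because files below that size are never logged.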
Remediation / Resolution
To turn on the "log_temp_files" database flag for your Google Cloud Platform (GCP) PostgreSQL database instances, perform the following operations: