Check for PostgreSQL Log Retention Period

More Info:

Ensure that all your Microsoft Azure PostgreSQL servers have a sufficient log retention period, i.e. greater than 3 days, configured for reliability and compliance purposes. The retention period, represented by the “log_retention_days” parameter, is the number of days to retain log data for the databases hosted on Azure PostgreSQL servers. The compliant value for the retention period is 4 to 7 days

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

Sure, here are the step-by-step instructions to remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Azure CLI:

Open the Azure CLI and log in to your Azure account.
Run the following command to set the retention period for logs in your PostgreSQL database:
```
az postgres server-logs retention update --days <number_of_days> --resource-group <resource_group_name> --server-name <server_name>
```
Replace <number_of_days> with the number of days for which you want to retain the logs, <resource_group_name> with the name of the resource group containing your PostgreSQL server, and <server_name> with the name of your PostgreSQL server. For example, to set the retention period to 30 days for a PostgreSQL server named “myserver” in a resource group named “myresourcegroup”, run the following command:
```
az postgres server-logs retention update --days 30 --resource-group myresourcegroup --server-name myserver
```
Once the command is executed successfully, the retention period for logs in your PostgreSQL database will be updated to the specified number of days.

That’s it! By following these simple steps, you can remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Azure CLI.

Using Python

To remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Python, you can follow these steps:

Import the necessary libraries:

from azure.identity import DefaultAzureCredential
from azure.mgmt.rdbms import postgresql

Set the subscription ID, resource group name, server name, and database name:

subscription_id = 'your-subscription-id'
resource_group_name = 'your-resource-group-name'
server_name = 'your-server-name'
database_name = 'your-database-name'

Create a credential object to authenticate with Azure:

credential = DefaultAzureCredential()

Create a PostgreSQLManagementClient object:

client = postgresql.PostgreSQLManagementClient(credential, subscription_id)

Get the current log retention period:

log_retention_days = client.configurations.list_by_server(resource_group_name, server_name, database_name, 'postgresqlconf').as_dict().get('log_retention_days')

If the log retention period is set to a value greater than 7 days, update the configuration:

if log_retention_days > 7:
    client.configurations.create_or_update(resource_group_name, server_name, database_name, 'postgresqlconf', {'log_retention_days': 7})

This will update the PostgreSQL log retention period to 7 days if it is currently set to a value greater than 7 days.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Check for PostgreSQL Log Retention Period

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation