More Info:

Ensure that all your Microsoft Azure PostgreSQL servers have a sufficient log retention period, i.e. greater than 3 days, configured for reliability and compliance purposes. The retention period, represented by the “log_retention_days” parameter, is the number of days to retain log data for the databases hosted on Azure PostgreSQL servers. The compliant value for the retention period is 4 to 7 days

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

Sure, I can provide you with the steps to remediate PostgreSQL Log Retention Period misconfiguration in Azure using the Azure console. Here are the steps:
  1. Login to the Azure portal and navigate to the Azure Database for PostgreSQL service.
  2. Select the PostgreSQL server for which you want to remediate the Log Retention Period misconfiguration.
  3. In the left-hand menu, select “Configuration”.
  4. Scroll down to the “Logging” section and locate the “retention_days” parameter.
  5. Update the value of “retention_days” to the desired log retention period (in days).
  6. Click the “Save” button to save the changes.
  7. Verify the changes by checking the “Overview” page of the PostgreSQL server and ensuring that the new retention period is reflected.
That’s it! You have successfully remediated the PostgreSQL Log Retention Period misconfiguration in Azure using the Azure console.

Sure, here are the step-by-step instructions to remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Azure CLI:
  1. Open the Azure CLI and log in to your Azure account.
  2. Run the following command to set the retention period for logs in your PostgreSQL database: 
    az postgres server-logs retention update --days <number_of_days> --resource-group <resource_group_name> --server-name <server_name>
    Replace <number_of_days> with the number of days for which you want to retain the logs, <resource_group_name> with the name of the resource group containing your PostgreSQL server, and <server_name> with the name of your PostgreSQL server. For example, to set the retention period to 30 days for a PostgreSQL server named “myserver” in a resource group named “myresourcegroup”, run the following command: 
    az postgres server-logs retention update --days 30 --resource-group myresourcegroup --server-name myserver
  3. Once the command is executed successfully, the retention period for logs in your PostgreSQL database will be updated to the specified number of days.
That’s it! By following these simple steps, you can remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Azure CLI.
To remediate the PostgreSQL Log Retention Period misconfiguration in Azure using Python, you can follow these steps:
  1. Import the necessary libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.rdbms import postgresql
  1. Set the subscription ID, resource group name, server name, and database name:
subscription_id = 'your-subscription-id'
resource_group_name = 'your-resource-group-name'
server_name = 'your-server-name'
database_name = 'your-database-name'
  1. Create a credential object to authenticate with Azure:
credential = DefaultAzureCredential()
  1. Create a PostgreSQLManagementClient object:
client = postgresql.PostgreSQLManagementClient(credential, subscription_id)
  1. Get the current log retention period:
log_retention_days = client.configurations.list_by_server(resource_group_name, server_name, database_name, 'postgresqlconf').as_dict().get('log_retention_days')
  1. If the log retention period is set to a value greater than 7 days, update the configuration:
if log_retention_days > 7:
    client.configurations.create_or_update(resource_group_name, server_name, database_name, 'postgresqlconf', {'log_retention_days': 7})
This will update the PostgreSQL log retention period to 7 days if it is currently set to a value greater than 7 days.