More Info:

Ensure that “log_checkpoints” server parameter is enabled for all PostgreSQL database servers available within your Microsoft Azure cloud account. The “log_checkpoints” parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of enabling “LOG_CHECKPOINTS” parameter for PostgreSQL servers in Azure, you can follow the below steps:
  1. Open the Azure portal and navigate to the Azure Database for PostgreSQL service.
  2. Select the PostgreSQL server for which you want to enable the “LOG_CHECKPOINTS” parameter.
  3. Click on the “Configuration” option in the left-hand menu.
  4. Under the “Settings” tab, scroll down to the “Custom” section and click on the ”+ Add” button.
  5. In the “Add Configuration Parameter” window, enter “log_checkpoints” in the “Name” field and “on” in the “Value” field.
  6. Click on the “OK” button to save the configuration parameter.
  7. Restart the PostgreSQL server for the changes to take effect.
After completing these steps, the “LOG_CHECKPOINTS” parameter will be enabled for the PostgreSQL server in Azure.

To remediate the “LOG_CHECKPOINTS” parameter misconfiguration for PostgreSQL servers in Azure using Azure CLI, you can follow these steps:
  1. Open the Azure CLI on your local machine or through the Azure portal.
  2. Run the following command to log in to your Azure account: 
az login
  1. Once you are logged in, run the following command to list all the available PostgreSQL servers in your Azure account:
az postgres server list
  1. Choose the server that you want to remediate and run the following command to get the current configuration settings:
az postgres server configuration list --resource-group <resource-group-name> --server-name <server-name>
Make sure to replace <resource-group-name> and <server-name> with the actual names of your resource group and server.
  1. Identify whether the “LOG_CHECKPOINTS” parameter is set to “off” or not in the output of the above command.
  2. If the “LOG_CHECKPOINTS” parameter is set to “off”, run the following command to update the configuration and enable it: 
az postgres server configuration set --resource-group <resource-group-name> --server-name <server-name> --name log_checkpoints --value on
Again, replace <resource-group-name> and <server-name> with the actual names of your resource group and server.
  1. Verify the updated configuration by running the command in step 4 again.
  2. Repeat steps 5-7 for any other PostgreSQL servers that have the “LOG_CHECKPOINTS” parameter misconfiguration.
By following these steps, you can remediate the “LOG_CHECKPOINTS” parameter misconfiguration for PostgreSQL servers in Azure using Azure CLI.
To remediate the misconfiguration of enabling the “LOG_CHECKPOINTS” parameter for PostgreSQL servers in Azure using Python, you can follow the below steps:
  1. First, you need to connect to the Azure PostgreSQL server using the psycopg2 library in Python. You can install it using the following command: 
    !pip install psycopg2-binary
  2. Once you have installed the psycopg2 library, you can use the following code snippet to connect to the Azure PostgreSQL server: 
    import psycopg2

conn = psycopg2.connect(
    host="your_server_name.postgres.database.azure.com",
    database="your_database_name",
    user="your_username@your_server_name",
    password="your_password"
)
    Replace the <your_server_name>, <your_database_name>, <your_username>, and <your_password> with your actual server details.
  3. After connecting to the Azure PostgreSQL server, you can execute the following SQL query to enable the “LOG_CHECKPOINTS” parameter: 
    with conn.cursor() as cur:
    cur.execute("ALTER SYSTEM SET log_checkpoints = on;")
    conn.commit()
    This query will enable the “LOG_CHECKPOINTS” parameter for the Azure PostgreSQL server.
  4. Finally, you can close the connection to the Azure PostgreSQL server using the following code: 
    conn.close()
    This will close the connection to the Azure PostgreSQL server.
By following the above steps, you can remediate the misconfiguration of enabling the “LOG_CHECKPOINTS” parameter for PostgreSQL servers in Azure using Python.