Enable log_checkpoints Parameter for PostgreSQL Flexible Servers
More Info:
Ensure that the “log_checkpoints” server parameter is enabled for all PostgreSQL flexible database servers available within your Microsoft Azure cloud account. The “log_checkpoints” parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To enable the log_checkpoints parameter for PostgreSQL Flexible Servers in Azure, you can follow the below steps:
- Open the Azure portal and go to your PostgreSQL Flexible Server resource.
- In the left-hand menu, click on the “Configuration” option.
- In the “Configuration” blade, click on the “Edit” button located at the top.
- In the “Edit configuration” blade, search for the log_checkpoints parameter in the “Parameters” section.
- If the parameter is not present, click on the “Add parameter” button and enter the following details:
  - Name: log_checkpoints
  - Value: on
- If the parameter is already present, click on the parameter and change its value to “on”.
- Click on the “Save” button to save the changes.
- Once the changes are saved, the PostgreSQL Flexible Server will be restarted to apply the new configuration.
- After the server is restarted, the log_checkpoints parameter will be enabled and the server will start logging checkpoint activities.
This will remediate the misconfiguration of not having the log_checkpoints parameter enabled for PostgreSQL Flexible Servers in Azure.
To remediate the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI, you can follow the below steps:
Step 1: Open Azure CLI and login to your Azure account using the command:
az login
Step 2: Once you are logged in, select the Azure subscription where your PostgreSQL Flexible Server is running using the command:
az account set --subscription <subscription_id>
Step 3: Now, enable the log_checkpoints parameter for your PostgreSQL Flexible Server using the following command:
az postgres flexible-server parameter set --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name> --value on
Make sure to replace <resource_group_name> and <server_name> with the actual resource group name and server name where your PostgreSQL Flexible Server is running.
Step 4: Verify that the parameter has been enabled successfully using the following command:
az postgres flexible-server parameter show --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name>
This will display the current value of the log_checkpoints parameter.
That’s it! You have now successfully remediated the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI.
To enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python, you can follow these steps:
- Install the azure-identity and azure-mgmt-rdbms Python packages using pip:
pip install azure-identity azure-mgmt-rdbms
- Import the necessary modules:
from azure.identity import DefaultAzureCredential
# Flexible Server management client and models from the azure-mgmt-rdbms package
from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient
from azure.mgmt.rdbms.postgresql_flexibleservers.models import Configuration
- Set up the credentials for authentication:
credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'
- Create the PostgreSQLManagementClient object:
client = PostgreSQLManagementClient(credential, subscription_id)
- Get the current server configurations:
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
- Check if the log_checkpoints parameter is already enabled:
log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break
- If the log_checkpoints parameter is not enabled, create a new configuration object and update the server configuration:
if not log_checkpoints_enabled:
    new_configuration = Configuration(value='on', source='user-override')
    # The update is a long-running operation; .result() waits for it to finish
    client.configurations.begin_update(resource_group_name, server_name, 'log_checkpoints', new_configuration).result()
- Verify that the log_checkpoints parameter is now enabled:
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break
The complete code snippet to enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python is as follows:
from azure.identity import DefaultAzureCredential
# Flexible Server management client and models from the azure-mgmt-rdbms package
from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient
from azure.mgmt.rdbms.postgresql_flexibleservers.models import Configuration

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'
client = PostgreSQLManagementClient(credential, subscription_id)

# Check whether log_checkpoints is already set to 'on'
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break

# Enable the parameter if needed; the update is a long-running operation
if not log_checkpoints_enabled:
    new_configuration = Configuration(value='on', source='user-override')
    client.configurations.begin_update(resource_group_name, server_name, 'log_checkpoints', new_configuration).result()

# Verify the new value
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break
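The steps above check one server, while the rule covers every flexible server in the account. The following added example (not part of the original page) audits all servers a client can list and reports failed lookups instead of counting them as passes. It assumes a management client exposing servers.list() and configurations.get(resource_group, server, name); constructed_client and SAMPLE are constructed stand-ins so the block runs offline.

```python
import re
from types import SimpleNamespace

PARAM = "log_checkpoints"
_RG_RE = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)

def resource_group_of(resource_id):
    """Extract the resource group name from an ARM resource ID."""
    match = _RG_RE.search(resource_id or "")
    if not match:
        raise ValueError(f"no resource group in ID: {resource_id!r}")
    return match.group(1)

def audit_log_checkpoints(client):
    """Return one finding per server: compliant, non-compliant or unknown."""
    findings = []
    for server in client.servers.list():
        finding = {"server": server.name, "status": "unknown", "value": None}
        try:
            rg = resource_group_of(server.id)
            cfg = client.configurations.get(rg, server.name, PARAM)
            finding["value"] = cfg.value
            is_on = (cfg.value or "").strip().lower() == "on"
            finding["status"] = "compliant" if is_on else "non-compliant"
        except Exception as exc:  # a failed lookup is reported, never counted as a pass
            finding["error"] = f"{type(exc).__name__}: {exc}"
        findings.append(finding)
    return findings

def constructed_client(values):
    """Constructed stand-in for the management client (sample data only)."""
    base = ("/subscriptions/0000/resourceGroups/rg-demo/providers/"
            "Microsoft.DBforPostgreSQL/flexibleServers/")
    def get(resource_group, server, name):
        if isinstance(values[server], Exception):
            raise values[server]
        return SimpleNamespace(name=name, value=values[server])
    servers = [SimpleNamespace(name=n, id=base + n) for n in values]
    return SimpleNamespace(servers=SimpleNamespace(list=lambda: servers),
                           configurations=SimpleNamespace(get=get))

# Constructed sample: one enabled, one disabled, one the caller cannot read
SAMPLE = {"pg-app": "on", "pg-legacy": "off", "pg-locked": PermissionError("denied")}

if __name__ == "__main__":
    for row in audit_log_checkpoints(constructed_client(SAMPLE)):
        print(row)
```

To audit a live subscription, pass an authenticated management client in place of constructed_client(SAMPLE).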