More Info:

Ensure that “log_checkpoints” server parameter is enabled for all PostgreSQL flexible database servers available within your Microsoft Azure cloud account. The “log_checkpoints” parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To enable the log_checkpoints parameter for PostgreSQL Flexible Servers in Azure, you can follow the below steps:
  1. Open the Azure portal and go to your PostgreSQL Flexible Server resource.
  2. In the left-hand menu, click on the “Configuration” option.
  3. In the “Configuration” blade, click on the “Edit” button located at the top.
  4. In the “Edit configuration” blade, search for the log_checkpoints parameter in the “Parameters” section.
  5. If the parameter is not present, click on the “Add parameter” button and enter the following details:
    • Name: log_checkpoints
    • Value: on
  6. If the parameter is already present, click on the parameter and change its value to “on”.
  7. Click on the “Save” button to save the changes.
  8. Once the changes are saved, the PostgreSQL Flexible Server will be restarted to apply the new configuration.
  9. After the server is restarted, the log_checkpoints parameter will be enabled and the server will start logging checkpoint activities.
This will remediate the misconfiguration of not having the log_checkpoints parameter enabled for PostgreSQL Flexible Servers in Azure.

Using CLI

To remediate the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI, you can follow the below steps:
Step 1: Open Azure CLI and log in to your Azure account using the command:
az login
Step 2: Once you are logged in, select the Azure subscription where your PostgreSQL Flexible Server is running using the command:
az account set --subscription <subscription_id>
Step 3: Now, enable the log_checkpoints parameter for your PostgreSQL Flexible Server using the following command (for flexible servers the Azure CLI exposes server settings under the parameter subgroup):
az postgres flexible-server parameter set --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name> --value on
Make sure to replace <resource_group_name> and <server_name> with the actual resource group name and server name where your PostgreSQL Flexible Server is running.
Step 4: Verify that the parameter has been enabled successfully using the following command:
az postgres flexible-server parameter show --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name>
This will display the current value of the log_checkpoints parameter.

That’s it! You have now successfully remediated the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI.

Using Python

To enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python, you can follow these steps:
  1. Install the Azure SDK packages for authentication and PostgreSQL management using pip (the flexible-server client ships in azure-mgmt-rdbms):
pip install azure-identity azure-mgmt-rdbms
  2. Import the necessary modules:
from azure.identity import DefaultAzureCredential
# Flexible servers use their own management client, separate from the single-server one
from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient
from azure.mgmt.rdbms.postgresql_flexibleservers.models import Configuration
  3. Set up the credentials for authentication:
credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'
  4. Create the PostgreSQLManagementClient object:
client = PostgreSQLManagementClient(credential, subscription_id)
  5. Get the current server configurations:
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
  6. Check if the log_checkpoints parameter is already enabled:
log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break
  7. If the log_checkpoints parameter is not enabled, create a new configuration object and update the server configuration:
if not log_checkpoints_enabled:
    new_configuration = Configuration(value='on', source='user-override')
    # begin_update starts a long-running operation; result() waits for it to finish
    client.configurations.begin_update(resource_group_name, server_name, 'log_checkpoints', new_configuration).result()
  8. Verify that the log_checkpoints parameter is now enabled:
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break
The complete code snippet to enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python is as follows:
# Requires: pip install azure-identity azure-mgmt-rdbms
from azure.identity import DefaultAzureCredential
# Flexible servers use their own management client, separate from the single-server one
from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient
from azure.mgmt.rdbms.postgresql_flexibleservers.models import Configuration

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'

client = PostgreSQLManagementClient(credential, subscription_id)

# Read the current parameters of the server
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)

log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break

if not log_checkpoints_enabled:
    new_configuration = Configuration(value='on', source='user-override')
    # begin_update starts a long-running operation; result() waits for it to finish
    client.configurations.begin_update(resource_group_name, server_name, 'log_checkpoints', new_configuration).result()

# Re-read the parameters to confirm the change took effect
server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break
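
The steps above change one server, while the rule covers every PostgreSQL flexible server in the account. The following audit is an added example, not code from the original page: it walks all servers a client can see and reports those where log_checkpoints is not on. It assumes the client exposes servers.list() and configurations.get(); the function names, make_fake_client and SAMPLE are hypothetical and constructed so the audit runs offline.

```python
import re
from types import SimpleNamespace

# Resource group segment of an ARM resource ID (Azure treats it case-insensitively).
_RG = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)


def audit_log_checkpoints(client):
    """Return one finding per flexible server visible to `client`.

    Assumes `client` offers servers.list() and
    configurations.get(resource_group, server, name).
    """
    findings = []
    for server in client.servers.list():
        match = _RG.search(server.id or "")
        rg = match.group(1) if match else None
        value = source = None
        if rg is not None:  # without a resource group the lookup is impossible
            cfg = client.configurations.get(rg, server.name, "log_checkpoints")
            value = (cfg.value or "").strip().lower()
            source = cfg.source
        findings.append({"server": server.name, "resource_group": rg,
                         "value": value, "source": source,
                         "compliant": value == "on"})
    return findings


def non_compliant(findings):
    """Sorted names of servers where log_checkpoints is not 'on'."""
    return sorted(f["server"] for f in findings if not f["compliant"])


def make_fake_client(inventory):
    """Constructed stand-in for the SDK client; maps ARM ID -> parameter value."""
    servers = [SimpleNamespace(id=i, name=i.rsplit("/", 1)[-1]) for i in inventory]
    values = {s.name: inventory[s.id] for s in servers}
    get = lambda rg, name, param: SimpleNamespace(value=values[name], source="system-default")
    return SimpleNamespace(servers=SimpleNamespace(list=lambda: servers),
                           configurations=SimpleNamespace(get=get))


_PREFIX = "/providers/Microsoft.DBforPostgreSQL/flexibleServers/"
SAMPLE = {  # constructed inventory, not real resources
    "/subscriptions/0000/resourceGroups/rg-app" + _PREFIX + "pg-orders": "on",
    "/subscriptions/0000/resourcegroups/rg-data" + _PREFIX + "pg-reports": "off",
}

if __name__ == "__main__":
    for finding in audit_log_checkpoints(make_fake_client(SAMPLE)):
        print(finding)
```

To audit a real subscription, pass a flexible-server PostgreSQLManagementClient to audit_log_checkpoints in place of the fake client.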