Enable log_checkpoints Parameter for PostgreSQL Flexible Servers

More Info:

Ensure that “log_checkpoints” server parameter is enabled for all PostgreSQL flexible database servers available within your Microsoft Azure cloud account. The “log_checkpoints” parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI, you can follow the below steps:Step 1: Open Azure CLI and login to your Azure account using the command:

az login

Step 2: Once you are logged in, select the Azure subscription where your PostgreSQL Flexible Server is running using the command:

az account set --subscription <subscription_id>

Step 3: Now, enable the log_checkpoints parameter for your PostgreSQL Flexible Server using the following command:

az postgres flexible-server configuration set --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name> --value on

Make sure to replace <resource_group_name> and <server_name> with the actual resource group name and server name where your PostgreSQL Flexible Server is running.Step 4: Verify that the parameter has been enabled successfully using the following command:

az postgres flexible-server configuration show --name log_checkpoints --resource-group <resource_group_name> --server-name <server_name>

This will display the current value of the log_checkpoints parameter.That’s it! You have now successfully remediated the misconfiguration “Enable log_checkpoints Parameter for PostgreSQL Flexible Servers” for Azure using Azure CLI.

Using Python

To enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python, you can follow these steps:

Install the azure-mgmt-postgresql Python package using pip:

pip install azure-mgmt-postgresql

Import the necessary modules:

from azure.identity import DefaultAzureCredential
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.postgresql.models import ServerConfiguration

Set up the credentials for authentication:

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'

Create the PostgreSQLManagementClient object:

client = PostgreSQLManagementClient(credential, subscription_id)

Get the current server configurations:

server_configurations = client.configurations.list_by_server(resource_group_name, server_name)

Check if the log_checkpoints parameter is already enabled:

log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break

If the log_checkpoints parameter is not enabled, create a new configuration object and update the server configuration:

if not log_checkpoints_enabled:
    new_configuration = ServerConfiguration(name='log_checkpoints', value='on')
    client.configurations.create_or_update(resource_group_name, server_name, 'log_checkpoints', new_configuration)

Verify that the log_checkpoints parameter is now enabled:

server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break

The complete code snippet to enable the log_checkpoints parameter for PostgreSQL Flexible Servers on Azure using Python is as follows:

from azure.identity import DefaultAzureCredential
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.postgresql.models import ServerConfiguration

credential = DefaultAzureCredential()
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'

client = PostgreSQLManagementClient(credential, subscription_id)

server_configurations = client.configurations.list_by_server(resource_group_name, server_name)

log_checkpoints_enabled = False
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            log_checkpoints_enabled = True
        break

if not log_checkpoints_enabled:
    new_configuration = ServerConfiguration(name='log_checkpoints', value='on')
    client.configurations.create_or_update(resource_group_name, server_name, 'log_checkpoints', new_configuration)

server_configurations = client.configurations.list_by_server(resource_group_name, server_name)
for configuration in server_configurations:
    if configuration.name == 'log_checkpoints':
        if configuration.value == 'on':
            print('log_checkpoints parameter is now enabled')
        break

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Enable log_checkpoints Parameter for PostgreSQL Flexible Servers

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation