More Info:

Ensure that “log_duration” server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the “log_duration” parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the “Parse”, “Bind”, and “Execute” steps is logged independently.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the “LOG_DURATION” parameter misconfiguration for PostgreSQL Servers in Azure, you can follow the below steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the PostgreSQL server for which you want to enable the “LOG_DURATION” parameter.
  3. Click on the “Configuration” tab from the left-hand side menu.
  4. Scroll down to the “Parameters” section and search for the “log_duration” parameter.
  5. If the “log_duration” parameter is not present, click on the ”+ Add parameter” button and add the parameter.
  6. Set the value of the “log_duration” parameter to “on” to enable it.
  7. Click on the “Save” button to save the changes.
After following the above steps, the “LOG_DURATION” parameter will be enabled for the PostgreSQL server in Azure.

To remediate the misconfiguration of enabling the “LOG_DURATION” parameter for PostgreSQL servers in AZURE using AZURE CLI, you can follow the below steps:
  1. Open the AZURE CLI and log in to your AZURE account.
  2. Run the below command to get the list of all the PostgreSQL servers in your subscription: 
    az postgres server list
  3. Select the PostgreSQL server for which you want to enable the “LOG_DURATION” parameter and note down its resource group name and server name.
  4. Run the below command to enable the “LOG_DURATION” parameter for the selected PostgreSQL server: 
    az postgres server configuration set --resource-group <resource_group_name> --server-name <server_name> --name log_duration --value on
    Replace <resource_group_name> and <server_name> with the actual values of the resource group name and server name noted down in step 3.
  5. Verify that the “LOG_DURATION” parameter is enabled for the PostgreSQL server by running the below command: 
    az postgres server configuration list --resource-group <resource_group_name> --server-name <server_name> --query "[?name=='log_duration']"
    If the output shows the value of “value” parameter as “on”, then the “LOG_DURATION” parameter is enabled for the PostgreSQL server.
By following the above steps, you can remediate the misconfiguration of enabling the “LOG_DURATION” parameter for PostgreSQL servers in AZURE using AZURE CLI.
To enable the “LOG_DURATION” parameter for PostgreSQL servers in Azure using python, you can follow the below steps:
  1. Import the necessary libraries:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.rdbms.postgresql import PostgreSQLManagementClient
  1. Set the credentials for authentication:
TENANT_ID = '<your tenant id>'
CLIENT = '<your client id>'
KEY = '<your client secret>'
SUBSCRIPTION_ID = '<your subscription id>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT,
    secret=KEY,
    tenant=TENANT_ID
)
  1. Create a PostgreSQL management client object:
client = PostgreSQLManagementClient(
    credentials=credentials,
    subscription_id=SUBSCRIPTION_ID
)
  1. Get the PostgreSQL server you want to enable the “LOG_DURATION” parameter for:
RESOURCE_GROUP_NAME = '<your resource group name>'
SERVER_NAME = '<your server name>'

server = client.servers.get(
    resource_group_name=RESOURCE_GROUP_NAME,
    server_name=SERVER_NAME
)
  1. Update the server configuration to enable the “LOG_DURATION” parameter:
CONFIGURATION_NAME = 'postgresql.conf'
CONFIGURATION_VALUE = 'log_duration = on'

parameters = {
    'name': CONFIGURATION_NAME,
    'value': CONFIGURATION_VALUE
}

client.configurations.create_or_update(
    resource_group_name=RESOURCE_GROUP_NAME,
    server_name=SERVER_NAME,
    configuration_name=CONFIGURATION_NAME,
    parameters=parameters
)
  1. Verify that the configuration has been updated:
configuration = client.configurations.get(
    resource_group_name=RESOURCE_GROUP_NAME,
    server_name=SERVER_NAME,
    configuration_name=CONFIGURATION_NAME
)

print(configuration.value)
This should enable the “LOG_DURATION” parameter for the PostgreSQL server in Azure.