PostgreSQL Enable PGAudit Database Flag Should Be On
More Info:
As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.Risk Level
LowAddress
Reliability, SecurityCompliance Standards
CISGCP, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the PostgreSQL Enable PGAudit Database Flag Should Be On misconfiguration for GCP using GCP console, follow the below steps:
- Open the Google Cloud Console and select the project in which your PostgreSQL instance is running.
- Navigate to the Cloud SQL Instances page and click on the name of the PostgreSQL instance you want to remediate.
- In the instance details page, select the Configuration tab.
- In the Configuration tab, click on Edit Configuration.
- In the Edit Configuration page, scroll down to the Flags section.
- In the Flags section, click on Add item.
-
In the Add item dialog box, enter the flag name as
pgaudit.enabledand set the value toon. - Click on Save to save the configuration changes.
- Once the configuration changes are saved, restart the PostgreSQL instance for the changes to take effect.
Using CLI
Using CLI
To remediate the PostgreSQL Enable PGAudit Database Flag Should Be On misconfiguration in GCP using GCP CLI, follow these steps:Replace INSTANCE_NAME with the name of your PostgreSQL instance and USER_NAME with the username for the database.Replace DATABASE_NAME with the name of the database for which you want to enable the PGAudit flag.This should return “all” indicating that all audit events are being logged.By following these steps, you can remediate the PostgreSQL Enable PGAudit Database Flag Should Be On misconfiguration in GCP using GCP CLI.
- Open the Cloud Shell in the GCP console.
- Connect to your PostgreSQL instance using the following command:
- Once connected to the PostgreSQL instance, run the following command to enable the PGAudit flag:
- Verify that the PGAudit flag is enabled by running the following command:
- Exit the PostgreSQL instance by running the following command:
Using Python
Using Python
To remediate the PostgreSQL Enable PGAudit Database Flag Should Be On misconfiguration on GCP using Python, you can follow these steps:By following these steps, you should be able to remediate the PostgreSQL Enable PGAudit Database Flag Should Be On misconfiguration on GCP using Python.
- First, ensure that you have the necessary permissions to make changes to the PostgreSQL instance.
-
Next, use the
google-cloud-sqllibrary to connect to the PostgreSQL instance. You can install this library using pip:
- Once you have connected to the instance, you can use the
patchmethod of theDatabaseInstanceobject to update thesettings.settingsVersionfield with the latest version. This will ensure that you are making changes to the latest version of the settings.
- Next, you can use the
patchmethod again to update thesettings.databaseFlagsfield with thepgaudit.logflag set toon. This will enable PGAudit database flag.
- Finally, you can verify that the changes have been made by querying the
settingsfield of theDatabaseInstanceobject: