PostgreSQL Log Disconnections Flag Should Be Disabled

More Info:

Ensure that the log_disconnections database flag for Cloud SQL PostgreSQL instance is set to on.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL Log Disconnections Flag Should Be Disabled misconfiguration in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP console.
Run the following command to authenticate the gcloud CLI tool:

gcloud auth login

Set the project where the PostgreSQL instance is located:

gcloud config set project [PROJECT_ID]

Get the instance name of the PostgreSQL instance:

gcloud sql instances list

Get the current value of the log_disconnections flag for the PostgreSQL instance:

gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.userVariables.log_disconnections)"

If the output of the above command is ON, then run the following command to disable the flag:

gcloud sql instances patch [INSTANCE_NAME] --database-flags log_disconnections=off

Verify that the log_disconnections flag is disabled by running the following command:

gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.userVariables.log_disconnections)"

The output of the above command should be OFF, which indicates that the flag has been successfully disabled.

Using Python

To remediate the PostgreSQL Log Disconnections Flag Should Be Disabled misconfiguration on GCP using Python, you can follow these steps:

Import the necessary libraries:

from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
from google.protobuf import field_mask_pb2

Initialize the Logging client:

client = logging_v2.LoggingServiceV2Client()

Define the project ID and the log name:

project_id = "your-project-id"
log_name = "cloudsql.googleapis.com%2Fpostgres.log"

Define the filter to search for the log entries related to the disconnections flag:

filter_str = 'resource.type="cloudsql_database" AND log_name="{}" AND textPayload:"disconnection".format(log_name)

Retrieve the log entries that match the filter:

entries = client.list_log_entries(
    project_id,
    filter_=filter_str,
    order_by=field_mask_pb2.FieldMask(paths=["timestamp"]).serialize(),
).entries

For each log entry, extract the instance ID and the zone:

for entry in entries:
    instance_id = entry.resource.labels["database_id"]
    zone = entry.resource.labels["zone"]

Disable the PostgreSQL log disconnections flag for each instance:

instances_client = client.instances_client()
instance_path = instances_client.instance_path(project_id, zone, instance_id)

update_mask = field_mask_pb2.FieldMask(paths=["settings"])
settings = instances_client.get(instance_path).settings
settings.database_flags = [
    flag for flag in settings.database_flags if not flag.startswith("log_disconnections=")
]
instances_client.update(instance_path, {"settings": settings}, update_mask)

Note that you will need to authenticate with GCP and have the necessary permissions to perform these actions. Also, make sure to test this remediation in a non-production environment before applying it to your production environment.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL Log Disconnections Flag Should Be Disabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation