PostgreSQL Log Hostname Flag Should Be On

More Info:

Logging hostnames allows for the association of hostname to IP address at the time of connection. This information can aid with incident response efforts particularly in an environment that utilized dynamic IP addresses. Logging hostnames may incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname. Depending on the setup, this may be non-negligible. This recommendation is applicable to PostgreSQL database instances.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL Log Hostname Flag Should Be On misconfiguration for GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell in your GCP console.Step 2: Run the below command to set the log_hostname flag to on for the PostgreSQL instance:

gcloud sql instances patch [INSTANCE_NAME] --database-flags log_hostname=on

Note: Replace [INSTANCE_NAME] with the name of your PostgreSQL instance.Step 3: Verify the configuration change by running the below command:

gcloud sql instances describe [INSTANCE_NAME] | grep log_hostname

Note: Replace [INSTANCE_NAME] with the name of your PostgreSQL instance.This command should return the output “log_hostname: on” which indicates that the flag has been set to on.Step 4: Repeat the above steps for all the PostgreSQL instances in your GCP project to ensure that the misconfiguration is remediated.By following the above steps, you can remediate the PostgreSQL Log Hostname Flag Should Be On misconfiguration for GCP using GCP CLI.

Using Python

To remediate the PostgreSQL Log Hostname Flag Should Be On misconfiguration in GCP using Python, you can follow these steps:

Create a service account with the necessary permissions to access the PostgreSQL instance.
Install the google-cloud-sql library using pip.
Use the following Python code to update the PostgreSQL instance configuration to enable the log_hostname flag:

from google.cloud import sql_v1beta4
from google.oauth2 import service_account

# Set the project ID, instance name, and configuration name
project_id = 'your-project-id'
instance_name = 'your-instance-name'
config_name = 'your-config-name'

# Set the service account credentials
credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')

# Create the SQL Admin API client
client = sql_v1beta4.CloudSqlInstancesServiceClient(credentials=credentials)

# Get the current configuration settings
instance_path = f'projects/{project_id}/instances/{instance_name}'
instance = client.get(instance_path)
settings = instance.settings

# Update the configuration settings to enable the log_hostname flag
settings.database_flags['log_hostname'] = 'on'
settings.settings_version += 1

# Update the instance configuration
config_path = f'projects/{project_id}/configs/{config_name}'
update_mask = {'paths': ['database_flags']}
operation = client.patch(instance_path, instance, update_mask=update_mask)

# Wait for the operation to complete
operation.result()

Note: Replace your-project-id, your-instance-name, and your-config-name with your actual values. Also, replace path/to/credentials.json with the path to your service account credentials file.This code will update the PostgreSQL instance configuration to enable the log_hostname flag.

Additional Reading:

https://cloud.google.com/sql/docs/postgres/flags

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL Log Hostname Flag Should Be On

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: