PostgreSQL Log Parser Stats Flag Should Be Off

More Info:

Ensure that the log_parser_stats database flag for a Cloud SQL PostgreSQL instance is set to off.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL Log Parser Stats Flag Should Be Off misconfiguration in GCP using GCP CLI, you can follow these steps:

Open the Cloud Shell in the GCP console.
Run the following command to list all the Cloud SQL instances in your project:
```
gcloud sql instances list
```
Identify the instance that has the PostgreSQL Log Parser Stats Flag Should Be Off misconfiguration.
Run the following command to update the instance settings:
```
gcloud sql instances patch [INSTANCE_NAME] --database-flags log_parser_stats=off
```
Replace [INSTANCE_NAME] with the name of the instance that you identified in step 3.
Verify that the log_parser_stats flag is set to off by running the following command:
```
gcloud sql instances describe [INSTANCE_NAME]
```
Replace [INSTANCE_NAME] with the name of the instance that you identified in step 3. Look for the following line in the output:
```
databaseFlags:
  log_parser_stats: off
```
If you see this line, the misconfiguration has been remediated successfully.

That’s it! You have successfully remediated the PostgreSQL Log Parser Stats Flag Should Be Off misconfiguration for the specified GCP instance using GCP CLI.

Using Python

To remediate the PostgreSQL Log Parser Stats Flag Should Be Off misconfiguration in GCP using python, follow these steps:

Install the google-cloud-secret-manager and google-cloud-logging python packages using pip.
```
pip install google-cloud-secret-manager google-cloud-logging
```

Import the necessary libraries.

from google.cloud import secretmanager_v1beta1
from google.cloud import logging_v2

Retrieve the value of the POSTGRES_STATS_FLAG secret from Google Secret Manager.

client = secretmanager_v1beta1.SecretManagerServiceClient()
name = client.secret_version_path('<PROJECT_ID>', '<SECRET_NAME>', '<SECRET_VERSION>')
response = client.access_secret_version(name)
postgres_stats_flag = response.payload.data.decode('UTF-8')

Replace <PROJECT_ID>, <SECRET_NAME>, and <SECRET_VERSION> with the appropriate values.

Update the log sink for PostgreSQL to disable the log parser stats flag.

client = logging_v2.LoggingServiceV2Client()
parent = client.project_path('<PROJECT_ID>')
resource = {
    "type": "gce_instance",
    "labels": {
        "instance_id": "<INSTANCE_ID>",
        "zone": "<ZONE>"
    }
}
filter = 'resource.type="gce_instance" AND resource.labels.instance_id="<INSTANCE_ID>" AND logName="projects/<PROJECT_ID>/logs/postgresql.log"'
sinks = client.list_sinks(parent)
for sink in sinks:
    if sink.filter == filter:
        sink.destination.update_gcs_bucket = None
        sink.destination.disable_log_entry_types = ["LOG_ENTRY_TYPE_UNSPECIFIED", "PROTO_PAYLOAD"]
        sink.destination.enable_log_entry_types = []
        sink.filter = 'resource.type="gce_instance" AND resource.labels.instance_id="<INSTANCE_ID>" AND logName="projects/<PROJECT_ID>/logs/postgresql.log" AND NOT jsonPayload.message:("LOG: statement stats:")'
        client.update_sink(sink)
        break

Replace <PROJECT_ID>, <INSTANCE_ID>, and <ZONE> with the appropriate values.

Verify that the log sink has been updated successfully.
```
gcloud logging sinks describe <SINK_NAME> --project=<PROJECT_ID>
```
Replace <SINK_NAME> and <PROJECT_ID> with the appropriate values.

That’s it! The PostgreSQL Log Parser Stats Flag Should Be Off misconfiguration has been remediated for GCP using python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL Log Parser Stats Flag Should Be Off

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation