PostgreSQL Log Statement Stats Flag Should Be Set Appropriately

More Info:

The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats). Default value for log_statement_stats flag is off. The log_statement_stats flag enables a crude profiling method for logging end to end performance statistics of a SQL query. This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in your GCP project.
Run the following command to list all the instances in your project:
```
gcloud sql instances list
```
Identify the instance that has PostgreSQL database engine.
Run the following command to update the PostgreSQL flags for the identified instance:
```
gcloud sql instances patch [INSTANCE_NAME] --database-flags log_statement_stats=on
```
Replace [INSTANCE_NAME] with the name of the identified instance.
Verify the PostgreSQL flags by running the following command:
```
gcloud sql instances describe [INSTANCE_NAME]
```
Replace [INSTANCE_NAME] with the name of the identified instance. The output of the command should show that the log_statement_stats flag is set to on.

By following these steps, you have successfully remediated the PostgreSQL Log Statement Stats Flag misconfiguration for GCP using GCP CLI.

Using Python

To remediate the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using Python, follow these steps:

Install the google-cloud-secret-manager and google-cloud-secret-manager libraries using pip:

pip install google-cloud-secret-manager google-auth

Authenticate to GCP using a service account:

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('/path/to/service_account.json')

Retrieve the PostgreSQL instance connection string and credentials from GCP Secret Manager:

from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient(credentials=credentials)
name = client.secret_version_path('<project-id>', '<secret-name>', '<version>')
response = client.access_secret_version(name)
secrets = response.payload.data.decode('UTF-8')

# Extract the connection string and credentials from the secrets
connection_string = secrets['connection_string']
username = secrets['username']
password = secrets['password']

Connect to the PostgreSQL instance using the psycopg2 library:

import psycopg2

conn = psycopg2.connect(connection_string, user=username, password=password)

Set the log_statement_stats parameter to on:

cur = conn.cursor()
cur.execute("SET log_statement_stats TO on;")
conn.commit()

Close the database connection:

cur.close()
conn.close()

By following these steps, you will have successfully remediated the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL Log Statement Stats Flag Should Be Set Appropriately

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation