More Info:

The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats). Default value for log_statement_stats flag is off. The log_statement_stats flag enables a crude profiling method for logging end to end performance statistics of a SQL query. This can be useful for troubleshooting but may increase the amount of logs significantly and have performance overhead.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “PostgreSQL Log Statement Stats Flag Should Be Set Appropriately” for GCP using GCP console, you can follow the below steps:
  1. Open the Cloud SQL instances page in the GCP console.
  2. Select the instance for which you want to remediate the misconfiguration.
  3. Click on the “Edit” button at the top of the page.
  4. In the “Flags” section, click on the “Add item” button.
  5. Enter the flag name “log_statement_stats” and set its value to “on”.
  6. Click on the “Save” button to save the changes.
This will remediate the misconfiguration “PostgreSQL Log Statement Stats Flag Should Be Set Appropriately” for GCP using GCP console.

To remediate the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in your GCP project.
  2. Run the following command to list all the instances in your project: 
    gcloud sql instances list
  3. Identify the instance that has PostgreSQL database engine.
  4. Run the following command to update the PostgreSQL flags for the identified instance: 
    gcloud sql instances patch [INSTANCE_NAME] --database-flags log_statement_stats=on
    Replace [INSTANCE_NAME] with the name of the identified instance.
  5. Verify the PostgreSQL flags by running the following command: 
    gcloud sql instances describe [INSTANCE_NAME]
    Replace [INSTANCE_NAME] with the name of the identified instance. The output of the command should show that the log_statement_stats flag is set to on.
By following these steps, you have successfully remediated the PostgreSQL Log Statement Stats Flag misconfiguration for GCP using GCP CLI.
To remediate the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using Python, follow these steps:
  1. Install the google-cloud-secret-manager and google-cloud-secret-manager libraries using pip:
pip install google-cloud-secret-manager google-auth
  1. Authenticate to GCP using a service account:
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('/path/to/service_account.json')
  1. Retrieve the PostgreSQL instance connection string and credentials from GCP Secret Manager:
from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient(credentials=credentials)
name = client.secret_version_path('<project-id>', '<secret-name>', '<version>')
response = client.access_secret_version(name)
secrets = response.payload.data.decode('UTF-8')

# Extract the connection string and credentials from the secrets
connection_string = secrets['connection_string']
username = secrets['username']
password = secrets['password']
  1. Connect to the PostgreSQL instance using the psycopg2 library:
import psycopg2

conn = psycopg2.connect(connection_string, user=username, password=password)
  1. Set the log_statement_stats parameter to on:
cur = conn.cursor()
cur.execute("SET log_statement_stats TO on;")
conn.commit()
  1. Close the database connection:
cur.close()
conn.close()
By following these steps, you will have successfully remediated the PostgreSQL Log Statement Stats Flag misconfiguration in GCP using Python.