PostgreSQL Log Connections Flag Should Be On

More Info:

PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, SOC2, PCIDSS, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the PostgreSQL Log Connections Flag Should Be On misconfiguration for GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list the available PostgreSQL instances in your project:
```
gcloud sql instances list
```
Note down the instance name of the PostgreSQL instance you want to remediate.
Run the following command to enable the log_connections flag for the PostgreSQL instance:
```
gcloud sql instances patch [INSTANCE_NAME] --database-flags log_connections=on
```
Replace [INSTANCE_NAME] with the name of your PostgreSQL instance.
Confirm that the log_connections flag has been enabled by running the following command:
```
gcloud sql instances describe [INSTANCE_NAME] | grep log_connections
```
Replace [INSTANCE_NAME] with the name of your PostgreSQL instance. The output should show that the log_connections flag is set to “on”.
```
log_connections: on
```
Your PostgreSQL instance is now remediated with the log_connections flag enabled.

Using Python

To remediate the PostgreSQL log connections flag misconfiguration in GCP using Python, follow these steps:

Install the google-cloud-secret-manager and google-auth Python libraries using pip:
```
pip install google-cloud-secret-manager google-auth
```

Import the necessary libraries and authenticate to the GCP project:

from google.cloud import secretmanager
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('/path/to/key.json')
client = secretmanager.SecretManagerServiceClient(credentials=credentials)

Replace /path/to/key.json with the path to your GCP service account key file.

Retrieve the value of the postgres-config secret:

secret_name = "postgres-config"
project_id = "my-project-id"
version = "latest"

name = f"projects/{project_id}/secrets/{secret_name}/versions/{version}"
response = client.access_secret_version(request={"name": name})
config = response.payload.data.decode("UTF-8")

Update the postgresql.conf file to enable logging of connections:

config_lines = config.split("\n")
new_config_lines = []

for line in config_lines:
    if line.startswith("#log_connections = off"):
        new_config_lines.append("log_connections = on")
    else:
        new_config_lines.append(line)

new_config = "\n".join(new_config_lines)

Write the updated configuration back to the secret:

parent = f"projects/{project_id}"
payload = {"data": new_config.encode("UTF-8")}
response = client.update_secret(request={"secret": {"name": secret_name, "payload": payload}, "update_mask": {"paths": ["payload"]}, "parent": parent})

This will update the postgres-config secret with the new configuration that enables logging of connections.

Verify that the configuration was updated successfully by checking the postgresql.conf file on the PostgreSQL server.

# Connect to the PostgreSQL server
psql -h <hostname> -U <username> -d <database>

# Check the value of the log_connections parameter
SHOW log_connections;

The output should be on.

Additional Reading:

https://cloud.google.com/sql/docs/postgres/flags

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

PostgreSQL Log Connections Flag Should Be On

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: