Enable "log_connections" Parameter for PostgreSQL Database Instances


Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RDS-006

Ensure that the "log_connections" database parameter is enabled for all PostgreSQL database instances provisioned with RDS in your Alibaba Cloud account. The "log_connections" parameter allows each attempted connection to the database instance to be logged, including successful client authentication requests. By default, the "log_connections" parameter is disabled.

Security

The logging data generated by the "log_connections" database parameter can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your RDS PostgreSQL database instances.


Audit

To determine if the "log_connections" parameter is enabled for your RDS PostgreSQL database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the PostgreSQL database instance that you want to examine, listed in the Instance ID/Name column. Check the Database Engine column to ensure that the selected resource is a PostgreSQL database.

05 In the RDS resource navigation panel, choose Parameters to access the list of the database parameters configured for the selected PostgreSQL instance.

06 Select the Modifiable Parameters tab and use the Search by parameter name box to find the log_connections database parameter. Check the Running Value column to determine the current status of the log_connections parameter. If Running Value is set to off, the "log_connections" database parameter is not enabled for the selected PostgreSQL database instance.

07 Repeat steps no. 4 – 6 for each PostgreSQL instance provisioned by RDS in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID and the database engine of each RDS database instance available within your Alibaba Cloud account:

aliyun rds DescribeDBInstances \
  --output cols=DBInstanceId,Engine

02 The command output should return a list with the requested instance identifiers:

DBInstanceId         | Engine
------------         | ------
pgm-abcd1234abcd1234 | PostgreSQL
pgm-1234abcd1234abcd | PostgreSQL

03 Run DescribeParameters command (OSX/Linux/UNIX) with the name of the RDS PostgreSQL database instance that you want to examine as the identifier parameter, to describe the parameters configured for the selected database instance:

aliyun rds DescribeParameters \
  --DBInstanceId pgm-abcd1234abcd1234

04 The command output should return the list with the database parameters available for the instance:

{
	"RunningParameters": {
		"DBInstanceParameter": [
			{
				"ParameterValue": "Europe/London",
				"ParameterName": "timezone",
				"ParameterDescription": "timezone"
			},
			{
				"ParameterValue": "32",
				"ParameterName": "cron.max_running_jobs",
				"ParameterDescription": "Maximum number of jobs that can run concurrently."
			},

			...

			{
				"ParameterValue": "off",
				"ParameterName": "log_connections",
				"ParameterDescription": "Logs each successful connection."
			},

			...

			{
				"ParameterValue": "100",
				"ParameterName": "default_statistics_target",
				"ParameterDescription": "Sets the default statistics target."
			},
			{
				"ParameterValue": "on",
				"ParameterName": "enable_nestloop",
				"ParameterDescription": "Enables the planner's use of nested-loop join plans."
			}
		]
	},
	"EngineVersion": "16.0",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"ConfigParameters": {
		"DBInstanceParameter": []
	},
	"Engine": "PostgreSQL"
}

Identify the parameter with the "ParameterName" value set to "log_connections". Check the "ParameterValue" attribute value to determine the current status of the log_connections parameter. If "ParameterValue" is set to off, the "log_connections" database parameter is not enabled for the selected PostgreSQL database instance.

05 Repeat steps no. 3 and 4 for each database instance created with RDS within your Alibaba Cloud account.
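The check from steps 3 and 4, applied to several saved DescribeParameters responses at once. This is an added example, not part of the original rule page or of any Trend Micro or Alibaba Cloud tooling. The function names, the status labels and the two placeholder instance IDs are assumptions, and so is the reading of "ConfigParameters" as changes submitted but not yet running.

```python
import json

def _resp(engine, running=(), config=()):
    """Build a trimmed DescribeParameters response (constructed sample data)."""
    def wrap(pairs):
        items = [{"ParameterName": n, "ParameterValue": v} for n, v in pairs]
        return {"DBInstanceParameter": items}
    return json.dumps({"Engine": engine, "RunningParameters": wrap(running),
                       "ConfigParameters": wrap(config)})

# Constructed samples keyed by instance ID; in practice each value is the JSON
# printed by `aliyun rds DescribeParameters --DBInstanceId <id>`.
SAMPLE_RESPONSES = {
    "pgm-abcd1234abcd1234": _resp("PostgreSQL", [("timezone", "Europe/London"),
                                                 ("log_connections", "off")]),
    "pgm-1234abcd1234abcd": _resp("PostgreSQL", [("log_connections", "on")]),
    "pgm-placeholder-pending": _resp("PostgreSQL", [("log_connections", "off")],
                                     [("log_connections", "on")]),
    "pgm-placeholder-missing": _resp("PostgreSQL", [("timezone", "UTC")]),
    "rm-placeholder-mysql": _resp("MySQL", [("max_connections", "2000")]),
}

def _lookup(response, section, name):
    """Return the normalized value of `name` in `section`, or None if absent."""
    params = (response.get(section) or {}).get("DBInstanceParameter") or []
    for param in params:
        if param.get("ParameterName") == name:
            return str(param.get("ParameterValue", "")).strip().lower()
    return None

def audit_instance(raw_json, name="log_connections"):
    """Classify one response: PASS, FAIL, PENDING, or SKIP (not PostgreSQL)."""
    response = json.loads(raw_json)
    if response.get("Engine") != "PostgreSQL":
        return "SKIP"
    if _lookup(response, "RunningParameters", name) == "on":
        return "PASS"
    # Assumption: ConfigParameters holds changes submitted but not yet running.
    if _lookup(response, "ConfigParameters", name) == "on":
        return "PENDING"
    # Running value "off", or parameter absent from the response: non-compliant.
    return "FAIL"

def audit_fleet(responses):
    """Map each instance ID to its audit status."""
    return {iid: audit_instance(raw) for iid, raw in sorted(responses.items())}

if __name__ == "__main__":
    for instance_id, status in audit_fleet(SAMPLE_RESPONSES).items():
        print(f"{instance_id}\t{status}")
```

A missing parameter is reported as FAIL rather than skipped, so an instance cannot pass the audit just because the response was truncated or filtered.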

Remediation / Resolution

To enable the "log_connections" database parameter for your RDS PostgreSQL database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the PostgreSQL database instance that you want to configure, listed in the Instance ID/Name column. Check the Database Engine column to ensure that the selected resource is a PostgreSQL database.

05 In the RDS resource navigation panel, choose Parameters to access the list of the database parameters configured for the selected PostgreSQL instance.

06 Select the Modifiable Parameters tab and use the Search by parameter name box to find the log_connections database parameter.

07 After the log_connections parameter is found, click the Edit button (pencil icon) next to the actual value in the Running Value column, replace off with on to enable the parameter, then select OK to save the changes.

08 In the Modify Parameters confirmation box, choose Apply Changes to make the parameter modifications take effect. Select OK to confirm the changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL instance provisioned by RDS in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ModifyParameter command (OSX/Linux/UNIX) with --Parameters set to "{'log_connections':'on'}" to enable the "log_connections" database parameter for the selected PostgreSQL database instance:

aliyun rds ModifyParameter \
  --DBInstanceId pgm-abcd1234abcd1234 \
  --Parameters "{'log_connections':'on'}"

02 If successful, the output should return the command request ID:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Repeat steps no. 1 and 2 for each database instance created with RDS within your Alibaba Cloud account.

Publication date Feb 27, 2024