Enable “log_duration” Parameter for PostgreSQL Database Instances

Risk Level: Medium (should be achieved)

Rule ID: AlibabaCloud-RDS-008

Ensure that "log_duration" database parameter is enabled for all PostgreSQL database instances provisioned with RDS in your Alibaba Cloud account. The "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within PostgreSQL database instance configuration.

Security

If "log_duration" parameter is enabled, your PostgreSQL database instances can log the duration of each completed SQL statement, which in turn generates query and error logs if any issues are detected. Database query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your PostgreSQL database instances.

Audit

To determine if "log_duration" parameter is enabled for your RDS PostgreSQL database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the PostgreSQL database instance that you want to examine, listed in the Instance ID/Name column. Check the Database Engine column to ensure that the selected resource is a PostgreSQL database.

05 In the RDS resource navigation panel, choose Parameters to access the list of the database parameters configured for the selected PostgreSQL instance.

06 Select the Modifiable Parameters tab and use the Search by parameter name box to find the log_duration database parameter. Check the Running Value column to determine the current status of the log_duration parameter. If Running Value is set to off, the "log_duration" database parameter is not enabled for the selected PostgreSQL database instance.

07 Repeat steps no. 4 – 6 for each PostgreSQL instance provisioned by RDS in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID and the database engine of each RDS database instance available within your Alibaba Cloud account:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aliyun rds DescribeDBInstances
  --output cols=DBInstanceId,Engine

02 The command output should return a list with the requested instance identifiers:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

DBInstanceId         | Engine
------------         | ------
pgm-abcd1234abcd1234 | PostgreSQL
pgm-1234abcd1234abcd | PostgreSQL

03 Run DescribeParameters command (OSX/Linux/UNIX) with the name of the RDS PostgreSQL database instance that you want to examine as the identifier parameter, to describe the parameters configured for the selected database instance:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aliyun rds DescribeParameters
  --DBInstanceId pgm-abcd1234abcd1234

04 The command output should return the list with the database parameters available for the instance:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
	"RunningParameters": {
		"DBInstanceParameter": [
			{
				"ParameterValue": "Europe/London",
				"ParameterName": "timezone",
				"ParameterDescription": "timezone"
			},
			{
				"ParameterValue": "on",
				"ParameterName": "log_connections",
				"ParameterDescription": "Logs each successful connection."
			},

			...

			{
				"ParameterValue": "off",
				"ParameterName": "log_duration",
				"ParameterDescription": "Logs the duration of each completed SQL statement."
			},

			...

			{
				"ParameterValue": "on",
				"ParameterName": "log_disconnections",
				"ParameterDescription": "Logs end of a session, including duration."
			},
			{
				"ParameterValue": "on",
				"ParameterName": "synchronize_seqscans",
				"ParameterDescription": "Enable synchronized sequential scans."
			}
		]
	},
	"EngineVersion": "16.0",
	"RequestId": "1234ABCD-1234-ABCD-1234-ABCD1234ABCD",
	"ConfigParameters": {
		"DBInstanceParameter": []
	},
	"Engine": "PostgreSQL"
}

Identify the parameter with the "ParameterName" value set to "log_duration". Check the "ParameterValue" attribute value to determine the current status of the log_duration parameter. If "ParameterValue" is set to off, as shown in the example above, the "log_duration" database parameter is not enabled for the selected PostgreSQL database instance.

05 Repeat steps no. 3 and 4 for each database instance created with RDS within your Alibaba Cloud account.

Remediation / Resolution

To enable the "log_duration" database parameter for your RDS PostgreSQL database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the PostgreSQL database instance that you want to configure, listed in the Instance ID/Name column. Check the Database Engine column to ensure that the selected resource is a PostgreSQL database.

05 In the RDS resource navigation panel, choose Parameters to access the list of the database parameters configured for the selected PostgreSQL instance.

06 Select the Modifiable Parameters tab and use the Search by parameter name box to find the log_duration database parameter.

07 After the log_duration parameter is found, click on the Edit button (pencil icon) next to the actual value, in the Running Value column, replace off with on to enable the parameter, then select OK to save the changes.

08 In the Modify Parameters confirmation box, choose Apply Changes to make the parameter modifications take effect. Select OK to confirm the changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL instance provisioned by RDS in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ModifyParameter command (OSX/Linux/UNIX) with --Parameters set "{'log_duration':'on'}" to enable the "log_duration" database parameter for the selected PostgreSQL database instances:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aliyun rds ModifyParameter
  --DBInstanceId pgm-abcd1234abcd1234
  --Parameters "{'log_duration':'on'}"

02 If successful, the output should return the command request ID:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
	"RequestId": "1234ABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Repeat steps no. 1 and 2 for each database instance created with RDS within your Alibaba Cloud account.

References

Alibaba Cloud Documentation
Modify the parameters of an ApsaraDB RDS for PostgreSQL instance
Use a parameter template to configure the parameters of ApsaraDB RDS for PostgreSQL instances

Alibaba Cloud CLI Documentation
DescribeDBInstances
DescribeParameters
ModifyParameter

Publication date Feb 27, 2024

Audit

Using Alibaba Cloud Console

Using Alibaba Cloud CLI

Remediation / Resolution

Using Alibaba Cloud Console

Using Alibaba Cloud CLI

References

Related AlibabaCloud-RDS rules