Enable “log_checkpoints” Parameter for PostgreSQL Flexible Servers

Risk Level: Medium (should be achieved)

Rule ID: PostgreSQL-013

Ensure that "log_checkpoints" server parameter is enabled for all PostgreSQL flexible database servers available within your Microsoft Azure cloud account. The "log_checkpoints" parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.

This rule resolution is part of the Conformity solution.

Security

Reliability

Operational
excellence

Checkpoints can disrupt your Azure PostgreSQL database performance and can cause connections to stall for up to a few seconds while they occur. By enabling the "log_checkpoints" parameter you can get verbose logging of the checkpoint process for your Azure PostgreSQL database servers. This logging data can be used to identify and troubleshoot sub-optimal PostgreSQL database performance.

Audit

To determine if the "log_checkpoints" parameter is enabled for your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Type filter box, select Equals, choose Azure Database for PostgreSQL flexible server, and select Apply to list the PostgreSQL flexible servers available within your Azure account.

04 Click on the name (link) of the PostgreSQL flexible database server that you want to examine.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters for the selected PostgreSQL server.

06 On the Server parameters page, find the log_checkpoints parameter entry using the Search to filter items… search box. Once the log_checkpoints parameter is found, check its configuration value available within the Value column. If the parameter value is set to OFF, the "log_checkpoints" server parameter is not enabled for the selected Azure PostgreSQL flexible database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL flexible database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres flexible-server list command (Windows/macOS/Linux) using custom query filters to list the name of each PostgreSQL flexible database server (and the name of the associated resource group) available within the current Azure subscription:

az postgres flexible-server list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information:

Name                ResourceGroup
------------------  ------------------------------
cc-project5-server  cloud-shell-storage-westeurope

03 Run postgres server configuration show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL flexible server that you want to examine and its associated resource group as the identifier parameters, to describe the "log_checkpoints" parameter value configured for the selected database server:

az postgres flexible-server parameter show
  --server-name "cc-project5-server"
  --resource-group "cloud-shell-storage-westeurope"
  --name log_checkpoints
  --query 'value'

04 The command output should return the requested database parameter value:

"Off"

If the postgres server configuration show command output returns "OFF", as shown in the output example above, the "log_checkpoints" server parameter is not enabled for the selected Azure PostgreSQL flexible database server.

05 Repeat steps no. 3 and 4 for each Azure PostgreSQL flexible server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the "log_checkpoints" server parameter for all your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Type filter box, select Equals, choose Azure Database for PostgreSQL flexible server, and select Apply to list the PostgreSQL flexible servers available within your Azure account.

04 Click on the name (link) of the PostgreSQL flexible database server that you want to reconfigure.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL flexible server.

06 On the Server parameters configuration page, find the log_checkpoints parameter entry using the Search to filter items… search box.

07 Once the log_checkpoints server parameter is found, enable the parameter by selecting ON in the VALUE column.

08 Choose Save to apply the changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL flexible database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server configuration set command (Windows/macOS/Linux) using the name of the Azure PostgreSQL flexible database server that you want to reconfigure as the identifier parameter, to enable the "log_checkpoints" parameter for the selected PostgreSQL server:

az postgres flexible-server parameter set
  --server-name "cc-project5-server"
  --resource-group "cloud-shell-storage-westeurope"
  --name log_checkpoints
  --value on

02 The command output should return the information available for the reconfigured server parameter:

{
  "allowedValues": "on,off",
  "dataType": "Boolean",
  "defaultValue": "on",
  "description": "Logs each checkpoint.",
  "id": "/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-project5-server/configurations/log_checkpoints",
  "name": "log_checkpoints",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "source": "system-default",
  "type": "Microsoft.DBforPostgreSQL/servers/configurations",
  "value": "on"
}

03 Repeat steps no. 1 and 2 for each PostgreSQL flexible database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Azure Official Documentation
Monitor and tune Azure Database for PostgreSQL - Single Server
Logs in Azure Database for PostgreSQL - Single Server
Security Control V2: Logging and Threat Detection

CIS Security Documentation
Securing Microsoft Azure

Azure Command Line Interface (CLI) Documentation
az postgres flexible-server
az postgres flexible-server list
az postgres flexible-server parameter show
az postgres flexible-server parameter set

Publication date Aug 2, 2022

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related PostgreSQL rules