Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable "LOG_CONNECTIONS" Parameter for PostgreSQL Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-003

Ensure that "log_connections" server parameter is enabled for all PostgreSQL database servers available in your Microsoft Azure cloud account. The "log_connections" parameter allows each attempted connection to the database server to be logged, including successful client authentication requests. Only Azure users with administrative privileges can change this parameter at session start, and it cannot be changed during an access session.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The logging data generated by "log_connections" parameter can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your Microsoft Azure PostgreSQL database servers.

Audit

To determine if "log_connections" parameter is enabled for your Azure PostgreSQL servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list all the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

06 On Server parameters page, find the log_connections parameter using the Search to filter items search box. Once the parameter is found, check its configuration value available within the VALUE column. If the parameter value is set to OFF, the "log_connections" server parameter is not enabled for the selected Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Azure subscription: 

az postgres server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information: 

Name                ResourceGroup
------------------  ------------------------------
cc-postgres-server  cloud-shell-storage-westeurope
cc-project5-server  cloud-shell-storage-westeurope

03 Run postgres server configuration show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine and its associated resource group as identifier parameters, with custom query filters, to get the "log_connections" parameter value for the selected database server: 

az postgres server configuration show
	--server-name "cc-postgres-server"
	--resource-group "cloud-shell-storage-westeurope"
	--name log_connections
	--query 'value'

04 The command output should return the requested configuration value ("ON" for enabled, "OFF" for disabled): 

"OFF"

If postgres server configuration show command output returns "OFF", as shown in the example above, the "log_connections" server parameter is not enabled for the selected Azure PostgreSQL database server.

05 Repeat step no. 3 and 4 for each Microsoft Azure PostgreSQL server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the "log_connections" server parameter for all your Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL server that you want to reconfigure (see Audit section part I to identify the right Azure resource).

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters for the selected database server.

06 On Server parameters page, find the log_connections parameter using the Search to filter items search box.

07 Once the log_connections server parameter is found, enable it by selecting ON from the toggle button available within the VALUE column.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run postgres server configuration set command (Windows/macOS/Linux) using the name of the PostgreSQL server that you want to reconfigure as identifier parameter (see Audit section part II to identify the right Azure resource) to enable "log_connections" parameter for the selected Azure PostgreSQL database server: 

az postgres server configuration set
	--server-name "cc-postgres-server"
	--resource-group "cloud-shell-storage-westeurope"
	--name log_connections
	--value on

02 The command output should return the metadata for the reconfigured server parameter: 

{
  "allowedValues": "on,off",
  "dataType": "Boolean",
  "defaultValue": "on",
  "description": "Logs each successful connection.",
  "id": "/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-postgres-server/configurations/log_connections",
  "name": "log_connections",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "source": "user-override",
  "type": "Microsoft.DBforPostgreSQL/servers/configurations",
  "value": "on"
}

03 Repeat step no. 1 and 2 for each PostgreSQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Related PostgreSQL rules