Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable "LOG_DISCONNECTIONS" Parameter for PostgreSQL Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-004

Ensure that the "log_disconnections" server parameter is enabled for all PostgreSQL database servers provisioned in your Microsoft Azure cloud account. The "log_disconnections" parameter enables the logging of session termination. The log output provides information similar to the one generated by the "log_connections" parameter, plus the duration of the session. Only Azure account admins can change this parameter at the session start, and it cannot be changed at all during a session.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling the "log_disconnections" parameter starts recording PostgreSQL activity data that can be useful to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your Microsoft Azure PostgreSQL database servers.

Audit

To determine if "log_disconnections" parameter is enabled for your Azure PostgreSQL servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list all the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

06 On Server parameters page, find the log_disconnections parameter using the Search to filter items search box. Once the parameter is found, check its configuration value, listed within the VALUE column. If the parameter value is set to OFF, the "log_disconnections" server parameter is not enabled for the selected Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Microsoft Azure subscription: 

az postgres server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information: 

Name                ResourceGroup
------------------  ------------------------------
cc-development-db   cloud-shell-storage-westeurope

03 Run postgres server configuration show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine and its associated resource group as identifier parameters, with custom query filters, to get the "log_disconnections" parameter value for the selected database server: 

az postgres server configuration show
	--server-name "cc-development-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name log_disconnections
	--query 'value'

04 The command output should return the requested configuration value ("ON" for enabled, "OFF" for disabled): 

"OFF"

If postgres server configuration show command output returns "OFF", the "log_disconnections" server parameter is not enabled for the selected Azure PostgreSQL database server.

05 Repeat step no. 3 and 4 for each Microsoft Azure PostgreSQL server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the "log_disconnections" server parameter for all your Microsoft Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL server that you want to reconfigure (see Audit section part I to identify the right database server).

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters for the selected PostgreSQL database server.

06 On Server parameters page, find the log_disconnections parameter using the Search to filter items search box.

07 Once the log_disconnections server parameter is found, enable it by selecting ON from the toggle configuration button, available in the VALUE column.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL database server available within the selected subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run postgres server configuration set command (Windows/macOS/Linux) using the name of the PostgreSQL server that you want to reconfigure as identifier parameter (see Audit section part II to identify the right database resource) to enable "log_disconnections" parameter for the selected Azure PostgreSQL database server: 

az postgres server configuration set
	--server-name "cc-development-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name log_disconnections
	--value on

02 The command output should return the metadata for the reconfigured server parameter: 

{
  "allowedValues": "on,off",
  "dataType": "Boolean",
  "defaultValue": "off",
  "description": "Logs end of a session, including duration.",
  "id": "/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-development-db/configurations/log_disconnections",
  "name": "log_disconnections",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "source": "user-override",
  "type": "Microsoft.DBforPostgreSQL/servers/configurations",
  "value": "on"
}

03 Repeat step no. 1 and 2 for each PostgreSQL database server provisioned in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Related PostgreSQL rules