Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable 'log_hostname' Flag for PostgreSQL Database Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-023

Ensure that the "log_hostname" database flag is enabled for your Google Cloud PostgreSQL database instances in order to assist with incident response and tracking usage in an environment utilizing dynamic IP addresses. There is a potential cost to server performance caused by hostname logging.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Logging hostnames allows for the association of hostname to IP address at the time of connection. This information can aid with incident response efforts particularly in an environment that utilizes dynamic IP addresses. Logging hostnames may incur overhead on server performance as for each statement logged, DNS resolution will be required to convert IP address to hostname. Depending on the setup, this may be non-negligible. This recommendation is applicable to PostgreSQL database instances only.

Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).

Audit

To determine if the "log_hostname" flag is enabled for your Google Cloud PostgreSQL database instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter box, select Type and PostgreSQL <version>, then press Enter to list only the PostgreSQL database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to examine.

06 In the navigation panel, select Overview to access the configuration details available for the selected PostgreSQL instance.

07 In the Configuration section, under Database flags, check the configuration value set for the log_hostname database flag. If log_hostname is set to off, the "log_hostname" database flag is disabled for the selected Google Cloud PostgreSQL database instance, therefore the instance configuration is not compliant.

08 Repeat step no. 5 – 7 to check the "log_hostname" flag value for other PostgreSQL database instances available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the GCP projects available within your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers: 

PROJECT_ID
cc-web-project-112233
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) with custom filtering to describe the name of each PostgreSQL database instance provisioned for the selected Google Cloud project: 

gcloud sql instances list
  --project cc-web-project-112233
  --filter='DATABASE_VERSION:POSTGRES*'
  --format="(NAME)"

04 The command output should return the requested database instance name(s): 

NAME:
cc-web-postgres-instance
cc-dev-postgres-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to examine as the identifier parameter and custom query filters to describe the "log_hostname" flag configuration value set for the selected database instance: 

gcloud sql instances describe cc-web-postgres-instance
  --format=json | jq '.settings.databaseFlags[] | select(.name=="log_hostname")|.value'

06 The command output should return the requested flag configuration value: 

"off"

If the sql instances describe command output returns "off", the "log_hostname" database flag is currently disabled for the selected Google Cloud PostgreSQL database instance, therefore the database configuration is not compliant.

07 Repeat steps no. 5 and 6 to verify the "log_hostname" flag value for other PostgreSQL database instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project created within your Google Cloud account.

Remediation / Resolution

To turn on the "log_hostname" database flag for your Google Cloud PostgreSQL database instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter box, select Type and PostgreSQL <version>, and press Enter to display only the PostgreSQL database instances available for the selected project.

05 Click on the name (ID) of the database instance that you want to reconfigure.

06 In the navigation panel, select Overview to access the configuration details available for the selected instance.

07 Choose Edit from the dashboard top menu to modify the instance configuration.

08 In the Customize your instance section, choose Flags to expand the panel with the database flags configured for the selected PostgreSQL instance.

09 Find the log_hostname flag and enable it by selecting On from the Value dropdown list. Choose DONE to close the panel.

10 Choose SAVE to apply the configuration changes.

11 Repeat steps no. 5 – 10 to enable the specified flag for other PostgreSQL database instances available within the selected GCP project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to reconfigure as the identifier parameters, to enable the "log_hostname" database flag for the selected PostgreSQL instance: 

gcloud sql instances patch cc-web-postgres-instance
  --database-flags log_hostname=on

02 Type Y to confirm the database configuration change: 

The following message will be used for the patch API method.

{"name": "cc-web-postgres-instance", "project": "cc-web-project-112233", "settings": {"databaseFlags": [{"name": "log_hostname", "value": "on"}]}}

WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.

Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status: 

Patching Cloud SQL instance...done.

Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-web-postgres-instance].

04 Repeat steps no. 1 – 3 to enable the specified flag for other PostgreSQL database instances provisioned for the selected GCP project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.

References

Publication date Apr 21, 2021

Related CloudSQL rules