
Configure "log_min_messages" Flag for PostgreSQL Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-030

Ensure that the "log_min_messages" database flag configured for your Google Cloud PostgreSQL database instances has the appropriate severity level in accordance with your organization's logging policy. The "log_min_messages" configuration flag defines the minimum message severity level that is considered an error statement. The available severity levels are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. For compliance, the minimum message severity level should be set to WARNING; ERROR is considered the best-practice setting. Prior to running this conformity rule, you must specify the name of the minimum message severity level used by the "log_min_messages" flag within your organization in the rule settings, on your Trend Cloud One™ – Conformity account console.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Performance efficiency, Operational excellence

PostgreSQL database auditing can help in troubleshooting operational issues and enables administrators to perform forensic analysis. If the "log_min_messages" configuration flag is not set to the correct value, messages may not be classified as error messages appropriately; therefore the flag value should be set in accordance with your organization's logging protocols.

Note: Some database flag settings can affect instance availability and/or stability, and may ultimately exclude the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).


Audit

To determine if the "log_min_messages" flag set for your Cloud PostgreSQL database instances has the appropriate configuration value, perform the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access the Configure "log_min_messages" Flag for PostgreSQL Instances rule, and note the severity level configured for the "log_min_messages" database flag.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

04 Navigate to Cloud SQL Instances available console at https://console.cloud.google.com/sql/instances.

05 Click inside the Filter box, select Type and choose PostgreSQL to list only the PostgreSQL database instances provisioned for the selected GCP project.

06 Click on the name (ID) of the database instance that you want to examine.

07 In the navigation panel, select Overview to access the configuration details available for the selected instance.

08 In the Configuration section, under Database flags, check the name of the severity level set for the log_min_messages database flag. If log_min_messages is not available in the Database flags list, or the flag value (i.e. severity level) is different from the one identified at step no. 1, the "log_min_messages" flag configuration for the selected Google Cloud PostgreSQL database instance is not compliant.

09 Repeat steps no. 6 – 8 to check the "log_min_messages" flag configuration for each PostgreSQL database instance available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access the Configure "log_min_messages" Flag for PostgreSQL Instances rule, and note the severity level configured for the "log_min_messages" database flag.

02 Run projects list command (Windows/macOS/Linux) using custom query filters to list the ID of each Google Cloud Platform (GCP) project available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

03 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-project-112233
cc-gov-project-123123

04 Run sql instances list command (Windows/macOS/Linux) with custom filtering to describe the name of each PostgreSQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
  --project cc-web-project-112233 \
  --filter='DATABASE_VERSION:POSTGRES*' \
  --format="(NAME)"

05 The command output should return the requested database instance names:

NAME
cc-app-postgres-instance
cc-web-postgres-instance

06 Run sql instances describe command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to examine as the identifier parameter and custom query filters to describe the "log_min_messages" flag configuration value set for the selected database instance:

gcloud sql instances describe cc-app-postgres-instance \
  --format=json | jq '.settings.databaseFlags[] | select(.name=="log_min_messages") | .value'

07 The command output should return the requested flag configuration value:

"info"

If the sql instances describe command output returns null, or the flag value (i.e. severity level) is different from the one chosen by your organization and identified at step no. 1, the "log_min_messages" flag configuration for the selected Google Cloud PostgreSQL database instance is not compliant.

08 Repeat steps no. 6 and 7 to verify the "log_min_messages" flag configuration value for each PostgreSQL database instance created for the selected project.

09 Repeat steps no. 4 – 8 for each project available within your Google Cloud account.
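The following Python script is an added example, not part of this Conformity page or of Google's tooling. It applies the step 6 and 7 check offline to the JSON document that gcloud sql instances describe --format=json returns: a missing flag (the jq filter printing nothing) or a level that differs from the one noted at step 1 is reported as non-compliant. It goes one step beyond the rule by also providing an ordering helper for the WARNING-minimum / ERROR-best-practice guidance in the rule description. The three instance documents are constructed sample data, trimmed to the fields the check reads.

```python
"""Evaluate the "log_min_messages" audit (CLI steps 6-7) offline, against the JSON that
`gcloud sql instances describe <instance> --format=json` returns.
Added example; the sample documents below are constructed, not real instances."""
import json

# PostgreSQL severity levels for log_min_messages, least to most severe (order as given in the rule text).
SEVERITY_ORDER = ["debug5", "debug4", "debug3", "debug2", "debug1", "info",
                  "notice", "warning", "error", "log", "fatal", "panic"]


def get_database_flag(describe_json: str, flag_name: str):
    """Return the value of one database flag, or None when the flag is not set on the
    instance (the equivalent of the jq filter in step 6 printing nothing)."""
    instance = json.loads(describe_json)
    for flag in instance.get("settings", {}).get("databaseFlags", []):
        if flag.get("name") == flag_name:
            return flag.get("value")
    return None


def check_log_min_messages(describe_json: str, expected_level: str):
    """Apply the rule: the flag must be present and equal (case-insensitively) to the
    level your organization chose in the Conformity rule settings (step 1).
    Returns (compliant, reason)."""
    expected = expected_level.lower()
    if expected not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity level: {expected_level!r}")
    value = get_database_flag(describe_json, "log_min_messages")
    if value is None:
        return False, "log_min_messages is not set on the instance"
    if value.lower() != expected:
        return False, f"log_min_messages is {value!r}, expected {expected!r}"
    return True, f"log_min_messages is {expected!r}"


def is_at_least(level: str, minimum: str) -> bool:
    """Ordering helper for the WARNING-minimum / ERROR-best-practice guidance:
    True when `level` is at least as severe as `minimum` (e.g. error >= warning)."""
    return SEVERITY_ORDER.index(level.lower()) >= SEVERITY_ORDER.index(minimum.lower())


# Constructed sample describe output (trimmed to the fields the check reads).
COMPLIANT_INSTANCE = json.dumps({
    "name": "cc-app-postgres-instance",
    "settings": {"databaseFlags": [{"name": "log_min_messages", "value": "error"}]},
})
NONCOMPLIANT_INSTANCE = json.dumps({
    "name": "cc-web-postgres-instance",
    "settings": {"databaseFlags": [{"name": "log_min_messages", "value": "info"}]},
})
UNSET_INSTANCE = json.dumps({"name": "cc-db-postgres-instance", "settings": {}})

if __name__ == "__main__":
    # Replace "error" with the level noted at step 1 of the audit.
    for doc in (COMPLIANT_INSTANCE, NONCOMPLIANT_INSTANCE, UNSET_INSTANCE):
        compliant, reason = check_log_min_messages(doc, "error")
        print(json.loads(doc)["name"], "COMPLIANT" if compliant else "NOT COMPLIANT", "-", reason)
```

To run it against real instances, feed each document produced by gcloud sql instances describe --format=json (step 6) to check_log_min_messages in place of the constructed samples, and loop over the instance names from step 4 and the project IDs from step 2.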

Remediation / Resolution

To configure the "log_min_messages" flag severity level in accordance with your organization's logging policy, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances console available at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter box, select Type and choose PostgreSQL to list only the PostgreSQL database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to configure.

06 In the resource navigation panel, select Overview, and choose EDIT from the console top menu.

07 In the Customize your instance section, choose Flags to expand the panel with the database flags configured for the selected PostgreSQL instance.

08 Find the log_min_messages flag and select the appropriate severity level, in accordance with your organization's logging policy, from the flag configuration dropdown list. If the flag has not been set on the selected instance before, choose ADD A DATABASE FLAG, select the log_min_messages flag from the Choose a flag dropdown menu, and set its value accordingly. Choose DONE to close the panel. IMPORTANT: Configuring the "log_min_messages" flag restarts automatically the selected database instance.

09 Choose SAVE to apply the configuration changes.

10 Repeat steps no. 5 – 9 to configure the required flag for each PostgreSQL database instance available within the selected project.

11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the PostgreSQL database instance that you want to configure as the identifier parameter, to set the right severity level for the "log_min_messages" database flag, in accordance with your organization's logging policy. The supported levels are "debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice", "warning", "error", "log", "fatal", and "panic". For compliance, the minimum message severity level should be "warning". The following command request example sets the "log_min_messages" severity level to "error":

gcloud sql instances patch cc-app-postgres-instance \
  --database-flags log_min_messages=error

IMPORTANT: Configuring the "log_min_messages" flag automatically restarts the selected database instance.

02 Type Y to confirm the database configuration change:

The following message will be used for the patch API method.
{"name": "cc-app-postgres-instance", "project": "cc-web-project-112233", "settings": {"databaseFlags": [{"name": "log_min_messages", "value": "error"}]}}
WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-app-postgres-instance].

04 Repeat steps no. 1 – 3 to configure the required flag for each PostgreSQL database instance provisioned for the selected project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud Platform (GCP) account.
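The Python script below is an added example, not part of this Conformity page or of Google's tooling. It composes the step 1 patch command for an instance while keeping the flags already set on it: --database-flags replaces the whole flag list on the instance, so a command that names only log_min_messages would reset every other flag to its default. The script reads the existing flags from a constructed gcloud sql instances describe --format=json document, merges the new level in, and prints the resulting command; the instance and project names are the ones used in the examples above.

```python
"""Build a `gcloud sql instances patch` invocation that sets log_min_messages while keeping
the instance's other database flags. Added example, not Google's tooling; the describe
document below is constructed. Relies on the documented behaviour that --database-flags
replaces the entire flag list on the instance."""
import json
import shlex

# Levels accepted for log_min_messages, as listed in the remediation step.
VALID_LEVELS = {"debug5", "debug4", "debug3", "debug2", "debug1", "info",
                "notice", "warning", "error", "log", "fatal", "panic"}


def merged_database_flags(describe_json: str, name: str, value: str) -> str:
    """Return the comma-separated FLAG=VALUE list for --database-flags: every flag already
    on the instance (from `gcloud sql instances describe --format=json`) plus the new or
    updated one. Flags without a value (e.g. `some_flag=`) are preserved as empty."""
    instance = json.loads(describe_json)
    flags = {f["name"]: f.get("value", "")
             for f in instance.get("settings", {}).get("databaseFlags", [])}
    flags[name] = value
    return ",".join(f"{k}={v}" for k, v in sorted(flags.items()))


def patch_command(instance_name: str, project: str, describe_json: str, level: str) -> str:
    """Compose the remediation command from step 1 for the given instance and severity
    level. Arguments are shell-quoted so the string can be pasted into a terminal."""
    level = level.lower()
    if level not in VALID_LEVELS:
        raise ValueError(f"unsupported log_min_messages level: {level!r}")
    flag_list = merged_database_flags(describe_json, "log_min_messages", level)
    return " ".join([
        "gcloud sql instances patch", shlex.quote(instance_name),
        "--project", shlex.quote(project),
        "--database-flags", shlex.quote(flag_list),
    ])


# Constructed describe output: the instance already has another flag that must survive the patch.
SAMPLE_INSTANCE = json.dumps({
    "name": "cc-app-postgres-instance",
    "settings": {"databaseFlags": [
        {"name": "max_connections", "value": "200"},
        {"name": "log_min_messages", "value": "info"},
    ]},
})

if __name__ == "__main__":
    print(patch_command("cc-app-postgres-instance", "cc-web-project-112233", SAMPLE_INSTANCE, "error"))
```

Because the patch restarts the instance (see the IMPORTANT note above), run the generated command inside your maintenance window; the gcloud prompt shown at step 2 still asks for confirmation before the change is applied.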

Publication date Jun 30, 2023