Ensure that "log_duration" server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the "Parse", "Bind", and "Execute" steps is logged independently.
PoC代码[已公开]
id: azure-postgres-log-duration-disabled
info:
name: Azure PostgreSQL Log Duration Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that "log_duration" server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the "Parse", "Bind", and "Execute" steps is logged independently.
impact: |
Disabling the "log_duration" parameter prevents logging of query execution times, which is crucial for performance analysis and security auditing.
remediation: |
Enable the "log_duration" parameter in Azure PostgreSQL server configurations to ensure comprehensive logging of query durations for security and performance analysis.
reference:
- https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs
tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config
flow: |
code(1);
for (let ServerData of iterate(template.serverList)) {
ServerData = JSON.parse(ServerData);
set("name", ServerData.name);
set("resourceGroup", ServerData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az postgres server list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: serverList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az postgres server configuration show --server-name "$name" --resource-group "$resourceGroup" --name log_duration --query 'value'
matchers:
- type: word
words:
- 'off'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " has log_duration disabled"'
# digest: 490a0046304402203017e10950a2d5cbbde2b8b1e6ea6c3873156078d5fbafedd35fc4f89be9bbc1022030a6361e9ad0b311afbe10e74e29841c1ebfd6bb4f3e6b96f12d0f4859762c73:922c64590222798bb761d5b6d8e72950