Azure PostgreSQL 漏洞列表

Ensure that a Microsoft Azure activity log alert is fired whenever a “Delete PostgreSQL Database” event is triggered within your cloud account. An Azure activity log alert fires each time the action event that matches the condition specified in the alert configuration is triggered. The alert condition that this conformity rule checks for is "Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete PostgreSQL Database (Microsoft.DBforPostgreSQL/servers/databases)'".

Ensure that an Azure activity log alert is fired whenever “Create/Update PostgreSQL Database” events are triggered within your Microsoft Azure cloud account. The log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. For this conformity rule, the matched condition is "Whenever the Activity Log has an event with Category='Administrative', Signal name='Create/Update PostgreSQL Database (servers/databases)'"

Ensure that "connection_throttling" server parameter is enabled for all PostgreSQL database servers provisioned within your Microsoft Azure cloud account. The "connection_throttling" parameter enables temporary connection throttling per IP address for too many invalid login failures.

Ensure that infrastructure double encryption is enabled for your Single Server Azure PostgreSQL database servers in order to add a second layer of encryption for your PostgreSQL databases using a different encryption algorithm which provides enhanced data protection.

Ensure that "log_checkpoints" server parameter is enabled for all PostgreSQL flexible database servers available within your Microsoft Azure cloud account. The "log_checkpoints" parameter allows checkpoints and restart points to be logged in the Azure PostgreSQL server log.

Ensure that "log_connections" server parameter is enabled for all PostgreSQL database servers available in your Microsoft Azure cloud account. The "log_connections" parameter allows each attempted connection to the database server to be logged, including successful client authentication requests. Only Azure users with administrative privileges can change this parameter at session start, and it cannot be changed during an access session.

Ensure that the "log_disconnections" server parameter is enabled for all PostgreSQL database servers provisioned in your Microsoft Azure cloud account. The "log_disconnections" parameter enables the logging of session termination. The log output provides information similar to the one generated by the "log_connections" parameter, plus the duration of the session. Only Azure account admins can change this parameter at the session start, and it cannot be changed at all during a session.

Ensure that "log_duration" server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the "Parse", "Bind", and "Execute" steps is logged independently.

Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled, to allow you to restore your PostgreSQL servers to a different Azure region in the event of a regional outage or a disaster.

Ensure that Storage Auto-Growth feature is enabled for your production Azure PostgreSQL database servers. Storage auto-growth prevents your PostgreSQL servers from running out of storage and becoming read-only.