Profile Applicability:

  • Level 2

Description:

The log_error_verbosity database flag determines the level of detail included in error log messages. Accepted values are:

  • TERSE: Excludes detailed information like DETAIL, HINT, QUERY, and CONTEXT.

  • DEFAULT: Includes essential error details for troubleshooting.

  • VERBOSE: Adds extensive information, including SQLSTATE error codes, file names, function names, and line numbers.

For effective logging and security, this flag should be set to DEFAULT or stricter (TERSE) for all PostgreSQL database instances.

Rationale:

Proper auditing is critical for troubleshooting and forensic analysis. Setting the log_error_verbosity flag to DEFAULT or stricter ensures sufficient logging without excessive or irrelevant details that may clutter logs or expose sensitive information. This setting balances security, clarity, and log management.

Impact:

  • Enabling detailed logging can increase storage requirements.

  • Configuring custom flags may reset omitted flags to their default values, potentially causing disruptions.

  • It is recommended to apply flag changes during periods of low usage to minimize impact.

Default Value:
The default value of the log_error_verbosity flag is DEFAULT.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance to open its Instance Overview page.

  3. Under the Configuration section, locate the Database Flags list.

  4. Verify that the log_error_verbosity flag is set to DEFAULT or stricter (TERSE). If the flag is not listed at all, the server default (DEFAULT) applies, which also satisfies this recommendation; VERBOSE is a finding.

                 

Using Google Cloud CLI:

List all Cloud SQL PostgreSQL database instances (the filter drops MySQL and SQL Server instances, which do not have this flag):

gcloud sql instances list --filter="databaseVersion~^POSTGRES"

For each instance, verify the value of the log_error_verbosity flag:

gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[]? | select(.name=="log_error_verbosity") | .value'

The expected output is "DEFAULT" or "TERSE". Empty output means the flag is not set and the server default (DEFAULT) applies, which is compliant; "VERBOSE" is a finding. The [ ]? in the jq filter keeps the command from failing with "Cannot iterate over null" on instances that have no custom flags, where settings.databaseFlags is absent from the describe output.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance where the flag needs to be updated.

  3. Click Edit.

  4. Scroll to the Flags section and click Add a Database Flag.

  5. Select log_error_verbosity from the dropdown and set its value to DEFAULT or TERSE.

  6. Click Save to apply the changes.

  7. Verify the updated flag under the Database Flags section.

Using Google Cloud CLI:

Set the log_error_verbosity flag for each PostgreSQL instance:

gcloud sql instances patch <INSTANCE_NAME> --database-flags log_error_verbosity=<TERSE|DEFAULT>

Note: --database-flags replaces the instance's complete flag list, so any flag omitted from the command reverts to its default. Read the current flags from gcloud sql instances describe first and include every flag that should be retained, for example --database-flags log_error_verbosity=DEFAULT,log_min_duration_statement=500. This flag takes effect without an instance restart.
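The following script is an added example and not part of the benchmark text or of any Google tooling. It serves both the CLI audit above and the remediation note: it parses the JSON that gcloud sql instances describe returns, treats an unset flag as the server default (DEFAULT), skips non-PostgreSQL engines, and builds a patch command that carries every existing flag forward so the patch does not silently reset them. The instance documents in SAMPLE_INSTANCES are constructed for the example and trimmed to the fields the script reads; fetch_instances() is the only part that needs gcloud and credentials.

```python
"""Audit and remediation helper for the Cloud SQL log_error_verbosity flag.

Added example (not from the benchmark or Google). Input is the JSON from
`gcloud sql instances describe <INSTANCE> --format=json`; the sample
documents below are constructed and trimmed to the fields that are used.
"""
import json
import shlex
import subprocess

FLAG = "log_error_verbosity"
COMPLIANT_VALUES = {"DEFAULT", "TERSE"}
SERVER_DEFAULT = "DEFAULT"  # value PostgreSQL uses when the flag is not set

# Constructed sample describe output (not real instances).
SAMPLE_INSTANCES = [
    {"name": "pg-prod-1", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [
         {"name": "log_error_verbosity", "value": "VERBOSE"},
         {"name": "log_min_duration_statement", "value": "500"}]}},
    {"name": "pg-dev-1", "databaseVersion": "POSTGRES_15",
     "settings": {}},  # no custom flags at all: databaseFlags key is absent
    {"name": "pg-audit-1", "databaseVersion": "POSTGRES_14",
     "settings": {"databaseFlags": [
         {"name": "log_error_verbosity", "value": "terse"}]}},
    {"name": "mysql-1", "databaseVersion": "MYSQL_8_0", "settings": {}},
]


def current_flags(instance):
    """Return {name: value} for the flags explicitly set on an instance.

    Instances with no custom flags have no 'databaseFlags' key, which is
    why a bare `.settings.databaseFlags[]` jq filter errors on them."""
    return {f["name"]: f["value"]
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def effective_verbosity(instance):
    """Value in force: the explicit flag, or the server default when unset.
    PostgreSQL accepts enum values case-insensitively, so compare uppercased."""
    return current_flags(instance).get(FLAG, SERVER_DEFAULT).upper()


def is_compliant(instance):
    """True/False for PostgreSQL instances, None for engines without the flag."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return None
    return effective_verbosity(instance) in COMPLIANT_VALUES


def audit(instances):
    """Map each instance name to 'compliant', 'non-compliant' or 'not applicable'."""
    result = {}
    for inst in instances:
        status = is_compliant(inst)
        result[inst["name"]] = ("not applicable" if status is None
                                else "compliant" if status else "non-compliant")
    return result


def remediation_command(instance, target="DEFAULT"):
    """Build `gcloud sql instances patch` argv that keeps every other flag.

    --database-flags replaces the whole list, so the existing flags are merged
    in. If any value itself contains a comma, gcloud's alternate-delimiter
    syntax (^;^a=1;b=x,y) is used instead of the default comma separator."""
    if target not in COMPLIANT_VALUES:
        raise ValueError(f"{target!r} is not DEFAULT or TERSE")
    flags = current_flags(instance)
    flags[FLAG] = target
    pairs = [f"{k}={v}" for k, v in sorted(flags.items())]
    if any("," in v for v in flags.values()):
        flag_arg = "^;^" + ";".join(pairs)
    else:
        flag_arg = ",".join(pairs)
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            f"--database-flags={flag_arg}"]


def fetch_instances():
    """Live data: one describe call per instance (requires gcloud and auth)."""
    names = subprocess.run(
        ["gcloud", "sql", "instances", "list", "--format=value(name)"],
        check=True, capture_output=True, text=True).stdout.split()
    return [json.loads(subprocess.run(
        ["gcloud", "sql", "instances", "describe", n, "--format=json"],
        check=True, capture_output=True, text=True).stdout) for n in names]


if __name__ == "__main__":
    # Swap SAMPLE_INSTANCES for fetch_instances() to audit a real project.
    instances = SAMPLE_INSTANCES
    for name, status in audit(instances).items():
        print(f"{name}: {status}")
    for inst in instances:
        if is_compliant(inst) is False:
            print(" ".join(shlex.quote(a) for a in remediation_command(inst)))
```

The script prints the remediation command rather than executing it, so the merged flag list can be reviewed before the patch is applied during a low-usage window, as the Impact section advises.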

Backout Plan:

  1. Revert the flag to its previous setting (if needed):
    • If the change must be reversed, set log_error_verbosity back to the value that was in place before the change, or remove the flag so that the server default (DEFAULT) applies again. No restart is required for this flag.

Using Google Cloud Console:

  • Navigate to the Cloud SQL Instances page.
  • Select the PostgreSQL instance to edit.
  • Click Edit.
  • Scroll to the Flags section and set the log_error_verbosity flag to the previous value, or remove the flag entry.
  • Save the changes.

Using Google Cloud CLI:

gcloud sql instances patch <INSTANCE_NAME> --database-flags log_error_verbosity=<PREVIOUS_VALUE>

  • As in the remediation step, --database-flags replaces the complete flag list, so include every other flag the instance should keep. To remove all custom flags and return the instance to defaults, use --clear-database-flags instead.
  • The change takes effect without restarting the instance.

References:

  1. Google Cloud SQL - Database Flags

  2. PostgreSQL Documentation - Log Error Verbosity

Additional Information:

  • Configuring this flag does not require restarting the Cloud SQL instance.

  • Some database flag configurations may affect availability or stability and remove the instance from the Cloud SQL SLA. Review Operational Guidelines for more details.

CIS Controls:

Control                          | Description                                                                                                                          | IG 1 | IG 2 | IG 3
---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|------|------|-----
8.5 Collect Detailed Audit Logs  | Configure audit logs with details such as event source, date, user, timestamp, and other useful elements for forensic investigations. |      |      |
6.3 Enable Detailed Logging      | Enable system logging with detailed information to assist with troubleshooting and security incident analysis.                        |      |      |