Profile Applicability:

  • Level 1

Description:

The log_min_error_statement flag controls which SQL statements that cause an error condition are recorded in the server log: whenever PostgreSQL generates a message at or above the configured severity, the text of the SQL statement that triggered it is logged together with the message. Valid severity levels (from lowest to highest) are:

  • DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1

  • INFO

  • NOTICE

  • WARNING

  • ERROR

  • LOG

  • FATAL

  • PANIC

Each level includes all the levels that follow it, so the later the level in this list, the fewer statements are logged. To ensure that every failing statement (and the statement text needed to investigate it) is captured without logging diagnostic noise, it is recommended to set log_min_error_statement to ERROR or stricter (ERROR, LOG, FATAL or PANIC).

Rationale:

Proper configuration of the log_min_error_statement flag allows accurate identification and logging of error messages and associated SQL statements. This improves troubleshooting and forensic analysis by ensuring critical errors are captured without excessive logging of less relevant information. Setting this flag to ERROR or stricter aligns with best practices for logging and auditing database activity.

Impact:

  • Setting the flag to a less restrictive value (e.g., INFO) may result in excessive logging, increasing storage requirements and making it difficult to identify critical errors.

  • Setting the flag to a more restrictive value (e.g., FATAL) may exclude essential error messages, hindering effective troubleshooting.

  • Adjusting custom flags via command-line tools may overwrite existing flags, leading to potential configuration loss or instance restarts. It is recommended to make changes during low-usage periods.

Default Value:

By default, the log_min_error_statement flag is set to ERROR.

Audit Steps:

Using Google Cloud Console:

  1. Go to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance to view its Instance Overview page.

  3. Under the Configuration card, check the value of the log_min_error_statement flag. Ensure it is set to ERROR or stricter. If the flag is not listed, it has not been set explicitly and the default (ERROR) is in effect.

Using Google Cloud CLI:

Verify the log_min_error_statement flag for each PostgreSQL instance:

gcloud sql instances describe [INSTANCE_NAME] --format=json | jq '.settings.databaseFlags[] | select(.name=="log_min_error_statement")|.value'

Empty output means the flag is not set explicitly and the default (ERROR) applies; any value that is printed must be ERROR, LOG, FATAL or PANIC. On an instance with no database flags at all, jq reports that it cannot iterate over null; use `.settings.databaseFlags[]?` in place of `.settings.databaseFlags[]` to treat that case as "not set".

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

  2. Select the PostgreSQL instance that requires configuration.

  3. Click Edit.

  4. Scroll to the Flags section.

  5. If the log_min_error_statement flag is not already set, click Add item, choose log_min_error_statement from the dropdown menu, and set it to ERROR or stricter.

  6. Click Save.

  7. Verify the changes under the Flags section on the Overview page.

Using Google Cloud CLI:

Configure the log_min_error_statement flag for a PostgreSQL instance:

gcloud sql instances patch [INSTANCE_NAME] --database-flags log_min_error_statement=ERROR

Note: --database-flags replaces the instance's entire flag set, so any flags already configured must be repeated in the same command (for example, --database-flags log_connections=on,log_min_error_statement=ERROR); otherwise they are cleared. Run the audit command first to capture the current flags.
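The following script is an added example for this recommendation; it is not part of the benchmark text or of Google's tooling. It puts the audit and the remediation together: it resolves the value in force (explicit flag or the Cloud SQL default), applies the PostgreSQL severity ordering so that "ERROR or stricter" is evaluated correctly, and builds a patch command that repeats the existing flags so that --database-flags does not clear them. It assumes the gcloud CLI is installed and authenticated for the target project; the instance records embedded below are constructed sample data so the checks can be exercised offline.

```python
"""Audit and remediate log_min_error_statement across Cloud SQL for PostgreSQL.

Added example for this recommendation; not part of the benchmark or of Google's
tooling. Assumes an authenticated gcloud CLI for live use; SAMPLE_INSTANCES is
constructed data in the shape of `gcloud sql instances list --format=json`.
"""
import json
import subprocess
from typing import Dict, List

FLAG = "log_min_error_statement"
REQUIRED = "ERROR"            # the benchmark asks for ERROR or stricter
CLOUD_SQL_DEFAULT = "ERROR"   # value in effect when the flag is not set

# PostgreSQL severity ordering for this parameter, lowest to highest.
# Every level includes the levels after it, so "stricter" means a later index.
SEVERITY = ["DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1", "INFO", "NOTICE",
            "WARNING", "ERROR", "LOG", "FATAL", "PANIC"]


def flags_of(instance: dict) -> Dict[str, str]:
    """Return settings.databaseFlags as name -> value (missing list -> {})."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in flags}


def effective_value(instance: dict) -> str:
    """Value in force: the explicit flag if set, otherwise the Cloud SQL default."""
    return flags_of(instance).get(FLAG, CLOUD_SQL_DEFAULT)


def is_compliant(value: str) -> bool:
    """True when value is ERROR or a stricter level. Unknown values fail closed."""
    level = value.strip().upper()   # PostgreSQL accepts the names case-insensitively
    if level not in SEVERITY:
        return False
    return SEVERITY.index(level) >= SEVERITY.index(REQUIRED)


def audit(instances: List[dict]) -> List[dict]:
    """Evaluate every PostgreSQL instance; other engines are skipped."""
    findings = []
    for inst in instances:
        if not inst.get("databaseVersion", "").startswith("POSTGRES"):
            continue
        value = effective_value(inst)
        findings.append({"name": inst["name"], "value": value,
                         "explicit": FLAG in flags_of(inst),
                         "compliant": is_compliant(value)})
    return findings


def merged_flag_string(existing: Dict[str, str], name: str, value: str) -> str:
    """Build the --database-flags argument so the patch keeps existing flags.

    `gcloud sql instances patch --database-flags` replaces the whole flag set,
    so every flag already present is repeated alongside the new value.
    """
    merged = dict(existing)
    merged[name] = value
    return ",".join(f"{k}={v}" for k, v in sorted(merged.items()))


def remediation_command(instance: dict) -> List[str]:
    """argv that sets the flag to ERROR without dropping the instance's other flags."""
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            "--database-flags", merged_flag_string(flags_of(instance), FLAG, REQUIRED)]


# Constructed sample records (trimmed to the fields used here). Not real instances.
SAMPLE_INSTANCES = [
    {"name": "pg-prod", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"},
                                    {"name": FLAG, "value": "warning"}]}},
    {"name": "pg-analytics", "databaseVersion": "POSTGRES_14",
     "settings": {}},                        # flag unset: default ERROR applies
    {"name": "mysql-legacy", "databaseVersion": "MYSQL_8_0",
     "settings": {"databaseFlags": []}},    # not PostgreSQL: ignored
]


def list_instances_from_gcloud() -> List[dict]:
    """Fetch live instance records; requires an authenticated gcloud."""
    out = subprocess.run(["gcloud", "sql", "instances", "list", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    import sys
    instances = list_instances_from_gcloud() if "--live" in sys.argv else SAMPLE_INSTANCES
    for f in audit(instances):
        status = "OK  " if f["compliant"] else "FAIL"
        origin = "explicit" if f["explicit"] else "default"
        print(f"{status} {f['name']}: {FLAG}={f['value']} ({origin})")
    # The fix is printed rather than executed so it can be run in a low-usage window.
    for inst in instances:
        if inst.get("databaseVersion", "").startswith("POSTGRES") and not is_compliant(effective_value(inst)):
            print("remediate:", " ".join(remediation_command(inst)))
```

Run without arguments to exercise the constructed sample (pg-prod fails because WARNING is less strict than ERROR; pg-analytics passes on the default), or with `--live` to audit the authenticated project's real instances. The printed patch command for pg-prod carries `log_connections=on` along with the corrected flag, which is the detail the overwrite caveat above is about.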

Backout Plan:

Step 1: Revert log_min_error_statement to a Less Restrictive Value If Needed

gcloud sql instances patch [INSTANCE_NAME] --database-flags "log_min_error_statement=WARNING"

As with the remediation command, repeat any other configured flags in the same --database-flags argument so they are not cleared.

Step 2: Notify Security and Operations Teams

  • Inform security and database teams before making further changes.

Step 3: Restore from Backup (If Necessary)

  • If setting log_min_error_statement=ERROR causes operational issues, restore the PostgreSQL instance from a backup.

References:

  1. Google Cloud SQL PostgreSQL Flags Documentation

  2. PostgreSQL Runtime Configuration Logging

Additional Information:

  • Modifying the log_min_error_statement flag does not require restarting the Cloud SQL instance.

  • Certain flag configurations may affect instance availability or stability and could void the Cloud SQL SLA. Review the Operational Guidelines before making changes.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
--- | --- | --- | --- | ---
8.5 Collect Detailed Audit Logs | Enable detailed logging to capture sensitive data-related events, including source, timestamp, and user information. | | |
6.3 Enable Detailed Logging | Configure logging to include essential event details such as date, user, and source/destination addresses. | | |