
GCP PostgreSQL instance database flag log_hostname is not set to off

Description

This policy is concerned with monitoring and logging activities within Google Cloud Platform's (GCP) PostgreSQL databases. It verifies that the hostnames of connecting clients are being logged. Without this setting, an organization's ability to track user activity, troubleshoot issues, or conduct forensic investigations in the event of a data breach or an attack is reduced. Proper logging helps detect foul play more quickly and supports regulatory compliance checks or audits. It is therefore critical to ensure hostnames are logged for GCP PostgreSQL databases as part of a robust security control.

Code Example

```hcl
resource "google_sql_database_instance" "database_instance" {
  database_version = "POSTGRES_13"
  settings {
    # Cloud SQL database flags are declared as repeated database_flags blocks
    database_flags {
      name  = "log_hostname"
      value = "on"
    }
  }
}
```

Remediation

Terraform

  • Resource: google_sql_database_instance

To correct this issue, set the log_hostname database flag to on. This ensures that the hostname of every client attempting to connect to the database is logged.
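Because this rule is also evaluated against Terraform plans, the following added example (not the policy's or Checkov's own implementation) applies the same logic to the JSON produced by `terraform show -json`: every `google_sql_database_instance` running PostgreSQL must carry a `log_hostname` flag set to `on`, and a missing flag counts as a failure because PostgreSQL defaults it to off. The sample plan embedded below is constructed for illustration.

```python
import json

def instance_is_compliant(values: dict) -> bool:
    """True when a google_sql_database_instance's planned values set
    log_hostname to "on". Non-PostgreSQL engines are out of scope and pass."""
    if not str(values.get("database_version", "")).startswith("POSTGRES"):
        return True
    # Terraform plan JSON represents nested blocks (settings, database_flags)
    # as lists of objects, so both levels are iterated.
    for settings in values.get("settings") or []:
        for flag in settings.get("database_flags") or []:
            if flag.get("name") == "log_hostname":
                return str(flag.get("value", "")).lower() == "on"
    return False  # flag absent: PostgreSQL's default for log_hostname is off

def _walk(module: dict):
    """Yield every resource in a plan module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_violations(plan_json: str) -> list:
    """Return addresses of PostgreSQL instances in the plan that fail the rule."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in _walk(root)
        if res.get("type") == "google_sql_database_instance"
        and not instance_is_compliant(res.get("values", {}))
    ]

# Constructed sample plan (not real output): one compliant instance, one with
# the flag omitted, one with it explicitly "off", and one MySQL instance.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_sql_database_instance.ok", "type": "google_sql_database_instance",
     "values": {"database_version": "POSTGRES_13",
                "settings": [{"database_flags": [{"name": "log_hostname", "value": "on"}]}]}},
    {"address": "google_sql_database_instance.missing", "type": "google_sql_database_instance",
     "values": {"database_version": "POSTGRES_13", "settings": [{"database_flags": []}]}},
    {"address": "google_sql_database_instance.off", "type": "google_sql_database_instance",
     "values": {"database_version": "POSTGRES_14",
                "settings": [{"database_flags": [{"name": "log_hostname", "value": "off"}]}]}},
    {"address": "google_sql_database_instance.mysql", "type": "google_sql_database_instance",
     "values": {"database_version": "MYSQL_8_0", "settings": [{}]}},
]}}})

if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print(f"FAILED: {address} does not set log_hostname to on")
```

Note that enabling log_hostname makes PostgreSQL resolve the client address for each connection, so expect a small per-connection cost when turning it on.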

Rule Details

| Field      | Value                    |
|------------|--------------------------|
| ID         | IAC-0966                 |
| Severity   | INFO                     |
| IaC Type   | Terraform                |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_108              |
