PostgreSQL log duration not set

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > PostgreSQL log duration not set

Metadata

Id: ansible-azure-postgresql-log-duration-not-set

Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Learn More

Provider Reference

Description

Enable the PostgreSQL server parameter log_duration to record statement execution durations. Without duration logging, slow queries and malicious long-running activity can go undetected, hindering timely detection and forensic investigation.

In Ansible tasks using the azure.azcollection.azure_rm_postgresqlconfiguration or azure_rm_postgresqlconfiguration module, the parameter entry with name: log_duration must have value: 'ON'. Tasks missing the value property or with a value other than ON (case-insensitive) are flagged.

Secure Ansible task example:

- name: Enable log_duration for PostgreSQL server
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myPostgresServer
    name: log_duration
    value: "ON"

Compliant Code Examples

- name: example1
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: on
- name: example2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: On
- name: example3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: ON
- name: example4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: on
- name: example5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: On
- name: example6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: ON

Non-Compliant Code Examples

- name: example1
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: off
- name: example2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: Off
- name: example3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: OFF
- name: example4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: "off"
- name: example5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: "Off"
- name: example6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_duration
    value: "OFF"