Metadata

Id: 0461b4fd-21ef-4687-929e-484ee4796785

Cloud Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Description

PostgreSQL servers must retain logs to support security incident investigation and satisfy audit and compliance requirements. Without log retention, attackers or misconfigurations may go undetected and forensic analysis is impeded.

In Ansible playbooks, tasks that use the azure.azcollection.azure_rm_postgresqlconfiguration module (or its short name azure_rm_postgresqlconfiguration, which refers to the same module) to set the server parameter name: log_retention must give it value: on. The comparison is case-insensitive, so ON and On are also accepted. Tasks using these modules that lack the log_retention configuration, or that set it to any value other than on, are flagged as insecure.

One caveat when writing the value: Ansible's YAML loader follows YAML 1.1, so a bare on is read as the boolean true and handed to the module as the string "True" rather than "on". Quote the value (value: "on") to keep the literal parameter value; because the rule's comparison is case-insensitive, the quoted form is still compliant.

Secure Ansible example:

- name: Ensure PostgreSQL log_retention is enabled
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: my-resource-group
    server_name: my-postgres-server
    name: log_retention
    value: "on"
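As an added example (not part of the Datadog rule or of the azure.azcollection collection), the check described above re-implemented in Python over the objects that yaml.safe_load() returns for an Ansible task list, so it runs without PyYAML or Azure access. The module names are the two from the rule; the sample tasks are constructed for this example; and reporting a playbook that never sets log_retention as a "missing" finding is this checker's interpretation of the rule text.

```python
"""Offline re-implementation of the log_retention rule (added example)."""
from __future__ import annotations

from typing import Any, Optional

# The two module names the rule accepts: the FQCN and the legacy short name.
POSTGRES_CONFIG_MODULES = (
    "azure.azcollection.azure_rm_postgresqlconfiguration",
    "azure_rm_postgresqlconfiguration",
)


def normalise_value(value: Any) -> str:
    """Lower-case a parameter value, mapping YAML 1.1 booleans back to on/off.

    PyYAML and Ansible load a bare ``on``/``off`` as True/False, so a task
    written as ``value: on`` reaches us as the bool True, not the string "on".
    """
    if isinstance(value, bool):
        return "on" if value else "off"
    return str(value).strip().lower()


def log_retention_params(task: dict) -> Optional[dict]:
    """Return the module parameters if this task sets log_retention, else None."""
    for module in POSTGRES_CONFIG_MODULES:
        params = task.get(module)
        if isinstance(params, dict) and normalise_value(params.get("name", "")) == "log_retention":
            return params
    return None


def check_task(task: dict) -> list[str]:
    """Findings for one task: empty if it is compliant or out of scope for this rule."""
    params = log_retention_params(task)
    if params is None:
        return []  # another module, or a different server parameter
    value = normalise_value(params.get("value", ""))
    if value == "on":
        return []
    label = task.get("name", "<unnamed task>")
    return [f"{label}: log_retention is {value!r}, expected 'on'"]


def check_playbook(tasks: list[dict]) -> list[str]:
    """Findings for a task list, plus a 'missing' finding if nothing sets log_retention."""
    findings: list[str] = []
    for task in tasks:
        findings.extend(check_task(task))
    # Interpretation used here: a playbook that never touches log_retention is also flagged.
    if not any(log_retention_params(t) is not None for t in tasks):
        findings.append("no task sets log_retention on the PostgreSQL server")
    return findings


# Constructed sample, shaped like yaml.safe_load() output for a task list.
SAMPLE_TASKS: list[dict] = [
    {"name": "Enable log retention (FQCN, bare on loaded as True)",
     "azure.azcollection.azure_rm_postgresqlconfiguration": {
         "resource_group": "my-resource-group", "server_name": "my-postgres-server",
         "name": "log_retention", "value": True}},
    {"name": "Disable log retention",
     "azure_rm_postgresqlconfiguration": {
         "resource_group": "myResourceGroup", "server_name": "myServer",
         "name": "log_retention", "value": "off"}},
    {"name": "Unrelated server parameter",
     "azure_rm_postgresqlconfiguration": {
         "resource_group": "myResourceGroup", "server_name": "myServer",
         "name": "log_checkpoints", "value": "on"}},
    {"name": "Unrelated module", "debug": {"msg": "hello"}},
]


if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_TASKS):
        print(finding)
```

Only the second sample task is reported; the first passes because the boolean that YAML 1.1 produces for a bare on is normalised back to "on", and the third is ignored because it sets a different parameter.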

Compliant Code Examples

- name: Update PostgreSQL Server setting
  azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_retention
    value: on

Non-Compliant Code Examples

---
- name: Update PostgreSQL Server setting
  azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_retention
    value: off