Metadata

Id: 7b47138f-ec0e-47dc-8516-e7728fe3cc17

Cloud Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Description

PostgreSQL servers must have the server parameter log_connections set to ON so connection events are recorded for auditing and intrusion detection. Without this logging, connection attempts and session activity can go unnoticed, hampering incident investigation and compliance.

In Ansible, tasks using the azure.azcollection.azure_rm_postgresqlconfiguration or azure_rm_postgresqlconfiguration modules must set the name property to log_connections and the value property to ON. This rule flags tasks where name equals log_connections (case-insensitive) and value is missing or not ON (case-insensitive). Secure configuration example:

- name: Enable PostgreSQL connection logging
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: my-rg
    server_name: my-pg-server
    name: log_connections
    value: "ON"

Compliant Code Examples

- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: on
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: On
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: ON
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: on
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: On
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: ON

Non-Compliant Code Examples

---
- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: off
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: Off
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: OFF
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: "off"
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: "Off"
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_connections
    value: "OFF"