PostgreSQL instances should have the 'cloudsql.enable_pgaudit' database flag set to 'on'
Description
Setting the cloudsql.enable_pgaudit database flag to on enables the pgAudit extension on a Cloud SQL PostgreSQL instance. pgAudit emits detailed session and object audit log entries via the standard PostgreSQL logging facility, providing the level of detail expected by compliance frameworks for centralized audit logging.
Rationale
Without pgAudit, the default log_statement setting only records statements at coarse levels (none, ddl, mod, all) and does not classify events as audit events for downstream pipelines. pgAudit produces classified audit records that downstream SIEMs and log-export pipelines can route, alert on, and retain separately from operational logs. Enabling pgAudit is also a prerequisite for satisfying the CIS GCP Foundation Benchmark v5.0.0 control 6.2.8.
Impact
Enabling pgAudit increases log volume and storage costs in proportion to database activity, and the increase scales with how many statement classes pgaudit.log is set to record. Plan for the additional sink and retention cost in Cloud Logging or whichever export destination the project uses. Patching flags from the command line also replaces the instance's entire flag set, so any flag omitted from the call reverts to its default; apply flag changes during a window of low usage and re-assert the full set of custom flags with every patch.
From the console
- Navigate to the Cloud SQL Instances page in the Google Cloud Console.
- Select the PostgreSQL instance to update.
- Click Edit.
- Scroll to the Flags section.
- Click Add item, choose cloudsql.enable_pgaudit from the dropdown, and set the value to on.
- Click Save and confirm the change.
From the command line
gcloud sql instances patch <INSTANCE_NAME> --database-flags cloudsql.enable_pgaudit=on
gcloud sql instances patch --database-flags replaces all previously set database flags rather than merging with them. To preserve existing flags, pass the full set on every patch call (for example, --database-flags cloudsql.enable_pgaudit=on,log_statement=ddl,log_connections=on); read the current set first with gcloud sql instances describe <INSTANCE_NAME> --format="json(settings.databaseFlags)". For flags that do not take a value, append an equals sign with no value (FLAG_NAME=).
After enabling the flag, install the pgAudit extension on each database that should emit audit events. The extension alone logs nothing: pgaudit.log defaults to none, so also set the pgaudit.log database flag (for example pgaudit.log=all, or a narrower class list such as ddl,write) to choose which statement classes are audited.
gcloud sql connect <INSTANCE_NAME> --user=postgres --quiet
CREATE EXTENSION pgaudit;
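The two command-line steps above are easy to get wrong at scale: a patch that forgets an existing flag silently resets it. The following script, an added example that is not part of this benchmark page or of Google's tooling, audits a project's instances for the flag and builds a patch command per non-compliant PostgreSQL instance that carries every existing flag forward. It assumes only `gcloud sql instances list --format=json` (whose output has `databaseVersion` and `settings.databaseFlags[]{name,value}`) and `gcloud sql instances patch --database-flags`; the instance list embedded below is constructed sample data standing in for the live `gcloud` output, and the `remediate`, `noncompliant` and `merged_flag_arg` helper names are this example's own.

```python
"""Audit and remediate cloudsql.enable_pgaudit on Cloud SQL PostgreSQL instances.

Added example, not code from the benchmark page or from Google. Assumes the
JSON shape returned by `gcloud sql instances list --format=json`
(databaseVersion, settings.databaseFlags[]{name,value}) and the
`gcloud sql instances patch --database-flags` call documented above.
"""
import json
import subprocess
from typing import Dict, List

FLAG = "cloudsql.enable_pgaudit"

# Constructed sample standing in for live `gcloud sql instances list --format=json`
# output, trimmed to the fields this script reads.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "pg-prod", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [{"name": "log_statement", "value": "ddl"},
                                    {"name": "log_connections", "value": "on"}]}},
    {"name": "pg-audit", "databaseVersion": "POSTGRES_14",
     "settings": {"databaseFlags": [{"name": FLAG, "value": "on"},
                                    {"name": "pgaudit.log", "value": "all"}]}},
    {"name": "pg-noflags", "databaseVersion": "POSTGRES_16", "settings": {}},
    {"name": "mysql-prod", "databaseVersion": "MYSQL_8_0",
     "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}},
])


def sample_instances() -> List[dict]:
    """Parse the constructed sample; in production replace with the gcloud list call."""
    return json.loads(SAMPLE_INSTANCES_JSON)


def live_instances() -> List[dict]:
    """Fetch real instances from the active gcloud project (not run by default)."""
    out = subprocess.run(["gcloud", "sql", "instances", "list", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def flags_of(instance: dict) -> Dict[str, str]:
    """Database flags as name -> value; a valueless flag maps to ''."""
    return {f["name"]: f.get("value", "")
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def noncompliant(instances: List[dict]) -> List[str]:
    """PostgreSQL instances where the flag is not 'on' (unset counts as off).
    MySQL and SQL Server instances are out of scope for this control."""
    return [i["name"] for i in instances
            if i["databaseVersion"].startswith("POSTGRES")
            and flags_of(i).get(FLAG, "off").lower() != "on"]


def merged_flag_arg(instance: dict, desired: Dict[str, str]) -> str:
    """Build the --database-flags value from every existing flag plus the desired
    ones. patch replaces the whole set, so an omitted flag would revert to default."""
    merged = flags_of(instance)
    merged.update(desired)
    # A valueless flag is emitted as NAME= (equals sign, empty value), per gcloud.
    return ",".join(f"{name}={value}" for name, value in sorted(merged.items()))


def patch_argv(instance: dict, desired: Dict[str, str]) -> List[str]:
    """argv for the remediation; --quiet suppresses the interactive confirmation."""
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            "--database-flags", merged_flag_arg(instance, desired), "--quiet"]


def remediate(instances: List[dict], apply: bool = False) -> List[List[str]]:
    """Return the patch command for each non-compliant instance; run them if apply."""
    by_name = {i["name"]: i for i in instances}
    cmds = [patch_argv(by_name[name], {FLAG: "on"}) for name in noncompliant(instances)]
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run over the constructed sample: prints the commands without executing them.
    for cmd in remediate(sample_instances(), apply=False):
        print(" ".join(cmd))
```

Run it as-is for a dry run over the sample; swap `sample_instances()` for `live_instances()` and pass `apply=True` to patch a real project. Creating the extension and setting pgaudit.log remain separate steps; this script only asserts the enabling flag while keeping the rest of the flag set intact.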
Default Value
By default, cloudsql.enable_pgaudit is unset (equivalent to off).
References
- pgAudit project
- Cloud SQL Instances console
- Cloud SQL for PostgreSQL: Use pgAudit
- Cloud SQL for PostgreSQL: Configure database flags
CIS Controls
Version 8, 8.5 - Collect Detailed Audit Logs
- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.