Azure PostgreSQL Log Duration Not Enabled
ID: azure-postgres-log-duration-disabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config
Description
Section titled “Description”Ensure that “log_duration” server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the “log_duration” parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the “Parse”, “Bind”, and “Execute” steps is logged independently.
YAML Source
Section titled “YAML Source”id: azure-postgres-log-duration-disabledinfo: name: Azure PostgreSQL Log Duration Not Enabled author: princechaddha severity: medium description: | Ensure that "log_duration" server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the "Parse", "Bind", and "Execute" steps is logged independently. impact: | Disabling the "log_duration" parameter prevents logging of query execution times, which is crucial for performance analysis and security auditing. remediation: | Enable the "log_duration" parameter in Azure PostgreSQL server configurations to ensure comprehensive logging of query durations for security and performance analysis. reference: - https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config
flow: | code(1); for (let ServerData of iterate(template.serverList)) { ServerData = JSON.parse(ServerData); set("name", ServerData.name); set("resourceGroup", ServerData.resourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az postgres server list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors: - type: json name: serverList internal: true json: - '.[]'
- engine: - sh - bash source: | az postgres server configuration show --server-name "$name" --resource-group "$resourceGroup" --name log_duration --query 'value'
matchers: - type: word words: - 'off'
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " has log_duration disabled"'# digest: 490a0046304402203017e10950a2d5cbbde2b8b1e6ea6c3873156078d5fbafedd35fc4f89be9bbc1022030a6361e9ad0b311afbe10e74e29841c1ebfd6bb4f3e6b96f12d0f4859762c73:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/postgresql/azure-postgres-log-duration-disabled.yaml"