id: azure-postgres-log-duration-disabled info: name: Azure PostgreSQL Log Duration Not Enabled author: princechaddha severity: medium description: | Ensure that "log_duration" server parameter is enabled for all PostgreSQL database servers created in your Microsoft Azure cloud account. Once enabled, the "log_duration" parameter allows recording the duration of each completed PostgreSQL statement. Only users with administrative privileges can change this setting within Azure PostgreSQL server configuration. For database clients using extended query protocol, the duration of the "Parse", "Bind", and "Execute" steps is logged independently. impact: | Disabling the "log_duration" parameter prevents logging of query execution times, which is crucial for performance analysis and security auditing. remediation: | Enable the "log_duration" parameter in Azure PostgreSQL server configurations to ensure comprehensive logging of query durations for security and performance analysis. reference: - https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config flow: | code(1); for (let ServerData of iterate(template.serverList)) { ServerData = JSON.parse(ServerData); set("name", ServerData.name); set("resourceGroup", ServerData.resourceGroup); code(2); } self-contained: true code: - engine: - sh - bash source: | az postgres server list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}' extractors: - type: json name: serverList internal: true json: - '.[]' - engine: - sh - bash source: | az postgres server configuration show --server-name "$name" --resource-group "$resourceGroup" --name log_duration --query 'value' matchers: - type: word words: - 'off' extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " has log_duration disabled"' # digest: 490a0046304402203017e10950a2d5cbbde2b8b1e6ea6c3873156078d5fbafedd35fc4f89be9bbc1022030a6361e9ad0b311afbe10e74e29841c1ebfd6bb4f3e6b96f12d0f4859762c73:922c64590222798bb761d5b6d8e72950