Skip to content

Ensure 'log_duration' is enabled

Description

Enabling the log_duration setting causes the duration of each completed SQL statement to be logged.

For clients using the extended query protocol, durations of the Parse, Bind, and Execute steps are logged independently.

Rationale

By logging the duration of statements, it is easy to identify both non-performant queries as well as possible DoS attempts (excessively long running queries may be attempts at resource starvation).

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/engine postgres

Default Rule

const { checkRdsVersion, checkServerSetting, OK_SKIP_VERSION } = module
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the duration of statements is being logged
 */

function validate(databaseSettings) {
    const supportedVersions = ['9.5']
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if(!supported) {
        return OK_SKIP_VERSION
    }
    const settingName = 'log_duration'
    const expectedValue = "on"
    const success = checkServerSetting(databaseSettings, settingName, expectedValue)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);