Ensure 'log_min_duration_statement' is disabled

Description

The log_min_duration_statement setting specifies the minimum execution time for a statement at which the statement will be logged. For example, if you set it to 250ms, then all SQL statements that run 250ms or longer will be logged. Setting it to -1 disables this feature, which is recommended. Setting it to 0 records all statements regardless of duration.

Rationale

Logging of SQL statements may include sensitive information that should not be recorded in logs.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      postgres

Default Rule

// Helpers and the skip constant are taken from `module`
const { checkRdsVersion, checkServerSetting, OK_SKIP_VERSION } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {*} OK_SKIP_VERSION if the engine version is not covered by this rule,
 *     otherwise { success } reporting whether log_min_duration_statement is -1
 */
function validate(databaseSettings) {
    // The rule is only evaluated for the listed engine versions
    const supportedVersions = ['9.5']
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported) {
        return OK_SKIP_VERSION
    }

    // Compare the setting against the string "-1" (duration logging disabled)
    const settingName = 'log_min_duration_statement'
    const expectedValue = "-1"
    const success = checkServerSetting(databaseSettings, settingName, expectedValue)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
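
An added example, not part of the original rule or the project's code: a stand-alone classifier for the value classes the Description names (-1, 0, a positive threshold), run over constructed parameter lists. The `{ ParameterName, ParameterValue }` entry shape, the function names and the sample groups are assumptions; an unset value is treated as the PostgreSQL default of -1, and unit suffixes such as `2s` are accepted as written in postgresql.conf.

```javascript
// Added example; function names and the sample data are hypothetical/constructed.
const SETTING = 'log_min_duration_statement'
// Milliseconds per PostgreSQL time unit; a bare integer is read as milliseconds.
const UNIT_MS = { ms: 1, s: 1000, min: 60000, h: 3600000, d: 86400000 }

// Classify one raw value (undefined/null/'' means the parameter is not set).
function classifyLogMinDuration(raw) {
    const text = raw === undefined || raw === null ? '' : String(raw).trim()
    if (text === '') {
        // Unset falls back to the PostgreSQL default of -1 (disabled).
        return { state: 'unset-default', compliant: true, thresholdMs: null }
    }
    if (text === '-1') {
        return { state: 'disabled', compliant: true, thresholdMs: null }
    }
    const match = /^(\d+)\s*(ms|s|min|h|d)?$/.exec(text)
    if (!match) {
        // Fail closed: a value this example cannot parse is not reported as compliant.
        return { state: 'unrecognised', compliant: false, thresholdMs: null }
    }
    const thresholdMs = Number(match[1]) * UNIT_MS[match[2] || 'ms']
    const state = thresholdMs === 0 ? 'logs-all-statements' : 'logs-slow-statements'
    return { state, compliant: false, thresholdMs }
}

// Audit one parameter list made of { ParameterName, ParameterValue } entries.
function auditParameters(parameters) {
    const entry = parameters.find((p) => p.ParameterName === SETTING)
    return classifyLogMinDuration(entry ? entry.ParameterValue : undefined)
}

// Constructed sample parameter groups (not real exports).
const SAMPLE_GROUPS = {
    'pg-hardened': [{ ParameterName: SETTING, ParameterValue: '-1' }],
    'pg-unset': [{ ParameterName: SETTING }],
    'pg-slowlog': [{ ParameterName: SETTING, ParameterValue: '250' }],
    'pg-debug': [{ ParameterName: SETTING, ParameterValue: '0' }],
    'pg-conf-style': [{ ParameterName: SETTING, ParameterValue: '2s' }],
}

// Return the groups that would write statement text to the log, with the reason.
function findNonCompliant(groups) {
    return Object.entries(groups)
        .map(([name, params]) => ({ name, ...auditParameters(params) }))
        .filter((result) => !result.compliant)
}

for (const r of findNonCompliant(SAMPLE_GROUPS)) {
    console.log(`${r.name}: ${r.state} (threshold ${r.thresholdMs} ms)`)
}
```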