Skip to content

Ensure 'log_statement' is set correctly

Description

The log_statement setting specifies the types of SQL statements that are logged. Valid values are: - none (off) - ddl - mod - all (all statements) It is recommended this be set to ddl unless otherwise directed by your organization's logging policy. ddl logs all data definition statements: - CREATE - ALTER - DROP mod logs all ddl statements, plus data-modifying statements: - INSERT - UPDATE - DELETE - TRUNCATE - COPY FROM (PREPARE, EXECUTE, and EXPLAIN ANALYZE statements are also logged if their contained command is of an appropriate type.)

For clients using extended query protocol, logging occurs when an Execute message is received, and values of the Bind parameters are included (with any embedded single-quote marks doubled).

Rationale

Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/engine postgres

Default Rule

const { checkServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the log_statement is set correctly ('ddl' by default)
 */

function validate(databaseSettings, parameters = { log_statement : 'ddl' }) {
    const settingName = 'log_statement'
    const expectedValue = parameters.log_statement
    const forbiddenValue = 'none'
    const success =
        checkServerSetting(databaseSettings, settingName, expectedValue) &&
        !checkServerSetting(databaseSettings, settingName, forbiddenValue)

    return {
        success,
    }
}

// invoke
// TODO: add parameters
validate(databaseSettings);