3.1.23 Ensure 'log_statement' is set correctly

Information

The log_statement setting specifies the types of SQL statements that are logged. Valid values are:
* none (off)
* ddl
* mod
* all (all statements)
It is recommended this be set to ddl unless otherwise directed by your organization's logging policy.
ddl logs all data definition statements:
* CREATE
* ALTER
* DROP
mod logs all ddl statements, plus data-modifying statements:
* INSERT
* UPDATE
* DELETE
* TRUNCATE
* COPY FROM
(PREPARE, EXECUTE, and EXPLAIN ANALYZE statements are also logged if their contained command is of an appropriate type.)
For clients using extended query protocol, logging occurs when an Execute message is received, and values of the Bind parameters are included (with any embedded single-quote marks doubled).

Rationale:

Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities.

Solution

Execute the following SQL statement(s) as superuser to remediate this setting:

postgres=# alter system set log_statement='ddl';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)

Default Value:

none

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|6, CSCv7|6.3

Plugin: PostgreSQLDB

Control ID: 8a6ac377e2e94ec5fcbf33a393ac449c47dbac7aaf9074afd91041b69bf452d4