3.1.22 Ensure 'log_line_prefix' is set correctly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The log_line_prefix setting specifies a printf-style string that is prefixed to each log line. If blank, no prefix is used. You should configure this as recommended by the pgBadger development team unless directed otherwise by your organization's logging policy.

% characters begin 'escape sequences' that are replaced with status information as outlined below. Unrecognized escapes are ignored. Other characters are copied straight to the log line. Some escapes are only recognized by session processes and will be treated as empty by background processes such as the main server process. Status information may be aligned either left or right by specifying a numeric literal after the % and before the option. A negative value will cause the status information to be padded on the right with spaces to give it a minimum width, whereas a positive value will pad on the left. Padding can be useful to aid human readability in log files.

Any of the following escape sequences can be used:

Escape  Effect                                            Session only
%a      Application name                                  yes
%u      User name                                         yes
%d      Database name                                     yes
%r      Remote host name or IP address, and remote port   yes
%h      Remote host name or IP address                    yes
%p      Process ID                                        no
%t      Time stamp without milliseconds                   no
%m      Time stamp with milliseconds                      no
%i      Command tag: type of session's current command    yes
%e      SQLSTATE error code                               no
%c      Session ID: see below                             no
%l      Number of the log line for each session
        or process, starting at 1                         no
%s      Process start time stamp                          no
%v      Virtual transaction ID (backendID/localXID)       no
%x      Transaction ID (0 if none is assigned)            no
%q      Produces no output, but tells non-session
        processes to stop at this point in the string;
        ignored by session processes                      no
%%      Literal %

Rationale:

Properly setting log_line_prefix allows for adding additional information to each log entry (such as the user, or the database). Said information may then be of use in auditing or security reviews.

Solution

Execute the following SQL statement(s) to remediate this setting:

postgres=# alter system set log_line_prefix = '%m [%p]: [%l-1] db=%d,user=%u,app=%a,client=%h ';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)

Default Value:

%m [%p]
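
The escape syntax and the two prefix values above, worked through in an added Python example (not part of the CIS benchmark or of PostgreSQL): it reports which required escapes a log_line_prefix value lacks and expands a prefix with constructed sample values to show the padding rule. The REQUIRED set is an assumption taken from the remediation value; the function names and sample values are hypothetical.

```python
import re

# Escapes from the table above; the server ignores any other letter.
KNOWN = set("audrhptmieclsvxq")
SESSION_ONLY = set("audrhi")
# Assumption: policy requires the escapes used in the remediation value.
REQUIRED = set("mplduah")
# "%", optional signed width, then the escape letter.
ESCAPE = re.compile(r"%(-?\d+)?(.?)", re.S)


def parse_prefix(prefix):
    """Return (letter, width) for each recognized escape, in order."""
    return [(m.group(2), int(m.group(1) or 0))
            for m in ESCAPE.finditer(prefix) if m.group(2) in KNOWN]


def audit_prefix(prefix):
    """List missing required escapes and those empty in background processes."""
    present = {letter for letter, _ in parse_prefix(prefix)}
    return {"missing": sorted(REQUIRED - present),
            "session_only": sorted(present & SESSION_ONLY)}


def render(prefix, values):
    """Expand a well-formed prefix as a session process would, using sample values."""
    def sub(m):
        pad, letter = m.group(1), m.group(2)
        if letter == "%" and pad is None:
            return "%"                      # %% is a literal percent sign
        if letter not in KNOWN or letter == "q":
            return ""                       # ignored / produces no output
        text = str(values.get(letter, ""))
        width = int(pad or 0)
        # Negative width pads on the right, positive width pads on the left.
        return text.ljust(-width) if width < 0 else text.rjust(width)
    return ESCAPE.sub(sub, prefix)


if __name__ == "__main__":
    recommended = "%m [%p]: [%l-1] db=%d,user=%u,app=%a,client=%h "
    sample = {"m": "2024-01-01 12:00:00.000 UTC", "p": 4242, "l": 7, "d": "appdb",
              "u": "alice", "a": "psql", "h": "192.0.2.10"}   # constructed values
    print(audit_prefix("%m [%p] "))        # the default value
    print(audit_prefix(recommended))
    print(render(recommended, sample) + "LOG:  statement: ...")
```

With the default value, the audit shows that lines carry no user, database, application or client field, so they cannot be attributed to a session during a review.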

References:

https://pgbadger.darold.net/

https://www.postgresql.org/docs/12/static/runtime-config-logging.html

See Also

https://workbench.cisecurity.org/files/2536