3.1.25 Ensure 'log_statement' is set correctly - log_statement is set correctly

Information

The log_statement setting specifies the types of SQL statements that are logged. Valid values are:

none (off)

ddl

mod

all (all statements)

It is recommended this be set to ddl unless otherwise directed by your organization's logging policy.

ddl logs all data definition statements:

CREATE

ALTER

DROP

mod logs all ddl statements, plus data-modifying statements:

INSERT

UPDATE

DELETE

TRUNCATE

COPY FROM

(PREPARE, EXECUTE, and EXPLAIN ANALYZE statements are also logged if their contained command is of an appropriate type.)

For clients using extended query protocol, logging occurs when an Execute message is received, and values of the Bind parameters are included (with any embedded single-quote marks doubled).

Rationale:

Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities.

Solution

Execute the following SQL statement(s) as superuser to remediate this setting:

postgres=# alter system set log_statement='ddl';
ALTER SYSTEM
postgres=# select pg_reload_conf();
 pg_reload_conf
----------------
 t
(1 row)
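
To confirm the remediation took effect, the following queries (an added example, not part of the benchmark text) report the effective value, the configuration file entries behind it, and any per-database or per-role overrides that would take precedence over the server-wide setting. They assume PostgreSQL 9.5 or later and a superuser session.

```sql
-- Added verification example; assumes PostgreSQL 9.5+ and a superuser session.

-- 1. Effective value in this session and where it came from.
--    After the remediation above, expect setting = 'ddl' and
--    source = 'configuration file' (postgresql.auto.conf).
SELECT name, setting, source, sourcefile, sourceline, pending_restart
FROM pg_settings
WHERE name = 'log_statement';

-- 2. Every entry for the parameter in the configuration files, including
--    the one written by ALTER SYSTEM. applied = false or a non-null error
--    means that entry is not the one in effect.
SELECT sourcefile, sourceline, seqno, setting, applied, error
FROM pg_file_settings
WHERE name = 'log_statement'
ORDER BY seqno;

-- 3. Overrides set with ALTER DATABASE ... SET or ALTER ROLE ... SET.
--    These apply at session start and take precedence over the
--    server-wide value, so a role or database listed here may still
--    run with log_statement = 'none'.
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       cfg                                    AS override
FROM pg_db_role_setting AS s
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE split_part(cfg, '=', 1) = 'log_statement';
```

An empty result from the third query means no database or role overrides the server-wide value.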

Default Value:

none

See Also

https://workbench.cisecurity.org/benchmarks/11861

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, CSCv7|6.3

Plugin: PostgreSQLDB

Control ID: b07c456c7c454c251c371cbecadb08334ec6d979f4cd0e5499e8b968df17d338