3.1.17 Ensure 'debug_print_rewritten' is disabled

Information

The debug_print_rewritten setting enables printing the query rewriter output for each executed query. These messages are emitted at the LOG message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to off.

Rationale:

Enabling any of the DEBUG printing variables may cause the logging of sensitive information that would otherwise be omitted based on the configuration of the other logging settings.

Solution

Execute the following SQL statement(s) to disable this setting:

postgres=# alter system set debug_print_rewritten = 'off';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)

Default Value:

off

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: PostgreSQLDB

Control ID: 64cc74f5d299e12e692ff6fbc1839663aa21634f2be73ad7b914c0f146c2f85f