3.1.21 Ensure 'log_disconnections' is enabled

Information

Enabling the log_disconnections setting logs the end of each session, including session duration. This parameter cannot be changed after the session start.

Rationale:

PostgreSQL does not maintain the beginning or ending of a connection internally for later review. It is only by enabling the logging of these that one can examine connections for failed attempts, 'over long' duration, or other anomalies.

Note that enabling this without also enabling log_connections provides little value. Generally, you would enable/disable the pair together.

Solution

Execute the following SQL statement(s) to enable this setting:

postgres=# alter system set log_disconnections = 'on';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)

Default Value:

off

See Also

https://workbench.cisecurity.org/benchmarks/14977

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, CSCv7|6.3

Plugin: PostgreSQLDB

Control ID: b6039a938de913ff17688e26a6b1daffaa2146cd0dfa9199377713e323e9f649