Beta - SQL DB Instance With Unrecommended Logging Threshold
- Query id: ecbbe763-95dc-47e6-8660-84ff751e5acf
- Query name: Beta - SQL DB Instance With Unrecommended Logging Threshold
- Platform: Terraform
- Severity: Low
- Category: Observability
- CWE: 779
- Risk score: 1.0
- URL: Github
Description
All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity, to prevent excessive logging.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive: a POSTGRES_14 instance whose "log_min_messages" flag is "NOTICE",
# which is below the "WARNING" threshold this query requires.
# The unrelated sample_flag1/sample_flag2 entries show that the flag is
# located by its "name" among several database_flags blocks, not by position.
resource "google_sql_database_instance" "positive_1" {
  name             = "postgres-instance-with-flag"
  database_version = "POSTGRES_14"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "sample_flag1"
      value = "off"
    }
    database_flags {
      name  = "log_min_messages"
      value = "NOTICE"
    } # Flag is set to "NOTICE" (more verbose than "WARNING": reported)
    database_flags {
      name  = "sample_flag2"
      value = "off"
    }
  }
}
# Positive: a POSTGRES_13 instance with "log_min_messages" set to "DEBUG5",
# the most verbose PostgreSQL message level, far below the "WARNING" threshold.
resource "google_sql_database_instance" "positive_2" {
  name             = "postgres-instance-with-flag"
  database_version = "POSTGRES_13"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "log_min_messages"
      value = "DEBUG5"
    } # Flag is set to "DEBUG5" (more verbose than "WARNING": reported)
  }
}
# Positive: a POSTGRES_13 instance with "log_min_messages" set to "INFO",
# which is below the "WARNING" threshold this query requires.
resource "google_sql_database_instance" "positive_3" {
  name             = "postgres-instance-with-flag"
  database_version = "POSTGRES_13"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "log_min_messages"
      value = "INFO"
    } # Flag is set to "INFO" (more verbose than "WARNING": reported)
  }
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative: the instance is MySQL, so it is out of this query's scope even
# though a very verbose "log_min_messages" value is present. The scope is
# decided by "database_version", not by the instance name.
resource "google_sql_database_instance" "negative_1" {
  name             = "main-instance"
  database_version = "MYSQL_8_0" # Is not a POSTGRES instance
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "log_min_messages"
      value = "DEBUG3" # Ignored: only POSTGRES instances are evaluated
    }
  }
}
# Negative: a POSTGRES_17 instance with no "settings" block at all, so no
# "log_min_messages" flag is declared and the query relies on the default.
# NOTE(review): the name says "mysql" but "database_version" is POSTGRES_17;
# the name is only a label and does not affect how the query classifies it.
resource "google_sql_database_instance" "negative_2" {
  name             = "mysql-instance-without-flag"
  database_version = "POSTGRES_17"
  region           = "us-central1"
  # Defaults to "ERROR" (as assumed by this query; confirm against the
  # Cloud SQL flag documentation for the PostgreSQL version in use)
}
# Negative: a POSTGRES_16 instance with an empty "settings" block, so no
# "log_min_messages" flag is declared and the default applies.
resource "google_sql_database_instance" "negative_3" {
  name             = "postgres-instance-without-flag"
  database_version = "POSTGRES_16"
  region           = "us-central1"
  settings {} # Defaults to "ERROR"
}
# Negative: a POSTGRES_15 instance whose only database_flags entry is an
# unrelated flag; "log_min_messages" is absent, so the default applies.
# The "DEBUG3" value belongs to sample_flag1 and is not evaluated.
resource "google_sql_database_instance" "negative_4" {
  name             = "postgres-instance-without-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "sample_flag1"
      value = "DEBUG3"
    }
    # Defaults to "ERROR"
  }
}
# Negative: a POSTGRES_15 instance with "log_min_messages" set to "FATAL",
# a severity above "WARNING", so the threshold is satisfied. The surrounding
# sample_flag1/sample_flag2 entries show the flag is matched by name.
# NOTE(review): the name says "mysql" but "database_version" is POSTGRES_15;
# the name is only a label and does not affect how the query classifies it.
resource "google_sql_database_instance" "negative_5" {
  name             = "mysql-instance-with-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "sample_flag1"
      value = "off"
    }
    database_flags {
      name  = "log_min_messages"
      value = "FATAL"
    } # Has flag set to "FATAL" (at or above "WARNING": accepted)
    database_flags {
      name  = "sample_flag2"
      value = "off"
    }
  }
}
# Negative: a POSTGRES_15 instance with "log_min_messages" set to "ERROR",
# a severity above "WARNING", so the threshold is satisfied.
resource "google_sql_database_instance" "negative_6" {
  name             = "mysql-instance-with-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    } # Has flag set to "ERROR" (at or above "WARNING": accepted)
  }
}
# Negative: a POSTGRES_15 instance with "log_min_messages" set to "LOG".
# In PostgreSQL's log_min_messages ordering "LOG" sits above "WARNING"
# (and above "ERROR"), so this value is accepted by the query.
resource "google_sql_database_instance" "negative_7" {
  name             = "mysql-instance-with-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "log_min_messages"
      value = "LOG"
    } # Has flag set to "LOG" (at or above "WARNING": accepted)
  }
}
# Negative (boundary case): a POSTGRES_15 instance with "log_min_messages"
# set to exactly "WARNING", the minimum severity this query accepts.
resource "google_sql_database_instance" "negative_8" {
  name             = "mysql-instance-with-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "log_min_messages"
      value = "WARNING"
    } # Has flag set to "WARNING" (minimum accepted severity)
  }
}
# Negative: a POSTGRES_15 instance with "log_min_messages" set to "PANIC",
# the least verbose PostgreSQL level, well above the "WARNING" threshold.
resource "google_sql_database_instance" "negative_9" {
  name             = "mysql-instance-with-flag"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "log_min_messages"
      value = "PANIC"
    } # Has flag set to "PANIC" (at or above "WARNING": accepted)
  }
}