id: azure-postgres-log-disconnections-disabled
info:
  name: Azure PostgreSQL Log Disconnections Not Enabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that the "log_disconnections" server parameter is enabled for all PostgreSQL database servers provisioned in your Microsoft Azure cloud account. The "log_disconnections" parameter enables the logging of session termination. The log output provides information similar to the one generated by the "log_connections" parameter, plus the duration of the session. Only Azure account admins can change this parameter at the session start, and it cannot be changed at all during a session.
  impact: |
    Failing to enable the "log_disconnections" parameter can hinder monitoring and auditing capabilities, potentially obscuring insights into database session activities and durations.
  remediation: |
    Enable the "log_disconnections" parameter for your Azure PostgreSQL servers to enhance security and auditing capabilities. This change must be made by an Azure account admin at the session start.
  reference:
    - https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs
  tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config

flow: |
  code(1);
  for (let ServerData of iterate(template.serverList)) {
    ServerData = JSON.parse(ServerData);
    set("name", ServerData.name);
    set("resourceGroup", ServerData.resourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az postgres server list --output json --query '[*].{"name":name, "resourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: serverList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az postgres server configuration show --server-name "$name" --resource-group "$resourceGroup" --name log_disconnections --query 'value'

    matchers:
      - type: word
        words:
          - 'off'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " has log_disconnections disabled"'
# digest: 4a0a00473045022100ef27e47360ee1f0d048724a45804a270004c9e2ad894568ab7ccdc34d1101a1202201d8702bc0af4b22470025c2b97f01eaaf6e0c1d0dd86d60fb8266ea6eed5fd42:922c64590222798bb761d5b6d8e72950