2.2 Ensure the PostgreSQL pg_wheel group membership is correct

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The group pg_wheel is explicitly created on a host where the PostgreSQL server is installed. Membership in this group enables an ordinary user account to gain 'superuser' access to a database cluster by using the sudo command (See 'Ensure sudo is configured correctly' later in this benchmark). Only user accounts authorized to have superuser access should be members of the pg_wheel group.

Rationale:

Users with unauthorized membership in the pg_wheel group can assume the privileges of the owner of the PostgreSQL RDBMS and administer the database, and can also access scripts, files, and other executables they should not be able to access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If the pg_wheel group does not exist, use the following command to create it:

$ whoami
root
$ groupadd pg_wheel && getent group pg_wheel
pg_wheel:x:502:

Note that your system's group number may not be 502. That's OK.

Adding the postgres user to the newly created group is done by issuing:

$ whoami
root
$ gpasswd -a postgres pg_wheel
Adding user postgres to group pg_wheel
$ # verify membership
$ awk -F':' '/pg_wheel/{print $4}' /etc/group
postgres

Removing a user account from the 'pg_wheel' group is achieved by executing the following command:

$ whoami
root
$ gpasswd -d postgres pg_wheel
Removing user postgres from group pg_wheel
$ # verify the user was removed
$ awk -F':' '/pg_wheel/{print $4}' /etc/group
$
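
The verification commands above print only the fourth field of /etc/group, which lists supplementary members: an account whose primary group is pg_wheel does not appear there, and the pattern /pg_wheel/ also matches any other group whose name contains that string. The following is an added example, not part of the benchmark or of Nessus, that lists pg_wheel members missing from an approved list. The function names, the approved-list argument and the sample accounts are assumptions, and it reads local group and passwd files only.

```shell
#!/bin/sh
# Added example: report pg_wheel members that are not on an approved list.
# Usage: pg_wheel_unauthorized GROUP_FILE PASSWD_FILE "approved1 approved2"

# Print every member of pg_wheel, one per line; return 2 if the group is absent.
pg_wheel_members() {
    group_file=$1; passwd_file=$2
    # Exact match on field 1, so a group such as pg_wheel_ro is not picked up.
    gid=$(awk -F: '$1 == "pg_wheel" {print $3; exit}' "$group_file")
    [ -n "$gid" ] || return 2
    {
        # Supplementary members: comma-separated field 4 of the group entry.
        awk -F: '$1 == "pg_wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts with pg_wheel as primary group never appear in field 4.
        awk -F: -v gid="$gid" '$4 == gid {print $1}' "$passwd_file"
    } | sort -u
}

# Print members missing from the approved list; return 1 if any were found.
pg_wheel_unauthorized() {
    approved=$3
    members=$(pg_wheel_members "$1" "$2") || return 2
    found=0
    for user in $members; do
        case " $approved " in
            *" $user "*) ;;                 # on the approved list
            *) echo "$user"; found=1 ;;     # not approved
        esac
    done
    return $found
}

# Constructed sample data (not from a real host): alice is a supplementary
# member, bob has pg_wheel as primary group, pg_wheel_ro is a different group.
demo_dir=$(mktemp -d)
printf '%s\n' 'pg_wheel:x:502:postgres,alice' 'pg_wheel_ro:x:503:carol' \
    > "$demo_dir/group"
printf '%s\n' 'postgres:x:26:26::/var/lib/pgsql:/bin/bash' \
    'bob:x:1001:502::/home/bob:/bin/bash' > "$demo_dir/passwd"
pg_wheel_unauthorized "$demo_dir/group" "$demo_dir/passwd" "postgres" \
    || echo "unauthorized pg_wheel members listed above"
rm -rf "$demo_dir"
```

On a host, the same check is run as root against the real files: pg_wheel_unauthorized /etc/group /etc/passwd "postgres".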

References:

https://man7.org/linux/man-pages/man1/groups.1.html

https://man7.org/linux/man-pages/man8/getent.1.html

https://man7.org/linux/man-pages/man8/gpasswd.1.html

https://man7.org/linux/man-pages/man8/useradd.8.html

https://en.wikipedia.org/wiki/Wheel_%28Unix_term%29

See Also

https://workbench.cisecurity.org/files/2536