1.5 Ensure Data Cluster Initialized Successfully

Information

First-time installs of PostgreSQL require the instantiation of the database cluster. A database cluster is a collection of databases that are managed by a single server instance.

Rationale:

For the purposes of security, PostgreSQL enforces ownership and permissions of the data-cluster such that:

An initialized data-cluster is owned by the UNIX account that created it.

The data-cluster cannot be accessed by other UNIX user-accounts.

The data-cluster cannot be created or owned by root.

The PostgreSQL process cannot be invoked by root or by any UNIX user account other than the owner of the data cluster.

Incorrectly instantiating the data-cluster will result in a failed installation.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Attempting to instantiate a data cluster in an existing non-empty directory will fail:

# whoami
root
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-12/bin/postgresql-12-setup initdb
Data directory is not empty!

In the case of a cluster instantiation failure, one must delete/remove the entire data cluster directory and repeat the initdb command:

# whoami
root
# rm -rf ~postgres/12
# PGSETUP_INITDB_OPTIONS='-k' /usr/pgsql-12/bin/postgresql-12-setup initdb
Initializing database ... OK
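
Once initdb reports OK, the ownership and permission properties listed in the Rationale can be confirmed by hand. The script below is an added example, not part of the benchmark or of Nessus; it assumes GNU stat, takes the data directory as an argument, and its function names and return codes are made up for illustration.

```shell
#!/bin/sh
# Added example: check a PostgreSQL data cluster against the properties in
# the Rationale. Assumes GNU coreutils stat (as on RHEL/CentOS).

# Pure decision logic.
#   $1 = owner uid, $2 = octal mode, $3 = "yes"/"no" (PG_VERSION present)
# Returns 0 = pass, 2 = not initialized, 3 = owned by root, 4 = mode too open.
evaluate_cluster() {
    owner_uid=$1; mode=$2; has_version=$3
    [ "$has_version" = yes ] || { echo "FAIL: no PG_VERSION, cluster not initialized"; return 2; }
    [ "$owner_uid" -ne 0 ]   || { echo "FAIL: data cluster is owned by root"; return 3; }
    case "$mode" in
        700|750) ;;  # the modes PostgreSQL documents for a data directory
        *) echo "FAIL: mode $mode lets other accounts reach the cluster"; return 4 ;;
    esac
    echo "PASS: initialized, owner uid $owner_uid, mode $mode"
}

# Gather the facts from disk and hand them to evaluate_cluster.
check_pg_cluster() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 2; }
    # initdb writes PG_VERSION into the top of every cluster it creates.
    if [ -s "$dir/PG_VERSION" ]; then has_version=yes; else has_version=no; fi
    # stat -c is GNU syntax: %u = owner uid, %a = octal permission bits.
    set -- $(stat -c '%u %a' "$dir")
    evaluate_cluster "$1" "$2" "$has_version"
}

# Usage (the path is an assumption; pass the PGDATA of the target host):
#   check_pg_cluster /var/lib/pgsql/12/data
```
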

See Also

https://workbench.cisecurity.org/files/2536

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: aa1f5e3e419b883705d514dda5ef4a204f3e653ef36122be82b8fa76b474ecb5