4.1 Ensure sudo is configured correctly - /etc/sudoers.d/postgres

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser.

Rationale:

Without sudo, there would not be capabilities to strictly control access to the superuser account and to securely and authoritatively audit its use.

Solution

As superuser root, execute the following commands:

# echo '%pg_wheel ALL= /bin/su - postgres' > /etc/sudoers.d/postgres
# chmod 600 /etc/sudoers.d/postgres

This grants any Operating System user that is a member of the pg_wheel group to use sudo su - postgres to become the postgres user.
Ensure that all Operating System user's that need such access are members of the group as detailed earlier in this benchmark.

See Also

https://workbench.cisecurity.org/files/3170