4.1 Ensure sudo is configured correctly - /etc/sudoers.d/postgres

Information

It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser.

Rationale:

Without sudo, there would be no capabilities to strictly control access to the superuser account nor to securely and authoritatively audit its use.

Solution

As superuser root, execute the following commands:

# echo '%dba ALL=(postgres) PASSWD: ALL' > /etc/sudoers.d/postgres
# chmod 600 /etc/sudoers.d/postgres

This grants any Operating System user that is a member of the dba group the ability to use sudo -iu postgres to become the postgres user.

Ensure that all Operating System users that need such access are members of the group.

See Also

https://workbench.cisecurity.org/benchmarks/11861

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Unix

Control ID: d5df1ac45a4e1b0bfe2cce024d1b4e18a07d7278e77a2b2b31fb3a60e170382b