Information
It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser.
Rationale:
Without sudo, there would be no capabilities to strictly control access to the superuser account nor to securely and authoritatively audit its use.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
As superuser root, execute the following commands:
# echo '%dba ALL=(postgres) PASSWD: ALL' > /etc/sudoers.d/postgres
# chmod 600 /etc/sudoers.d/postgres
This grants any Operating System user that is a member of the dba group the ability to use sudo -iu postgres to become the postgres user.
Ensure that all Operating System user's that need such access are members of the group.