4.1 Ensure sudo is configured correctly

Information

It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser.
Rationale:
Without sudo, there would not be capabilities to strictly control access to the superuser account and to securely and authoritatively audit its use.

Solution

As superuser root, execute the command visudo to edit the /etc/sudoers file so the following line is present:
%pg_wheel ALL= /bin/su - postgres
This grants any Operating System user that is a member of the pg_wheel group to use sudo to become the postgres user.
Ensure that all Operating System user's that need such access are members of the group as detailed earlier in this benchmark.

See Also

https://workbench.cisecurity.org/files/2235

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv6|5.8, CSCv7|4.3

Plugin: Unix

Control ID: 3881d366f840f575f695ee431029eba395c306cc57e13ec5b3c025911656b88b