And why does it have SUDO all?
upgrade ALL=(ALL) NOPASSWD: ALL
Furthermore, what are the implications of disabling this sudo rule and/or disabling ssh login for the upgrade user? This poses a security risk.
No ideas on this one? I am almost positive this account would fail a PCI audit.
The default upgrade user is the db admin that manages the backend postgres DB. Disabling it would mean the upgrade wont work.