CompTIA SecurityX CAS-005 (V5) Practice Question
During a post-incident review, a security engineer discovers that a production backup Bash script contains hard-coded privileged database credentials assigned to a shell variable:
TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
The script runs every night from cron with sudo privileges on a shared Linux jump host. The engineer must redesign the credential handling so that:
- The script continues to run non-interactively from cron.
- The credential is never stored in plaintext on disk.
- The credential's lifetime is limited to the duration of the task.
Which of the following approaches BEST meets these requirements?
Write the token to a root-owned configuration file with permissions set to 600 and have the script read it at runtime.
Have the script request a short-lived token from a centrally managed secrets vault (for example, HashiCorp Vault or AWS Secrets Manager) each time it runs and store the token only in memory.
Export the token as a global environment variable in /etc/profile so it is automatically available to any user session, including the cron job.
Base64-encode the token and keep the encoded value in the script, decoding it with the `base64 -d` command immediately before use.