STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

Secrets in Kubernetes must not be stored as environment variables.

DISA Rule

SV-242415r712601_rule

Vulnerability Number

V-242415

Group Title

SRG-APP-000171-CTR-000435

Rule Version

CNTR-K8-001160

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.

Check Contents

On the Kubernetes Master node, run the following command:

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

If any of the values returned reference environment variables, this is a finding.
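To run the same check offline against saved cluster output, the following added example script (not part of the STIG or of STIGQter) reads the JSON that `kubectl get all -A -o json` returns, walks Pods, templated workloads and CronJobs, and reports every container that receives a Secret through `env[].valueFrom.secretKeyRef`. It goes beyond the jsonpath above by also flagging `envFrom[].secretRef`, which injects every key of a Secret as an environment variable; the sample data is constructed, and Secrets mounted as volume files (the compliant path the Fix Recommendation describes) are not reported.

```python
import json

# Constructed sample of `kubectl get all -A -o json` output, trimmed to the
# fields this check reads; it is not output from a real cluster.
SAMPLE_LIST = json.dumps({"items": [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "env": [
         {"name": "LOG_LEVEL", "value": "info"},
         {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {
             "name": "db-creds", "key": "password"}}}]}]}}}},
    {"kind": "CronJob", "metadata": {"name": "backup", "namespace": "prod"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
         {"name": "backup", "envFrom": [{"secretRef": {"name": "s3-creds"}}]}]}}}}}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web", "env": [{"name": "PORT", "value": "8080"}]}],
              "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}]}},
]})

def pod_spec(obj):
    """Return the pod spec of a Pod, a templated workload, or a CronJob."""
    spec = obj.get("spec", {})
    if "jobTemplate" in spec:                      # CronJob -> Job -> Pod
        spec = spec["jobTemplate"].get("spec", {})
    if "template" in spec:                         # Deployment, StatefulSet, Job, ...
        spec = spec["template"].get("spec", {})
    return spec

def find_secret_env(list_json):
    """Return (kind, namespace, name, container, env var, secret) for every
    container that injects a Secret through env or envFrom."""
    findings = []
    for obj in json.loads(list_json).get("items", []):
        meta, spec = obj.get("metadata", {}), pod_spec(obj)
        head = (obj["kind"], meta.get("namespace"), meta["name"])
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:  # one key of a Secret exposed as one variable
                    findings.append(head + (c["name"], env["name"], ref["name"]))
            for src in c.get("envFrom", []):
                if "secretRef" in src:  # every key of the Secret becomes a variable
                    findings.append(head + (c["name"], "*", src["secretRef"]["name"]))
    return findings

if __name__ == "__main__":
    for f in find_secret_env(SAMPLE_LIST):
        print("FINDING: %s %s/%s container=%s env=%s secret=%s" % f)
```

Any line printed is a finding under this rule; the Pod that mounts its Secret as a volume produces none.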

Documentable

False

Severity Override Guidance

On the Kubernetes Master node, run the following command:

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

If any of the values returned reference environment variables, this is a finding.

Check Content Reference

M

Target Key

5376

Comments