
Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).


Overview

Finding ID: V-95735
Version: DKER-EE-005080
Rule ID: SV-104873r1_rule
IA Controls:
Severity: Medium
Description
Rotate swarm node certificates as appropriate. Docker Swarm uses mutual TLS for clustering operations among its nodes. Certificate rotation ensures that, in an event such as a compromised node or key, it is difficult to impersonate a node because the stolen credential soon expires. By default, node certificates are rotated automatically every 90 days; the user should rotate them more often where appropriate for their environment.
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2019-09-13

Details

Check Text (C-94565r1_chk)
Ensure node certificates are rotated as appropriate.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the below command and ensure that the node certificate Expiry Duration is set according to the System Security Plan (SSP).

docker info | grep "Expiry Duration"

If the expiry duration is not set according to the SSP, this is a finding.
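A scripted form of this check, added here as an example and not part of the STIG text: it parses the `Expiry Duration` line that `docker info` prints on a swarm manager, converts Docker's human-readable duration into hours and compares it against an SSP limit supplied by the operator. The `docker info` excerpt and the 48-hour SSP limit are constructed sample values.

```sh
#!/bin/sh
# Constructed excerpt of `docker info` output from a swarm manager (sample data,
# not captured from a real system). A live check passes "$(docker info)" instead.
SAMPLE_INFO='Swarm: active
  Is Manager: true
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0'

# Convert a docker-style human duration ("48 hours", "2 days", "3 months",
# "About an hour") into whole hours. Months and years are taken as 30 and
# 365 days, matching the rounding docker uses when it prints them.
duration_to_hours() {
  set -- $1
  if [ "$1" = "About" ]; then set -- 1 "$3"; fi   # "About an hour" -> "1 hour"
  case "$2" in
    second*|minute*) echo 0 ;;
    hour*)  echo "$1" ;;
    day*)   echo $(( $1 * 24 )) ;;
    week*)  echo $(( $1 * 24 * 7 )) ;;
    month*) echo $(( $1 * 24 * 30 )) ;;
    year*)  echo $(( $1 * 24 * 365 )) ;;
    *)      echo "unknown duration unit: $2" >&2; return 1 ;;
  esac
}

# Pull the configured expiry out of `docker info` text (empty if not a manager).
expiry_from_info() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Expiry Duration:[[:space:]]*//p'
}

# Compare the swarm's node certificate expiry with the SSP limit in hours.
# Returns 0 when compliant, 1 when this is a finding, 2 when no value is present
# (Swarm inactive, or the command was not run on a manager).
check_cert_expiry() {
  info="$1"; ssp_max_hours="$2"
  expiry=$(expiry_from_info "$info")
  [ -n "$expiry" ] || { echo "Expiry Duration not found; run on a swarm manager"; return 2; }
  hours=$(duration_to_hours "$expiry") || return 2
  if [ "$hours" -gt "$ssp_max_hours" ]; then
    echo "FINDING: expiry is $expiry ($hours h); SSP allows at most $ssp_max_hours h"
    return 1
  fi
  echo "OK: expiry is $expiry ($hours h), within the SSP limit of $ssp_max_hours h"
}

# Sample run against the constructed output: the 90-day default exceeds 48 h.
check_cert_expiry "$SAMPLE_INFO" 48 || true
```

On a real manager with the UCP client bundle loaded, replace the sample with `check_cert_expiry "$(docker info 2>/dev/null)" <ssp-hours>`.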
Fix Text (F-101403r1_fix)
Run the below command to set the desired expiry time.

Example:
docker swarm update --cert-expiry 48h