
Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).


Overview

Finding ID   Version          Rule ID                 IA Controls   Severity
V-235850     DKER-EE-005080   SV-235850r627677_rule                 Medium
Description
Rotate swarm node certificates as appropriate. Docker Swarm uses mutual TLS for clustering operations among its nodes. Certificate rotation ensures that in an event such as a compromised node or key, it is difficult to impersonate a node. By default, node certificates are rotated automatically every 90 days; the user should rotate them more often, or as appropriate for their environment.
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2021-03-26

Details

Check Text ( C-39069r627675_chk )
Ensure node certificates are rotated as appropriate.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the command below and ensure that the node certificate Expiry Duration is set according to the System Security Plan (SSP).

docker info | grep "Expiry Duration"

If the expiry duration is not set according to the SSP, this is a finding.
Fix Text (F-39032r627676_fix)
Run the command below, substituting the expiry duration required by the SSP.

Example:
docker swarm update --cert-expiry 48h
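As an added example (not part of the STIG text), the following POSIX shell script automates the check above: it reads the humanized "Expiry Duration" value that `docker info` prints on a swarm manager, converts it to hours, and compares it with an SSP limit supplied by the caller. The two `docker info` excerpts are constructed samples showing the 90-day default ("3 months") and the value after the fix command above ("2 days"); the function names and the 48-hour SSP limit are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of the "CA Configuration" block printed by `docker info`
# on a swarm manager with the default 90-day node certificate rotation.
SAMPLE_INFO_DEFAULT='CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0'

# Constructed sample of the same block after `docker swarm update --cert-expiry 48h`.
SAMPLE_INFO_48H='CA Configuration:
   Expiry Duration: 2 days
   Force Rotate: 0'

# expiry_hours TEXT: pull the "Expiry Duration" line out of `docker info`
# output and print the value as a whole number of hours. Returns 1 when the
# line is missing (the node is not a swarm member) or the unit is unknown.
# Docker humanizes the duration, so the units seen here are those it emits.
expiry_hours() {
    line=$(printf '%s\n' "$1" | grep "Expiry Duration") || return 1
    value=$(printf '%s\n' "$line" | sed 's/.*Expiry Duration:[[:space:]]*//')
    case "$value" in
        "About an hour") echo 1; return 0 ;;
        *second*|*minute*) echo 0; return 0 ;;   # sub-hour values round down
    esac
    num=$(printf '%s\n' "$value" | awk '{print $1}')
    unit=$(printf '%s\n' "$value" | awk '{print $2}')
    case "$unit" in
        hour|hours)   echo "$num" ;;
        day|days)     echo $((num * 24)) ;;
        week|weeks)   echo $((num * 24 * 7)) ;;
        month|months) echo $((num * 24 * 30)) ;;   # Docker's own 30-day month
        year|years)   echo $((num * 24 * 365)) ;;
        *) return 1 ;;
    esac
}

# check_cert_expiry TEXT MAX_HOURS: exit 0 when the configured expiry is within
# the SSP limit, 1 when it exceeds it (a finding), 2 when it cannot be read.
check_cert_expiry() {
    hours=$(expiry_hours "$1") || { echo "Expiry Duration not found"; return 2; }
    if [ "$hours" -le "$2" ]; then
        echo "compliant: node certificates expire after ${hours}h (SSP limit $2h)"
        return 0
    fi
    echo "finding: node certificates expire after ${hours}h, SSP limit is $2h"
    return 1
}

# Assumed SSP limit of 48 hours, checked against both constructed samples.
check_cert_expiry "$SAMPLE_INFO_DEFAULT" 48
check_cert_expiry "$SAMPLE_INFO_48H" 48
```

On a real manager, run `check_cert_expiry "$(docker info 2>/dev/null)" 48` from a UCP client bundle session.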