turbot/docker_compliance
GitHub
Loading controls...

Control: 7.7 Ensure that node certificates are rotated as appropriate

Description

You should rotate swarm node certificates in line with your organizational security policy.

Docker Swarm uses TLS for clustering operations between its nodes. Certificate rotation ensures that in an event such as a compromised node or key, it is difficult to impersonate a node. By default, node certificates are rotated every 90 days, but you should rotate them more often or as appropriate in your environment.

Remediation

You should run the command to set the desired expiry time on the node certificate. For example:

docker swarm update --cert-expiry 48h

Default Value

By default, node certificates are rotated automatically every 90 days.

Usage

Run the control in your terminal:

steampipe check docker_compliance.control.cis_v160_7_7

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share docker_compliance.control.cis_v160_7_7

SQL

This control uses a named query:

docker_info_swarm_node_cert_expiry_set

Tags