Use files, branches, or tags for mod dependencies →
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 7.5 Ensure that swarm manager is run in auto-lock mode

Description

You should review whether you wish to run Docker swarm manager in auto-lock mode.

When Docker restarts, both the TLS key used to encrypt communication among swarm nodes, and the key used to encrypt and decrypt Raft logs on disk, are loaded into each manager node's memory. You could protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest. This protection could be enabled by initializing the swarm with the --autolock flag.

With --autolock enabled, when Docker restarts, you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was initialized.

This has benefits in a high security environment, however these should be balanced against the support issues caused by the swarm not starting automatically if, for example the host were to experience an outage.

Remediation

If you are initializing a swarm, use the command below.

docker swarm init --autolock

If you want to set --autolock on an existing swarm manager node, use the following command.

docker swarm update --autolock

Default Value

By default, the swarm manager does not run in auto-lock mode.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_7_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_7_5 --share

SQL

This control uses a named query:

docker_info_swarm_manager_auto_lock_mode

Tags

category = Compliance
cis = true
cis_item_id = 7.5
cis_level = 1
cis_section_id = 7
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker