v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 7.7 Ensure that node certificates are rotated as appropriate

Description

You should rotate swarm node certificates in line with your organizational security policy.

Docker Swarm uses TLS for clustering operations between its nodes. Certificate rotation ensures that in an event such as a compromised node or key, it is difficult to impersonate a node. By default, node certificates are rotated every 90 days, but you should rotate them more often or as appropriate in your environment.

Remediation

You should run the command to set the desired expiry time on the node certificate. For example:

docker swarm update --cert-expiry 48h

Default Value

By default, node certificates are rotated automatically every 90 days.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_7_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_7_7 --share

SQL

This control uses a named query:

docker_info_swarm_node_cert_expiry_set

Tags

category = Compliance
cis = true
cis_item_id = 7.7
cis_level = 1
cis_section_id = 7
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker