turbot/steampipe-mod-docker-compliance

Control: 7.7 Ensure that node certificates are rotated as appropriate

Description

You should rotate swarm node certificates in line with your organizational security policy.

Docker Swarm uses TLS for clustering operations between its nodes. Certificate rotation ensures that, in the event of a compromised node or key, it is difficult to impersonate a node. By default, node certificates are rotated every 90 days, but you should rotate them more often or as appropriate in your environment.

Remediation

Run the following command to set the desired expiry time on the node certificates. For example:

docker swarm update --cert-expiry 48h

Default Value

By default, node certificates are rotated automatically every 90 days.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_7_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_7_7 --share

SQL

This control uses a named query:

select
  id as resource,
  case
    when swarm -> 'Cluster' -> 'Spec' -> 'CaConfig' ->> 'NodeCertExpiry' is null then 'alarm'
    else 'ok'
  end as status,
  case
    when swarm -> 'Cluster' -> 'Spec' -> 'CaConfig' ->> 'NodeCertExpiry' is null then name || ' node cert expiry not set.'
    else name || ' node cert expiry set.'
  end as reason,
  _ctx ->> 'connection_name' as connection_name
from
  docker_info;
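Added example, not part of the mod: the same check as the named query above, evaluated in Python over the JSON that `docker info --format '{{json .}}'` prints, plus an optional maximum-expiry threshold, since the query only tests that NodeCertExpiry is set, not how long the certificates live. The key names in the constructed samples follow the Docker CLI's JSON output, where the value is a duration in nanoseconds.

```python
"""CIS Docker 7.7 check: is the swarm node certificate expiry set, and is it short enough?"""
from typing import Optional, Tuple

NANOS_PER_HOUR = 3_600 * 1_000_000_000


def node_cert_expiry_hours(info: dict) -> Optional[float]:
    """Return Swarm.Cluster.Spec.CAConfig.NodeCertExpiry in hours, or None if absent.

    Any missing level (for example a host that is not part of a swarm, where
    `Cluster` is omitted) yields None, matching the query's `is null` branch.
    """
    node = info
    for key in ("Swarm", "Cluster", "Spec", "CAConfig", "NodeCertExpiry"):
        if not isinstance(node, dict) or node.get(key) is None:
            return None
        node = node[key]
    return node / NANOS_PER_HOUR


def evaluate(info: dict, name: str, max_hours: Optional[float] = None) -> Tuple[str, str]:
    """Return (status, reason) in the same shape the control's query produces.

    max_hours is the organisational ceiling (e.g. 48 for the remediation above);
    when given, a configured expiry above it is reported as 'alarm' as well.
    """
    hours = node_cert_expiry_hours(info)
    if hours is None:
        return "alarm", f"{name} node cert expiry not set."
    if max_hours is not None and hours > max_hours:
        return "alarm", f"{name} node cert expiry {hours:g}h exceeds policy maximum {max_hours:g}h."
    return "ok", f"{name} node cert expiry set."


# Constructed sample: subtree of `docker info --format '{{json .}}'` on a manager
# running with the Docker default of 90 days (90 * 24h = 2160h in nanoseconds).
SAMPLE_MANAGER = {"Name": "manager-1", "Swarm": {"LocalNodeState": "active",
                  "Cluster": {"Spec": {"CAConfig": {"NodeCertExpiry": 7_776_000_000_000_000}}}}}
# Constructed sample: a standalone engine, not joined to any swarm.
SAMPLE_STANDALONE = {"Name": "host-2", "Swarm": {"LocalNodeState": "inactive"}}

if __name__ == "__main__":
    for sample in (SAMPLE_MANAGER, SAMPLE_STANDALONE):
        print(evaluate(sample, sample["Name"], max_hours=48))
```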

Tags