Node certificates are rotated as appropriate

docker

Classification:

compliance

Framework:

cis-docker

Control:

7.8


Description

You should rotate swarm node certificates in line with your organizational security policy.

Rationale

Docker Swarm uses TLS for clustering operations between its nodes. Rotating node certificates limits how long a compromised node or key can be used to impersonate a node, because the stolen credential expires at the next rotation. By default, node certificates are rotated every 90 days, but you should rotate them more often where your environment requires it.

Audit

Run one of the commands below and confirm that the node certificate expiry duration matches your organizational policy:

docker info | grep "Expiry Duration"
docker info --format 'NodeCertExpiry: {{ .Swarm.Cluster.Spec.CAConfig.NodeCertExpiry }}'

Remediation

Run docker swarm update --cert-expiry with the desired expiry duration for node certificates. For example: docker swarm update --cert-expiry 48h
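The audit and remediation steps above can be wrapped in a small check script. The following is an added example, not part of the CIS benchmark or the Docker documentation; it parses the Go-style duration that docker info prints for NodeCertExpiry (for example 2160h0m0s for the 90-day default) and compares it with a maximum allowed by policy. The 720-hour (30-day) threshold is an assumed policy value, not one the benchmark prescribes.

```shell
#!/bin/sh
# Added example: audit the swarm NodeCertExpiry against a policy maximum.
# Assumes the script runs on an active swarm manager with the docker CLI.

# Convert a Go duration string such as "2160h0m0s" or "48h0m0s" to whole hours.
# Sub-hour values ("30m0s") count as 0 hours; anything else is rejected.
duration_to_hours() {
  case "$1" in
    [0-9]*h*)    printf '%s\n' "${1%%h*}" ;;
    [0-9]*[ms]*) printf '0\n' ;;
    *) echo "unrecognised duration: $1" >&2; return 1 ;;
  esac
}

# Return 0 when the expiry duration ($1) is within the policy maximum in hours ($2),
# 1 when it exceeds it, 2 when the value could not be parsed.
check_cert_expiry() {
  hours=$(duration_to_hours "$1") || return 2
  [ "$hours" -le "$2" ]
}

# Live audit: read NodeCertExpiry from docker info and report PASS/FAIL.
# The --format template errors on a node that is not a swarm manager, so that
# case is reported separately instead of being treated as a pass.
audit_node_cert_expiry() {
  max_hours="${1:-720}"   # assumed policy threshold: 720h = 30 days
  expiry=$(docker info --format '{{ .Swarm.Cluster.Spec.CAConfig.NodeCertExpiry }}' 2>/dev/null) || {
    echo "ERROR: could not read NodeCertExpiry (run on an active swarm manager)" >&2
    return 2
  }
  if check_cert_expiry "$expiry" "$max_hours"; then
    echo "PASS: NodeCertExpiry=$expiry (<= ${max_hours}h)"
  else
    echo "FAIL: NodeCertExpiry=$expiry exceeds ${max_hours}h"
    echo "      remediate with: docker swarm update --cert-expiry ${max_hours}h"
    return 1
  fi
}

# Run the live audit only when a threshold is given on the command line,
# e.g. `sh check_cert_expiry.sh 720`; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
  audit_node_cert_expiry "$1"
fi
```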

Impact

None

Default value

By default, node certificates are rotated automatically every 90 days.

References

  1. https://docs.docker.com/engine/reference/commandline/swarm_update/#examples

CIS controls

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.