CA certificates are rotated as appropriate

docker

Classification: compliance

Framework: cis-docker

Control: 7.9


Description

You should rotate root CA certificates as appropriate.

Rationale

Docker Swarm uses TLS for clustering operations between its nodes. Certificate rotation ensures that in an event such as a compromised node or key, it is difficult to impersonate a node. Node certificates depend upon root CA certificates. For operational security, it is important to rotate these frequently. Currently, root CA certificates are not rotated automatically and you should therefore establish a process for rotating them in line with your organizational security policy.

Audit

Check the time stamp on the root CA certificate file:

ls -l /var/lib/docker/swarm/certificates/swarm-root-ca.crt

The certificate should show a time stamp in line with the organizational rotation policy.
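The audit above compares the file's time stamp against the rotation policy by eye. The script below is an added example, not part of the CIS benchmark or Docker's own tooling: it turns that check into a function that returns non-zero when the file is older than a policy threshold, so it can run from cron or a compliance agent. The 90-day window, the temporary demo files and the 2020 time stamp are constructed for illustration; the real file is the /var/lib/docker/swarm/certificates/swarm-root-ca.crt path from the audit step. The optional openssl cross-check is an assumption added here because a file time stamp can be misleading after a restore from backup; it is only used when openssl is installed.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Docker docs): flag a Swarm root
# CA certificate file whose modification time is older than the rotation
# period allowed by policy.

# ca_needs_rotation FILE MAX_DAYS
#   returns 0 and prints OK      if FILE was modified within MAX_DAYS days
#   returns 1 and prints ROTATE  if FILE is older than MAX_DAYS days
#   returns 2 and prints MISSING if FILE does not exist
# find(1) -mtime is POSIX, so this works on both GNU and BSD userland
# without depending on the differing stat(1) flags.
ca_needs_rotation() {
    file=$1
    max_days=$2
    [ -f "$file" ] || { echo "MISSING: $file" >&2; return 2; }
    if [ -n "$(find "$file" -mtime +"$max_days" -print 2>/dev/null)" ]; then
        echo "ROTATE: $file was modified more than $max_days days ago"
        return 1
    fi
    echo "OK: $file is within the $max_days-day rotation window"
    return 0
}

# ca_not_before FILE
#   Prints the certificate's notBefore date when openssl is available, as a
#   cross-check on the file time stamp (assumption: a copied or restored file
#   keeps the original issue date inside the certificate even if its mtime
#   changed). Prints nothing if openssl is not installed or FILE is not a
#   PEM certificate.
ca_not_before() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -noout -startdate -in "$1" 2>/dev/null | sed 's/^notBefore=//'
}

# Demo on constructed files so the script runs offline: one fresh file and
# one dated 1 January 2020 (touch -t CCYYMMDDhhmm is POSIX).
demo_dir=$(mktemp -d)
touch "$demo_dir/fresh-root-ca.crt"
touch -t 202001010000 "$demo_dir/stale-root-ca.crt"
ca_needs_rotation "$demo_dir/fresh-root-ca.crt" 90 || true
ca_needs_rotation "$demo_dir/stale-root-ca.crt" 90 || true
rm -rf "$demo_dir"

# In production, substitute the audited path and your policy threshold:
#   ca_needs_rotation /var/lib/docker/swarm/certificates/swarm-root-ca.crt 90
#   ca_not_before     /var/lib/docker/swarm/certificates/swarm-root-ca.crt
```

The exit code is the useful part: a non-zero result from the first function is what a scheduler or monitoring check should alert on, while the printed line is only for the operator reading the log.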

Remediation

Rotate the root CA certificate by running the following command: docker swarm ca --rotate

Impact

None

Default value

By default, root CA certificates are not rotated.

References

  1. https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/#rotating-the-ca-certificate

CIS controls

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.