7.8 Ensure node certificates are rotated as appropriate

Information

Rotate swarm node certificates as appropriate.
Rationale:
Docker Swarm uses mutual TLS for clustering operations amongst its nodes. Certificate rotation ensures that in an event such as compromised node or key, it is difficult to impersonate a node. By default, node certificates are rotated every 90 days. You should rotate it more often or as appropriate in your environment.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the below command to set the desired expiry time.
For example,
docker swarm update --cert-expiry 48h
Impact:
None
Default Value:
By default, node certificates are rotated automatically every 90 days.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12, CSCv6|14.2

Plugin: Unix

Control ID: d3a75b2e387f51efb17a2877b905ba285bf27979332261aff37904f5cccd770a