
V-235848

CAT II (Medium)

Docker Swarm must have the minimum number of manager nodes.

Rule ID

SV-235848r961863_rule

STIG

Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000366

Discussion

Ensure that the minimum number of required manager nodes is created in a swarm. Manager nodes within a swarm have control over the swarm and can change its configuration, modifying security parameters. Having excessive manager nodes could render the swarm more susceptible to compromise. If fault tolerance is not required in the manager nodes, a single node should be elected as a manager. If fault tolerance is required, then the smallest practical odd number to achieve the appropriate level of tolerance should be configured.

Check Content

Ensure the correct range of manager nodes have been created in a swarm.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the following command.
docker info --format '{{ .Swarm.Managers }}' 

Alternatively run the below command.

docker node ls | grep 'Leader'

Ensure the number of leaders is between 1 and 3. If the number of leaders is not 1, 2 or 3, this is a finding.
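
The check above as a script, added here as an example and not part of the STIG text. It classifies the count returned by `docker info --format '{{ .Swarm.Managers }}'` and flags the two-manager case, which passes the check but, under Raft's (N-1)/2 quorum rule, survives no more manager failures than one manager does. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate a manager count against
# the V-235848 check and the odd-number guidance in the Discussion.

# Manager failures a Raft quorum of N managers survives: (N-1)/2.
fault_tolerance() {
    echo $(( ($1 - 1) / 2 ))
}

# Print the result for a manager count:
#   error              - not a plain decimal integer (e.g. empty output)
#   finding            - count is not 1, 2 or 3
#   not_a_finding      - count is 1 or 3
#   not_a_finding_even - count is 2: passes the check, but tolerates no
#                        more failures than a single manager
evaluate_manager_count() {
    case "$1" in
        ''|*[!0-9]*|0?*) echo "error"; return 0 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 3 ]; then
        echo "finding"
    elif [ $(( $1 % 2 )) -eq 0 ]; then
        echo "not_a_finding_even"
    else
        echo "not_a_finding"
    fi
}

# Run the check against a live swarm (needs the docker CLI and a UCP
# client bundle). Defined only; call check_swarm_managers to run it.
check_swarm_managers() {
    managers=$(docker info --format '{{ .Swarm.Managers }}') || return 2
    result=$(evaluate_manager_count "$managers")
    if [ "$result" = "error" ]; then
        echo "could not read manager count: '$managers'"
        return 2
    fi
    echo "managers=$managers tolerance=$(fault_tolerance "$managers") result=$result"
    [ "$result" != "finding" ]
}
```
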

Fix Text

If an excessive number of managers is configured, the excess can be demoted to worker using the following command:

docker node demote <ID> 
Where <ID> is the node ID value of the manager to be demoted.