Hardening Features
Customize how your workloads are hardened
RapidFort offers several hardening presets for customizing how your workloads are hardened.
- Light: Remove unused packages with high and critical severity vulnerabilities. This will keep unused packages with medium, low, and unknown severity vulnerabilities.
rfharden <stub_image> --preset light
- Standard: Remove unused packages with known vulnerabilities. This will keep unused packages with no known vulnerabilities.
rfharden <stub_image> --preset standard
- Aggressive (default): Remove all unused packages. Use it or lose it!
rfharden <stub_image> --preset aggressive
The latest Redis image from Docker Hub has 81 vulnerabilities and has a size of 116.8 MB. After profiling the runtime behavior of the application, the image was hardened with each preset.
| Preset | Vulnerabilities | % Reduction (vulnerabilities) | Hardened Size | % Reduction (size) |
|---|---|---|---|---|
| light | 26 | 67.9 % | 56.2 MB | 51.9 % |
| standard | 8 | 90.1 % | 42.9 MB | 63.3 % |
| aggressive | 8 | 90.1 % | 25.8 MB | 77.9 % |
You may harden a stub image as many times as necessary, so if a preset does not fit your needs, simply harden the stub image again using a different preset.
In combination with a hardening preset, you may specify any or all of the following features:
- Keep Data Files: Keep all files that are not executable.
rfharden <stub_image> --keep-data-files
- Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
rfharden <stub_image> --keep-pkgs-coherent
A hardening preset may be used in combination with a hardening profile file.
rfharden <stub_image> --preset <preset> --profile </path/to/profile/file>
Step 1.1: Pull the Debian Image
Pull the latest Debian image from Docker Hub.
docker pull debian:latest
Step 1.2: Generate a Stub Image
rfstub debian:latest
Step 1.3: Run the Stub Image
Run the stub image. Be sure to add the SYS_PTRACE Linux kernel capability, which the runtime tracing in the next step relies on.
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
Step 1.4: Test the Stub Image
Test the stub image so that RapidFort can trace the runtime behavior and generate the runtime profile.
Executing this command in the stub image will ensure that ls -lrta is preserved in the hardened image, so we can use it to verify files in our hardened image later.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
Step 1.5: Stop the Running Stub Instance
docker stop rf-test
Step 2.1: Harden with the light option
Light hardening will remove unused packages with critical and high severity vulnerabilities and keep unused packages with medium, low, and unknown severity vulnerabilities, as well as all used packages and files.
Specify --preset light to harden using the light hardening preset.
rfharden --preset light debian:latest-rfstub
Step 2.2: Verify package files are in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With light hardening, the unused package libsepol1 is expected to still be present in the hardened image since it has only low severity vulnerabilities. Run the following command to verify that its files have been preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return a listing entry for usr/share/doc/libsepol1/copyright.
Step 3.1: Harden with the standard option
Standard hardening will remove unused packages with known vulnerabilities and keep unused packages with no known vulnerabilities, as well as all used packages and files.
Specify --preset standard to harden using the standard hardening preset.
rfharden --preset standard debian:latest-rfstub
Step 3.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With standard hardening, the unused package libsepol1 is expected to have been removed from the hardened image since it has known vulnerabilities. Run the following command to verify that its files have been removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return an error ending in No such file or directory.
Step 3.3: Verify package files are in the hardened image
With standard hardening, the unused package libcrypt1 is expected to still be present in the hardened image since it has no known vulnerabilities. Run the following command to verify that its files have been preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return a listing entry for usr/share/doc/libcrypt1/copyright.
Step 4.1: Harden with the aggressive option
Aggressive hardening, which is the default hardening preset, will remove all unused packages and keep all used packages and files.
Specify --preset aggressive to harden using the aggressive hardening preset, or omit the preset entirely since aggressive is the default.
rfharden --preset aggressive debian:latest-rfstub
or
rfharden debian:latest-rfstub
Step 4.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With aggressive hardening, the unused package libcrypt1 is expected to have been removed from the hardened image since it was not used during runtime tracing. Run the following command to verify that its files have been removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return an error ending in No such file or directory.
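Steps 2.2, 3.2, 3.3 and 4.2 are the same check with different expectations per preset: which of the two inspected package files should survive and which should be gone. The script below is an added example, not RapidFort's own tooling: it encodes those expectations for libsepol1 and libcrypt1, exports the hardened image's filesystem with docker create/export (an assumption about how you want to inspect it; it avoids running the image and the -it flags, which fail in a non-interactive CI shell), and fails if any expectation does not hold. The light-preset expectation that libcrypt1 is also kept is inferred from light removing only a subset of what standard removes; the verify.sh name and RF_IMAGE/RF_PRESET variables are hypothetical.

```shell
#!/bin/sh
# Added example (not RapidFort's own tooling): gate a CI job on the package
# files a hardening preset is expected to keep and remove. Assumes docker is
# on PATH for export_rootfs; nothing here invokes rfstub or rfharden.

# The two package files the tutorial inspects.
LIBSEPOL=usr/share/doc/libsepol1/copyright
LIBCRYPT=usr/share/doc/libcrypt1/copyright

# expectations PRESET: prints "<paths expected present>|<paths expected absent>".
# light keeps libsepol1 (only low-severity CVEs) and, since light removes a
# subset of what standard removes, libcrypt1 too (assumption, see lead-in).
expectations() {
    case "$1" in
        light)      echo "$LIBSEPOL $LIBCRYPT|" ;;
        standard)   echo "$LIBCRYPT|$LIBSEPOL" ;;
        aggressive) echo "|$LIBSEPOL $LIBCRYPT" ;;
        *) echo "unknown preset: $1" >&2; return 1 ;;
    esac
}

# check_paths ROOT PRESENT ABSENT: ROOT is a directory holding the image's
# filesystem; PRESENT/ABSENT are space-separated relative paths. Prints one
# line per path and returns 0 only if every expectation holds.
check_paths() {
    root=$1; present=$2; absent=$3; rc=0
    for p in $present; do
        if [ -e "$root/$p" ]; then echo "ok   present       $p"
        else echo "FAIL missing       $p"; rc=1; fi
    done
    for p in $absent; do
        if [ -e "$root/$p" ]; then echo "FAIL still present $p"; rc=1
        else echo "ok   absent        $p"; fi
    done
    return $rc
}

# verify_preset PRESET ROOT: look up the preset's expectations and check them.
verify_preset() {
    spec=$(expectations "$1") || return 1
    check_paths "$2" "${spec%%|*}" "${spec#*|}"
}

# export_rootfs IMAGE DIR: flatten IMAGE into DIR without starting a
# container, so the files can be inspected by plain shell tests.
export_rootfs() {
    cid=$(docker create "$1") || return 1
    mkdir -p "$2" && docker export "$cid" | tar -C "$2" -xf -
    docker rm "$cid" >/dev/null
}

# Usage (runs only when RF_IMAGE is set, so sourcing the file is side-effect free):
#   RF_IMAGE=debian:latest-rfhardened RF_PRESET=standard sh verify.sh
if [ -n "${RF_IMAGE:-}" ]; then
    dir=$(mktemp -d)
    export_rootfs "$RF_IMAGE" "$dir" && verify_preset "${RF_PRESET:-aggressive}" "$dir"
    status=$?
    rm -rf "$dir"
    exit $status
fi
```

Because the check reads an exported filesystem rather than executing ls inside the container, it gives the same answer whether or not ls itself survived hardening, which matters if a future run exercises the stub without the ls -lrta call from Step 1.4.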
To customize how your workloads are hardened, you can specify a hardening preset.
- Light: Remove unused packages with high and critical severity vulnerabilities.
- Standard: Remove unused packages with known vulnerabilities.
- Aggressive (default): Remove all unused packages and files.
You can also specify any or all of the following hardening features in combination with a hardening preset:
- Keep Data Files: Keep all files that are not executable.
rfharden <stub_image> --keep-data-files
- Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
rfharden <stub_image> --keep-pkgs-coherent
Next, we will go through the Keep Data Files and Keep Packages Coherent hardening features.