Hardening Features

Customize how your workloads are hardened

Overview

RapidFort offers several hardening presets for customizing how your workloads are hardened.
  • Light: Remove unused packages with high and critical severity vulnerabilities. This will keep unused packages with medium, low, and unknown severity vulnerabilities.
    • rfharden <stub_image> --preset light
  • Standard: Remove unused packages with known vulnerabilities. This will keep unused packages with no known vulnerabilities.
    • rfharden <stub_image> --preset standard
  • Aggressive (default): Remove all unused packages. Use it or lose it!
    • rfharden <stub_image> --preset aggressive

Comparing Hardening Presets

The latest Redis image from Docker Hub has 81 vulnerabilities and has a size of 116.8 MB. After profiling the runtime behavior of the application, the image was hardened with each preset.
Preset      | Vulnerabilities | % Reduction | Hardened Size | % Reduction
light       | 26              | 67.9 %      | 56.2 MB       | 51.9 %
standard    | 8               | 90.1 %      | 42.9 MB       | 63.3 %
aggressive  | 8               | 90.1 %      | 25.8 MB       | 77.9 %
You may harden a stub image as many times as necessary, so if a preset does not fit your needs, simply harden the stub image again using a different preset.

More Hardening Features

In combination with a hardening preset, you may specify any or all of the following features:
  • Keep Data Files: Keep all files that are not executable.
    • rfharden <stub_image> --keep-data-files
  • Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
    • rfharden <stub_image> --keep-pkgs-coherent

Hardening Profile Files

A hardening preset may be used in combination with a hardening profile file.
rfharden <stub_image> --preset <preset> --profile </path/to/profile/file>

Tutorial: Comparing Hardening Features

Part 1: Generate and Exercise the Stub Image

Step 1.1: Pull the Debian Image
Pull the latest Debian image from Docker Hub.
docker pull debian:latest
Step 1.2: Generate a Stub Image
rfstub debian:latest
Step 1.3: Run the Stub Image
Run the stub image. Be sure to add the SYS_PTRACE Linux kernel capability.
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
Step 1.4: Test the Stub Image
Test the stub image so that RapidFort can trace the runtime behavior and generate the runtime profile.
Executing this command in the stub image ensures that ls -lrta is recorded as used and therefore preserved in the hardened image, so we can use it later to verify files in the hardened image.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
Step 1.5: Stop the Running Stub Instance
docker stop rf-test

Part 2: Light Hardening

Step 2.1: Harden with the light option
Light hardening will remove unused packages with critical and high severity vulnerabilities and keep unused packages with medium, low, and unknown severity vulnerabilities as well as all used packages and files.
Specify --preset light to harden using the light hardening preset.
rfharden --preset light debian:latest-rfstub
Step 2.2: Verify package files are in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With light hardening, the unused package libsepol1 is expected to still be present in the hardened image since it has only low severity vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will list usr/share/doc/libsepol1/copyright, confirming the file was kept.

Part 3: Standard Hardening

Step 3.1: Harden with the standard option
Standard hardening will remove unused packages with known vulnerabilities and keep packages with no known vulnerabilities as well as all used packages and files.
Specify --preset standard to harden using the standard hardening preset.
rfharden --preset standard debian:latest-rfstub
Step 3.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With standard hardening, the unused package libsepol1 is expected to have been removed from the hardened image since it has known vulnerabilities.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will fail with No such file or directory, confirming the file was removed.
Step 3.3: Verify package files are in the hardened image
With standard hardening, the unused package libcrypt1 is expected to still be present in the hardened image since it has no known vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will list usr/share/doc/libcrypt1/copyright, confirming the file was kept.

Part 4: Aggressive Hardening

Step 4.1: Harden with the aggressive option
Aggressive hardening, which is the default hardening preset, will remove all unused packages and keep all used packages and files.
Specify --preset aggressive to harden using the aggressive hardening preset.
rfharden --preset aggressive debian:latest-rfstub
or
rfharden debian:latest-rfstub
Step 4.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With aggressive hardening, the unused package libcrypt1 is expected to have been removed from the hardened image since it was not used during runtime tracing.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will fail with No such file or directory, confirming the file was removed.
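The file checks in Parts 2, 3 and 4 can be automated so that a hardened image is verified against the outcome each preset is expected to produce. The script below is an added example, not RapidFort's own tooling; it runs the same ls -lrta check the tutorial uses inside a throwaway container, and the expected outcomes are only those the tutorial states. The simulated runner is a constructed test double so the logic can be exercised without Docker.

```python
"""Verify a hardened image against the tutorial's per-preset file expectations."""
import subprocess
import sys
from typing import Callable, Dict, List, Set

# Outcomes stated in the tutorial (True = file expected to be present).
EXPECTED: Dict[str, Dict[str, bool]] = {
    "light": {"usr/share/doc/libsepol1/copyright": True},
    "standard": {
        "usr/share/doc/libsepol1/copyright": False,
        "usr/share/doc/libcrypt1/copyright": True,
    },
    "aggressive": {"usr/share/doc/libcrypt1/copyright": False},
}

Runner = Callable[[List[str]], int]  # argv -> exit status


def docker_exit_status(argv: List[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(argv, capture_output=True).returncode


def simulated_runner(present: Set[str]) -> Runner:
    """Test double (constructed): pretend the image contains exactly `present`."""
    def run(argv: List[str]) -> int:
        path = argv[-1].split()[-1]          # last word of "ls -lrta <path>"
        return 0 if path in present else 2   # ls exits non-zero when missing
    return run


def file_present(image: str, path: str, run: Runner = docker_exit_status) -> bool:
    """True if `ls -lrta <path>` succeeds in a fresh container of `image`.
    Same ls invocation the tutorial exercised, so it survives hardening;
    -it is dropped because this runs non-interactively."""
    argv = ["docker", "run", "--rm", image, "bash", "-c", f"ls -lrta {path}"]
    return run(argv) == 0


def verify_preset(image: str, preset: str, run: Runner = docker_exit_status) -> Dict[str, str]:
    """Return {path: reason} for every expectation the image violates; {} means pass."""
    mismatches: Dict[str, str] = {}
    for path, should_exist in EXPECTED[preset].items():
        actual = file_present(image, path, run)
        if actual != should_exist:
            mismatches[path] = "unexpectedly present" if actual else "unexpectedly missing"
    return mismatches


if __name__ == "__main__":
    chosen = sys.argv[1] if len(sys.argv) > 1 else "aggressive"
    problems = verify_preset("debian:latest-rfhardened", chosen)
    print("PASS" if not problems else problems)
```

Run it as `python verify.py standard` after each rfharden invocation; a non-empty result means the image does not match what that preset should have kept or removed.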

Review

To customize how your workloads are hardened, you can specify a hardening preset.
  • Light: Remove unused packages with high and critical severity vulnerabilities.
  • Standard: Remove unused packages with known vulnerabilities.
  • Aggressive (default): Remove all unused packages and files.
You can also specify any or all of the following hardening features in combination with a hardening preset:
  • Keep Data Files: Keep all files that are not executable.
    • rfharden <stub_image> --keep-data-files
  • Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
    • rfharden <stub_image> --keep-pkgs-coherent
Next, we will go through the Keep Data Files and Keep Packages Coherent hardening features.