Hardening Features
Customize how your workloads are hardened

Overview

RapidFort offers several hardening profile presets for customizing how your workloads are hardened.
  • Light: Remove unused packages with high and critical severity vulnerabilities. This will keep unused packages with medium, low, and unknown severity vulnerabilities.
  • Standard: Remove unused packages with known vulnerabilities. This will keep unused packages with no known vulnerabilities.
  • Aggressive: Remove all unused packages and files. Use it or lose it! This is the default preset.
In addition to these presets, you may specify any or all of the following options:
  • Keep Data Files: Keep all files that are not executable.
  • Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
Hardening will always preserve all used files and packages. For best results, please ensure that all required functionality is exercised when deploying the stub image so that RapidFort can generate an accurate runtime profile.
You may harden a stub image as many times as necessary, so if a preset does not fit your needs, simply harden the stub image again using a different preset.
To specify a custom hardening profile file instead of using a preset, specify -p <path_to_profile_file>:
rfharden <stub_image> -p /path/to/profile_file

Usage

  • Light: To use light hardening, specify -p light:
    • rfharden <stub_image> -p light
  • Standard: To use standard hardening, specify -p standard:
    • rfharden <stub_image> -p standard
  • Aggressive (default): To use aggressive hardening, specify -p aggressive:
    • rfharden <stub_image> -p aggressive
  • Keep Data Files: To keep data files, specify --keep-data-files:
    • rfharden <stub_image> -p light --keep-data-files
    • rfharden <stub_image> -p standard --keep-data-files
    • rfharden <stub_image> -p aggressive --keep-data-files
    • You may also specify --keep-data-files in combination with --keep-pkgs-coherent.
  • Keep Packages Coherent: To keep packages coherent, specify --keep-pkgs-coherent:
    • rfharden <stub_image> -p light --keep-pkgs-coherent
    • rfharden <stub_image> -p standard --keep-pkgs-coherent
    • rfharden <stub_image> -p aggressive --keep-pkgs-coherent
    • You may also specify --keep-pkgs-coherent in combination with --keep-data-files.

Tutorial: Comparing Hardening Features

Part 1: Generate and Exercise the Stub Image

Step 1.1: Pull the Debian Image
Pull the latest Debian image from Docker Hub.
docker pull debian:latest
Step 1.2: Generate a Stub Image
rfstub debian:latest
Step 1.3: Run the Stub Image
Run the stub image. Be sure to add the SYS_PTRACE Linux kernel capability, which RapidFort's runtime tracing requires.
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
Step 1.4: Test the Stub Image
Test the stub image so that RapidFort can trace the runtime behavior and generate the runtime profile.
Running this command inside the stub image exercises ls, so ls -lrta is preserved in the hardened image and can be used later to verify which files survived hardening.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
Step 1.5: Stop the Running Stub Instance
docker stop rf-test

Part 2: Light Hardening

Step 2.1: Harden with the light option
Light hardening will remove unused packages with critical and high severity vulnerabilities. It keeps unused packages with medium, low, and unknown severity vulnerabilities, as well as all used packages and files.
Specify -p light to harden using the light hardening preset.
rfharden -p light debian:latest-rfstub
Step 2.2: Verify package files are in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With light hardening, the unused package libsepol1 is expected to still be present in the hardened image since it has only low severity vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return usr/share/doc/libsepol1/copyright.

Part 3: Standard Hardening

Step 3.1: Harden with the standard option
Standard hardening will remove unused packages with known vulnerabilities. It keeps unused packages with no known vulnerabilities, as well as all used packages and files.
Specify -p standard to harden using the standard hardening preset.
rfharden -p standard debian:latest-rfstub
Step 3.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With standard hardening, the unused package libsepol1 is expected to have been removed from the hardened image since it has known vulnerabilities.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return No such file or directory.
Step 3.3: Verify package files are in the hardened image
With standard hardening, the unused package libcrypt1 is expected to still be present in the hardened image since it has no known vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return usr/share/doc/libcrypt1/copyright.

Part 4: Aggressive Hardening

Step 4.1: Harden with the aggressive option
Aggressive hardening, which is the default hardening preset, will remove all unused packages and keep all used packages and files.
Specify -p aggressive to harden using the aggressive hardening preset.
rfharden -p aggressive debian:latest-rfstub
or
rfharden debian:latest-rfstub
Step 4.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With aggressive hardening, the unused package libcrypt1 is expected to have been removed from the hardened image since it was not used during runtime tracing.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return No such file or directory.
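The script below is an added example, not RapidFort's own code or part of this tutorial. It encodes the preset rules from the Overview (light, standard, aggressive; used packages always kept) in a small shell function, and then optionally repeats Parts 2 through 4 against a real stub image, printing the expected and observed state of the two marker files the tutorial checks. The severities it assigns (libsepol1: low, libcrypt1: none) are the ones this page states; the image names, the RUN_RF_COMPARISON switch, and the function names are assumptions made for the example. Running it with RUN_RF_COMPARISON=1 requires docker, rfharden, and a stub image that was already exercised as in Part 1.

```shell
#!/bin/sh
# Added example (not RapidFort's code): model the documented preset semantics
# and, optionally, run the tutorial's preset comparison against a stub image.
set -eu

# expect_removed PRESET USED SEVERITY
#   PRESET   : light | standard | aggressive
#   USED     : yes | no  (was any file of the package touched at runtime?)
#   SEVERITY : highest severity among the package's known vulnerabilities:
#              critical | high | medium | low | unknown | none
# Prints "removed" or "kept" according to the preset rules in the Overview.
expect_removed() {
  preset=$1; used=$2; severity=$3
  # Hardening always preserves used packages, whatever the preset.
  if [ "$used" = yes ]; then echo kept; return; fi
  case $preset in
    light)
      case $severity in
        critical|high) echo removed ;;
        *) echo kept ;;   # medium, low, unknown and clean packages stay
      esac ;;
    standard)
      # A vulnerability of unknown severity is still a known vulnerability,
      # so only packages with no known vulnerabilities survive.
      if [ "$severity" = none ]; then echo kept; else echo removed; fi ;;
    aggressive)
      echo removed ;;   # use it or lose it
    *)
      echo "unknown preset: $preset" >&2; return 1 ;;
  esac
}

# probe_file IMAGE PATH -> prints "kept" or "removed", using the same ls-based
# check as the tutorial (ls -lrta was exercised in the stub, so it survives).
probe_file() {
  if docker run --rm "$1" bash -c "ls -lrta '$2'" >/dev/null 2>&1; then
    echo kept
  else
    echo removed
  fi
}

# run_comparison: hardens the stub once per preset and compares the observed
# state of the tutorial's marker files with the expectation from
# expect_removed. Image names follow the tutorial (assumed, not configurable
# here); severities are the ones the tutorial states for each package.
run_comparison() {
  stub=debian:latest-rfstub
  hardened=debian:latest-rfhardened
  mismatches=0
  for p in light standard aggressive; do
    rfharden -p "$p" "$stub"
    for entry in libsepol1:low libcrypt1:none; do
      pkg=${entry%%:*}; sev=${entry##*:}
      expected=$(expect_removed "$p" no "$sev")
      observed=$(probe_file "$hardened" "/usr/share/doc/$pkg/copyright")
      printf '%-10s %-10s expected=%-8s observed=%s\n' \
        "$p" "$pkg" "$expected" "$observed"
      [ "$expected" = "$observed" ] || mismatches=$((mismatches + 1))
    done
  done
  echo "mismatches: $mismatches"
  return "$mismatches"
}

# Only touch docker and rfharden when explicitly asked, so the pure function
# above can be exercised without a RapidFort environment.
if [ "${RUN_RF_COMPARISON:-0}" = 1 ]; then
  run_comparison
fi
```

The comparison loop re-hardens the same stub image for each preset, which mirrors the tutorial's point that a stub can be hardened as many times as needed; a non-zero mismatch count means a package's runtime usage or vulnerability data differs from what the tutorial assumes, and the RapidFort dashboard's Packages view is the place to confirm which it is.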

Review

To customize how your workloads are hardened, you can use a preset or specify a profile file.
  • Light: Remove unused packages with high and critical severity vulnerabilities.
  • Standard: Remove unused packages with known vulnerabilities.
  • Aggressive (default): Remove all unused packages and files. Use it or lose it!
Next, we will go through the Keep Data Files and Keep Packages Coherent hardening options.