R
R
RapidFort User Documentation
Search…
Welcome to RapidFort
RapidFort Support
RapidFort SaaS
RapidFort SaaS Solution
RapidFort On-Premises
RapidFort On-Premises Solution
RapidFort AWS Prerequisites
RapidFort Helm Chart AWS Deployment
RapidFort Standalone AWS Commercial Console Deployment
RapidFort Standalone AWS GovCloud Console Deployment
Using RapidFort
RapidFort Command Line Interface Tools
RapidFort User Interface
RapidFort Service Accounts
Getting Started Guides
Getting Started: Stub and Harden a Docker Image
Getting Started: Stub and Harden a Docker Image with Docker-Compose
Getting Started: Stub and Harden a Docker Image with Kubernetes
Getting Started: Stub and Harden a Docker Image with GitLab
Getting Started: Stub and Harden a Docker Image with Bitbucket
Getting Started: Scan a Docker Image
How To Guides
Add the SYS_PTRACE Linux Kernel Capability
Verify that Profiling Information is Propagated to RapidFort
Download Reports
RapidFort GitLab CI/CD Integration
Using RapidFort with Helm Charts
Scanning with RapidFort
Overview
Registry Configuration
Scanning Images
Scanning Container Registries
Scanning Amazon Elastic Container Registry (ECR) Images
Advanced Features
Workload Tags
Hardening Features
Keep Data Files
Keep Packages Coherent
Hardening Profiles
Powered By GitBook
Keep Packages Coherent
Customize how your workloads are hardened
By default, RapidFort will remove all unused files and packages during hardening.
One way to customize this is by using the hardening option --keep-pkgs-coherent, which keeps all package files for packages with at least one used executable file and helps maintain the integrity of packages.

Tutorial: Keep Packages Coherent

Part 1: Generate and exercise the stub image

Step 1.1: Pull the Debian Docker image
docker pull debian:latest
Step 1.2: Generate a stub image
rfstub debian:latest
Step 1.3: Run the stub image
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
Step 1.4: Test the stub image
Executing this command in the stub image will ensure that ‘ls -lrta’ is preserved, so we can use it to verify files in our hardened image later.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
Step 1.5: Stop the running instance
docker stop rf-test

Part 2: Harden with --keep-pkgs-coherent

Step 2.2: Harden with --keep-pkgs-coherent

rfharden --keep-pkgs-coherent debian:latest-rfstub
Step 2.3: Verify package files in hardened image
Follow the User Interface to Packages>In Use. Since at least 1 file from ‘libpcre 2-8-0’ was used, keeping packages coherent will have kept all of its files. Run the following to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libpcre2-8-0/copyright"
This should return usr/share/doc/libpcre2-8-0/copyright.

Part 3: Harden without --keep-pkgs-coherent

Step 3.1: Harden without --keep-pkgs-coherent

rfharden debian:latest-rfstub

Step 3.2: Verify package files are not in hardened image

Run the following to verify that the libpcre2-8-0 package has had some of its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libpcre2-8-0/copyright"
This should return No such file or directory.

Step 3.3: Verify package files are in hardened image

Run the following to verify that the libpcre2-8.so.0.10.1 package has had some of its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.1"
This should return /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.1.
Previous
Keep Data Files
Next - Advanced Features
Hardening Profiles
Last modified 1mo ago
Copy link
Outline
Tutorial: Keep Packages Coherent
Part 1: Generate and exercise the stub image
Part 2: Harden with --keep-pkgs-coherent
Part 3: Harden without --keep-pkgs-coherent