Hardening Profile Files
Keep files and directories in your hardened images with profile files

By default, when hardening an image, RapidFort removes everything that was not detected as being used while profiling the runtime behavior.
In general, the best way to ensure that your hardened image will contain necessary dependencies is to maximize test coverage when profiling the stub image.
However, this may not always be feasible. Therefore, RapidFort provides the ability to specify files or directories that you would like to keep in the hardened image.
To keep files or directories in the hardened image, create a profile file and provide this when hardening the image.
rfharden <stub_image> -p <profile_file>
Profile files can also be built into your images under the name .rfprofile by adding the following line to your Dockerfile:
FROM myimage:latest
ADD /mydir/myprofile /.rfprofile
The .rfprofile must be added to the base directory of your image in order to be detected.
If an .rfprofile has been added to your image, you will no longer need to provide a profile file when hardening the image.
rfharden <stub_image>
The profile file uses the gitignore syntax.

Install the RapidFort Command Line Interface tools and dependencies.

First, we will stub, test, and harden the NGINX Docker image.
For more detailed information, please refer to the Getting Started: Stub and Harden a Docker Image tutorial.

docker pull nginx:latest

rfstub nginx:latest

docker run --rm -it --name=rf-test --cap-add=SYS_PTRACE -p9999:80 nginx:latest-rfstub

curl localhost:9999

docker stop rf-test

rfharden nginx:latest-rfstub

Run the hardened image:
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Attach to the running instance:
docker exec -it rf-test sh
Try to run cat.
cat --help
sh: cat: not found
Now try to run ls.
ls
sh: ls: not found
Use it or lose it! cat and ls were removed from the hardened image because these were not exercised while profiling the stub image.
Stop the running instance.
docker stop rf-test

We will create a profile file and generate a new hardened image using the profile file.

Create a text file called nginx_profile:
nginx_profile
cat
ls
If an item in the profile file has dependencies, the profile file must specify all dependencies as well.

Harden the stub image with the profile file.
rfharden nginx:latest -p nginx_profile

Run the hardened image again.
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Attach to the running instance.
docker exec -it rf-test sh
Verify that cat and ls are now available.
cat --help
ls
Verify that the hardened image does not contain any files in the folders in /usr/share/doc.
For example:
ls /usr/share/doc/sed
The files in the folders in /usr/share/doc were not exercised during profiling. We will update the profile file to keep everything in /usr/share/doc.
Stop the running instance.
docker stop rf-test

Add /usr/share/doc to the nginx_profile file:
nginx_profile
cat
ls
/usr/share/doc

Harden the stub image with the updated profile file:
rfharden nginx:latest -p nginx_profile

Run the new hardened image:
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Attach to the running instance.
docker exec -it rf-test sh
Verify that the hardened image now contains files in the folders in /usr/share/doc.
For example:
ls /usr/share/doc/sed
cat /usr/share/doc/sed/copyright

We generated a stub image, ran and tested the stub image to generate the runtime profile, and then hardened the stub image.
We verified that the hardened image did not contain some items that we wanted to keep. These items were not detected as being used during profiling and were therefore removed during the hardening process.
Therefore, we created a profile file that contained files and directories that we wanted to keep in the hardened image. We generated a new hardened image using the profile file and verified that the hardened image contained the items that we wanted.
Last modified 21d ago
Copy link
On this page
Profile File
Tutorial: Harden a Docker Image with a Profile File
Prerequisites
Part 1: Harden without a Profile File
Part 2: Harden with a Profile File
Summary