Hardening Profile Files
Keep files and directories in your hardened images with profile files
By default, when hardening an image, RapidFort removes everything that was not detected as being used while profiling the runtime behavior.
In general, the best way to ensure that your hardened image will contain necessary dependencies is to maximize test coverage when profiling the stub image.
However, this may not always be feasible. Therefore, RapidFort provides the ability to specify files, directories, or packages that you would like to keep in the hardened image.
To keep files, directories, or packages in the hardened image, create a profile file and provide this when hardening the image.
rfharden <stub_image> -p <profile_file>
Profile files can also be built into your images under the name .rfprofile by adding the following line to your Dockerfile:
FROM myimage:latest
ADD /mydir/myprofile /.rfprofile
The .rfprofile must be placed at the location /.rfprofile in order to be detected. If a .rfprofile has been added to your image, you no longer need to provide a profile file when hardening the image:
rfharden <stub_image>
In order to include a package in your hardened image, you may add it to your hardening profile using the following syntax:
{package_name:package_version}
or
{package_name:package_version:package_source_type}
Curly brace delimiters must be used. At a minimum, the package name and version must be provided. If the same package is available from multiple source types, add the source type to specify which one you would like to keep.
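The following validator, added here as an example and not part of RapidFort's tooling, checks a profile file against the two entry kinds described above (path entries and curly-braced package entries) before it is passed to rfharden -p. Comment lines, the duplicate check and the "deb" source type in the constructed sample are assumptions of this example, not documented RapidFort behaviour.

```python
"""Validate a RapidFort hardening profile before passing it to rfharden -p.
Added example, not RapidFort's own tooling: it checks only the two entry kinds
the documentation describes, path entries kept as written and package entries
of the form {name:version} or {name:version:source_type}."""
import re

PACKAGE_RE = re.compile(r"^\{([^{}]*)\}$")

def parse_profile(text):
    """Return (paths, packages, errors) for one profile entry per line."""
    paths, packages, errors, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comment support is this example's
            continue
        if line in seen:
            errors.append(f"line {lineno}: duplicate entry {line!r}")
            continue
        seen.add(line)
        if "{" in line or "}" in line:
            m = PACKAGE_RE.match(line)
            fields = m.group(1).split(":") if m else []
            # Name and version are mandatory, source type optional, no empty field.
            if len(fields) not in (2, 3) or not all(fields):
                errors.append(f"line {lineno}: expected {{name:version}} or "
                              f"{{name:version:source_type}}, got {line!r}")
                continue
            packages.append((fields[0], fields[1], fields[2] if len(fields) == 3 else None))
        elif ":" in line and not line.startswith("/"):
            # A bare name:version is most likely a package entry missing its braces.
            errors.append(f"line {lineno}: package entries must use curly braces: {line!r}")
        else:
            paths.append(line)  # file, directory or command name, kept verbatim
    return paths, packages, errors

# Constructed sample: the tutorial's entries plus three deliberately bad lines
# (braces missing, version missing, duplicate). "deb" is a placeholder source type.
SAMPLE_PROFILE = """\
cat
ls
/usr/share/doc
{sed:4.8-1}
{curl:7.88.1:deb}
sed:4.8-1
{openssl}
ls
"""

if __name__ == "__main__":
    print(*parse_profile(SAMPLE_PROFILE), sep="\n")
```

Run it against your own profile before hardening so that a malformed package entry is caught at edit time rather than discovered as a missing file in the hardened image.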
Install the RapidFort Command Line Interface tools and dependencies.
First, we will stub, test, and harden the NGINX Docker image.
For more detailed information, please refer to the Getting Started: Stub and Harden a Container Image with Docker tutorial.
docker pull nginx:latest
rfstub nginx:latest
docker run --rm -it --name=rf-test --cap-add=SYS_PTRACE -p9999:80 nginx:latest-rfstub
curl localhost:9999
docker stop rf-test
rfharden nginx:latest-rfstub
Run the hardened image:
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened
Attach to the running instance:
docker exec -it rf-test sh
Try to run cat:
cat --help
sh: cat: not found
Now try to run ls:
ls
sh: ls: not found
Use it or lose it! cat and ls were removed from the hardened image because they were not exercised while profiling the stub image. Stop the running instance:
docker stop rf-test
We will create a profile file and generate a new hardened image using the profile file.
Create a text file called nginx_profile:
nginx_profile
cat
ls
If an item in the profile file has dependencies, the profile file must specify all dependencies as well.
Harden the stub image with the profile file.
rfharden nginx:latest -p nginx_profile
Run the hardened image again.
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened
Attach to the running instance.
docker exec -it rf-test sh
Verify that cat and ls are now available:
cat --help
ls
Verify that the hardened image does not contain any files in the folders under /usr/share/doc. For example:
ls /usr/share/doc/sed
The files in the folders under /usr/share/doc were not exercised during profiling. We will update the profile file to keep everything in /usr/share/doc. Stop the running instance:
docker stop rf-test
Add /usr/share/doc to the nginx_profile file:
nginx_profile
cat
ls
/usr/share/doc
Harden the stub image with the updated profile file:
rfharden nginx:latest -p nginx_profile
Run the new hardened image:
docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened
Attach to the running instance.
docker exec -it rf-test sh
Verify that the hardened image now contains files in the folders under /usr/share/doc. For example:
ls /usr/share/doc/sed
cat /usr/share/doc/sed/copyright
We generated a stub image, ran and tested the stub image to generate the runtime profile, and then hardened the stub image.
We verified that the hardened image did not contain some items that we wanted to keep. These items were not detected as being used during profiling and were therefore removed during the hardening process.
Therefore, we created a profile file that contained files and directories that we wanted to keep in the hardened image. We generated a new hardened image using the profile file and verified that the hardened image contained the items that we wanted.