Hardening Profiles
Fine-tune your hardened workloads

Profile File

By default, when hardening an image, RapidFort removes everything that was not observed being used while profiling the image's runtime behavior.
In general, the best way to ensure that your hardened image contains all necessary dependencies is to maximize test coverage when profiling the stub image.
However, this is not always feasible. Therefore, RapidFort lets you specify files or directories that you want to keep in the hardened image.
To keep files or directories in the hardened image, create a profile file and pass it when hardening the image:
    rfharden <stub_image> -p <profile_file>
The profile file uses the gitignore syntax.

Tutorial: Harden a Docker Image with a Profile File

Prerequisites

Install the RapidFort Command Line Interface tools and dependencies.

Part 1: Harden without a Profile File

First, we will stub, test, and harden the NGINX Docker image.
For more detailed information, please refer to the Getting Started: Stub and Harden a Docker Image tutorial.

Step 1.1: Pull the NGINX Docker Image

    docker pull nginx:latest

Step 1.2: Generate a Stub Image

    rfstub nginx:latest

Step 1.3: Run the Stub Image

    docker run --rm -it --name=rf-test --cap-add=SYS_PTRACE -p9999:80 nginx:latest-rfstub

Step 1.4: Test the Stub Image

    curl localhost:9999

Step 1.5: Stop the Running Instance

    docker stop rf-test

Step 1.6: Harden the Stub Image

    rfharden nginx:latest-rfstub

Step 1.7: Run the Hardened Image

Run the hardened image:
    docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Step 1.8: Explore the Hardened Image

Attach to the running instance:
    docker exec -it rf-test sh
Try to run cat.
    cat --help
    sh: cat: not found
Now try to run ls.
    ls
    sh: ls: not found
Use it or lose it! cat and ls were removed from the hardened image because they were not exercised while profiling the stub image.
Stop the running instance.
    docker stop rf-test

Part 2: Harden with a Profile File

We will create a profile file and generate a new hardened image using the profile file.

Step 2.1: Create a Profile File

Create a text file called nginx_profile with the following contents:
    cat
    ls
If an item in the profile file has dependencies, the profile file must specify all dependencies as well.
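The two rules above (gitignore syntax for the profile, and every dependency of a kept item listed explicitly) are easy to get wrong by hand. The following script is an added example written for this page, not RapidFort's code. It assumes that profile lines follow ordinary gitignore semantics, and it interprets "dependencies" of a kept binary as the shared libraries that `ldd` reports when run inside the stub container (for example `docker exec rf-test ldd /bin/cat`); both are assumptions, since the page does not spell out either. The sample ldd output and image file listing are constructed, so the check runs offline.

```python
"""Build profile entries for a kept binary and check what a profile keeps.

Added example for this page; not RapidFort's code. Assumptions:
  * profile lines follow gitignore semantics: '#' starts a comment, '!' negates,
    a leading or inner '/' anchors the pattern at the image root, a pattern with
    no '/' matches a basename at any depth, a trailing '/' means "a directory and
    everything under it", and '*' / '?' / '[...]' are glob wildcards;
  * the dependencies of a kept binary are the shared libraries reported by
    `ldd` run inside the stub container.
Simplifications: paths are treated as files (so a trailing-slash pattern matches
only descendants) and '*' is allowed to cross '/'.
"""
import fnmatch
import re
import subprocess
from typing import Iterable, List

# ldd prints "libname => /path (0xaddr)" for resolved libraries and
# "/path/to/ld-linux.so (0xaddr)" for the loader itself; the vDSO and
# "=> not found" entries carry no absolute path and are skipped.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)")


def parse_ldd(output: str) -> List[str]:
    """Return the absolute library paths found in `ldd` output."""
    return [m.group(1) for m in map(_LDD_LINE.match, output.splitlines()) if m]


def ldd_in_container(container: str, binary: str) -> List[str]:
    """Run ldd inside the stub container and parse it (needs docker; the offline demo does not call it)."""
    proc = subprocess.run(["docker", "exec", container, "ldd", binary],
                          check=True, capture_output=True, text=True)
    return parse_ldd(proc.stdout)


def profile_entries(binary: str, libs: Iterable[str]) -> List[str]:
    """Profile lines for one binary plus its libraries, anchored with '/' so each matches exactly one path."""
    entries = ["/" + binary.lstrip("/")] + ["/" + lib.lstrip("/") for lib in libs]
    return list(dict.fromkeys(entries))  # de-duplicate, keep order


def _candidates(path: str) -> List[str]:
    """The root-relative path and each of its ancestors: 'usr', 'usr/share', 'usr/share/doc', ..."""
    parts = path.strip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def _pattern_matches(pattern: str, path: str) -> bool:
    """gitignore-style match of one (non-negated) pattern against an absolute image path."""
    dir_only = pattern.endswith("/")
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    pattern = pattern.strip("/")
    candidates = _candidates(path)
    if dir_only:
        candidates = candidates[:-1]  # only an ancestor directory can match a dir pattern
    for cand in candidates:
        subject = cand if anchored else cand.rsplit("/", 1)[-1]
        if fnmatch.fnmatchcase(subject, pattern):
            return True
    return False


def profile_keeps(path: str, profile: Iterable[str]) -> bool:
    """True if the profile keeps `path`; as in gitignore, the last matching line wins."""
    keep = False
    for raw in profile:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if _pattern_matches(line[1:] if negate else line, path):
            keep = not negate
    return keep


def kept_paths(image_paths: Iterable[str], profile: Iterable[str]) -> List[str]:
    """Filter a listing of image paths down to those the profile keeps."""
    rules = list(profile)
    return [p for p in image_paths if profile_keeps(p, rules)]


# Constructed sample data (not captured from a real image).
SAMPLE_LDD_CAT = (
    "\tlinux-vdso.so.1 (0x00007ffd3a9f1000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c5d200000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c5d420000)\n"
)
SAMPLE_IMAGE_PATHS = [
    "/bin/cat", "/bin/ls", "/bin/sed",
    "/lib/x86_64-linux-gnu/libc.so.6", "/lib64/ld-linux-x86-64.so.2",
    "/usr/share/doc/sed/copyright", "/usr/share/doc/nginx/changelog.gz",
    "/usr/share/man/man1/cat.1.gz",
]
TUTORIAL_PROFILE = ["cat", "ls", "/usr/share/doc"]  # the tutorial's nginx_profile

if __name__ == "__main__":
    print("entries for /bin/cat:", profile_entries("/bin/cat", parse_ldd(SAMPLE_LDD_CAT)))
    print("kept by nginx_profile:", kept_paths(SAMPLE_IMAGE_PATHS, TUTORIAL_PROFILE))
```

Two points the run makes visible: an unanchored entry such as `cat` keeps anything named `cat` at any depth, so anchored entries (`/bin/cat`) are the tighter choice when you know the path; and libc and the dynamic loader are only kept by this profile if something else in the profiled workload already used them, which is why `profile_entries` lists them alongside the binary.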

Step 2.2: Harden with the Profile File

Harden the stub image with the profile file.
    rfharden nginx:latest -p nginx_profile

Step 2.3: Run the Hardened Image

Run the hardened image again.
    docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Step 2.4: Explore the Hardened Image

Attach to the running instance.
    docker exec -it rf-test sh
Verify that cat and ls are now available.
    cat --help
    ls
Verify that the hardened image does not contain any files in the folders in /usr/share/doc.
For example:
    ls /usr/share/doc/sed
The files in the folders under /usr/share/doc were not exercised during profiling, so they were removed. We will update the profile file to keep everything in /usr/share/doc.
Stop the running instance.
    docker stop rf-test

Step 2.5: Update the Profile File

Add /usr/share/doc to the nginx_profile file, so that it reads:
    cat
    ls
    /usr/share/doc

Step 2.6: Harden with the Updated Profile File

Harden the stub image with the updated profile file:
    rfharden nginx:latest -p nginx_profile

Step 2.7: Run the Updated Hardened Image

Run the new hardened image:
    docker run --rm -it --name=rf-test -p9999:80 nginx:latest-rfhardened

Step 2.8: Explore the Updated Hardened Image

Attach to the running instance.
    docker exec -it rf-test sh
Verify that the hardened image now contains files in the folders in /usr/share/doc.
For example:
    ls /usr/share/doc/sed
    cat /usr/share/doc/sed/copyright
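Steps 2.4 and 2.8 verify the hardened image by hand. The script below automates that check for a profile file of any size; it is an added example for this page, not RapidFort's code. It assumes a container running the hardened image (the tutorial's `rf-test`) in which `sh` still works, as `docker exec -it rf-test sh` shows above, and probes each literal path with the shell's built-in `test -e`. Profile lines that are patterns (wildcards, `!` negations, or unanchored names such as `cat`) cannot be probed with a single `test -e`, so they are reported as unchecked rather than silently passed. The existence probe is injectable so the logic can be exercised against the local filesystem without docker.

```python
"""Check that a hardened image still contains every literal profile entry.

Added example for this page; not RapidFort's code. Assumes the hardened
container still has a working `sh` (the tutorial shows it does).
"""
import os
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

_GLOB_CHARS = set("*?[")


def exists_in_container(container: str) -> Callable[[str], bool]:
    """Return a probe that runs the shell built-in `test -e PATH` inside the container via docker exec."""
    def probe(path: str) -> bool:
        proc = subprocess.run(
            ["docker", "exec", container, "sh", "-c", 'test -e "$1"', "sh", path],
            capture_output=True,
        )
        return proc.returncode == 0
    return probe


def exists_locally(path: str) -> bool:
    """Probe against the local filesystem; used to exercise the logic offline."""
    return os.path.exists(path)


def classify_entries(profile_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Split profile lines into literal absolute paths (probeable) and patterns (not probeable)."""
    groups: Dict[str, List[str]] = {"literal": [], "pattern": []}
    for raw in profile_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("/") and not (_GLOB_CHARS & set(line)):
            groups["literal"].append(line.rstrip("/") or "/")
        else:
            groups["pattern"].append(line)  # unanchored, negated or wildcard entry
    return groups


def verify_profile(profile_lines: Iterable[str],
                   exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Return the literal entries missing from the image and the entries that could not be checked."""
    groups = classify_entries(profile_lines)
    return {
        "missing": [p for p in groups["literal"] if not exists(p)],
        "unchecked": groups["pattern"],
    }


if __name__ == "__main__":
    # usage: python verify_profile.py rf-test nginx_profile
    container, profile_path = sys.argv[1], sys.argv[2]
    with open(profile_path) as fh:
        report = verify_profile(fh, exists_in_container(container))
    for path in report["missing"]:
        print("MISSING:", path)
    for entry in report["unchecked"]:
        print("unchecked pattern:", entry)
    sys.exit(1 if report["missing"] else 0)
```

Run it against the tutorial's nginx_profile and the script reports `/usr/share/doc` as present and lists `cat` and `ls` as unchecked; anchoring those entries as `/bin/cat` and `/bin/ls` (or wherever the image installs them) makes them probeable too.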

Summary

We generated a stub image, ran and tested it to record the runtime profile, and then hardened it.
We found that the hardened image lacked some items we wanted to keep: they were not detected as being used during profiling and were therefore removed during hardening.
To keep them, we created a profile file listing the files and directories we wanted in the hardened image, generated a new hardened image with that profile, and verified that the image contained those items.