Getting Started: Stub and Harden a Container Image with Docker-Compose
Use the RapidFort Command Line Interface (CLI) tools to stub and harden a container image using Docker-Compose
You will need the following:
- Docker-Compose
- RapidFort server (SaaS or On-Premises) and account
In this tutorial, we will stub, test, and harden the NGINX Docker image.
Original Image: The NGINX Docker image available directly from Docker Hub. The original image has not yet been optimized and secured by RapidFort and may have known vulnerabilities.
Stub Image: The original image with additional dependencies necessary for RapidFort to trace the runtime behavior.
Hardened Image: The optimized and secured image generated by RapidFort.
Before we start using RapidFort, we will pull the original NGINX Docker image and verify that we can run and test it.
Pull the latest NGINX Docker image:
docker pull nginx:latest
Run docker images and verify that the image is available:
docker images | grep nginx
Download the sample docker-compose.yml file to your client system.
docker-compose.yml
web:
  image: nginx:latest
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
Deploy the original image:
docker-compose up -d
Open another terminal window and run the following command:
curl localhost:9999
You should see a welcome message if everything is working as expected.
Undeploy the original image:
docker-compose down
Run rflogin to log into RapidFort. Enter your password if prompted.
rflogin <your-email-address>
Run rfstub to generate a stub image:
rfstub nginx:latest
This creates a new image, nginx:latest-rfstub. Run docker images to view the stub image:
docker images | grep nginx:latest-rfstub
Before deploying the stub image, make the following updates to docker-compose.yml:
- Update the image to nginx:latest-rfstub.
- Add a new section called cap_add. Add the SYS_PTRACE capability to enable RapidFort to trace the runtime behavior of the stub image.
docker-compose.yml
web:
  image: nginx:latest-rfstub
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
  cap_add:
    - SYS_PTRACE
Deploy the stub image:
docker-compose up -d
Run some tests. This enables RapidFort to trace the runtime behavior of your container.
For example, run the following command:
curl localhost:9999
Log into the RapidFort dashboard. You should see an image list.
Select the nginx:latest image.
In the left column, select Logs. Verify that the Logs table contains tracing information. You should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.
If the Logs table is empty, please verify the following:
- The stub image (nginx:latest-rfstub) is currently deployed and running
- The docker run command specified --cap-add=SYS_PTRACE
- The Docker host has access to the RapidFort server
When you generate a stub image, RapidFort also scans the original image for packages and known vulnerabilities. You may optionally view the vulnerabilities and packages found in the original image from the RapidFort dashboard.
When you are finished with running tests, undeploy the stub image:
docker-compose down
Run rfharden to harden the stub image.
rfharden nginx:latest-rfstub
This creates a new image, nginx:latest-rfhardened. Run docker images to view the hardened image:
docker images | grep nginx:latest-rfhardened
Before deploying the hardened image, make the following updates to docker-compose.yml:
- Update the image to nginx:latest-rfhardened.
- Remove the cap_add section. (The SYS_PTRACE capability is not required since we are not profiling the hardened image.)
docker-compose.yml
web:
  image: nginx:latest-rfhardened
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
Deploy the hardened image and test it again:
docker-compose up -d
curl localhost:9999
When you are finished with testing the hardened image, undeploy it:
docker-compose down
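The two docker-compose.yml edits above (stub: -rfstub image plus cap_add SYS_PTRACE; hardened: -rfhardened image with cap_add removed) are easy to get out of step, and a missing SYS_PTRACE is the first cause of an empty Logs table. The following POSIX shell function is an added example, not part of RapidFort's CLI or this tutorial, that checks a compose file before you run docker-compose up for either phase; it assumes the single-service layout used in this tutorial (one image: line, SYS_PTRACE listed only under cap_add).

```shell
#!/bin/sh
# Constructed helper (not RapidFort tooling): check that docker-compose.yml
# matches the phase you are about to deploy.
# Usage: check_compose_phase <stub|hardened> <compose-file>
# Returns 0 when the file is consistent with the phase, 1 otherwise.
check_compose_phase() {
  phase=$1
  file=$2
  # Image reference of the service: value after the first "image:" key.
  image=$(grep -m1 -E '^[[:space:]]*image:' "$file" | sed -E 's/^[[:space:]]*image:[[:space:]]*//')
  # Is SYS_PTRACE granted? Assumes it only ever appears as a cap_add list item.
  if grep -qE '^[[:space:]]*-[[:space:]]*SYS_PTRACE[[:space:]]*$' "$file"; then
    has_ptrace=1
  else
    has_ptrace=0
  fi
  case "$phase" in
    stub)
      case "$image" in
        *-rfstub) ;;
        *) echo "image '$image' is not an -rfstub image"; return 1 ;;
      esac
      # Without SYS_PTRACE the stub runs but RapidFort cannot trace it (empty Logs table).
      [ "$has_ptrace" -eq 1 ] || { echo "cap_add SYS_PTRACE is missing for the stub image"; return 1; }
      ;;
    hardened)
      case "$image" in
        *-rfhardened) ;;
        *) echo "image '$image' is not an -rfhardened image"; return 1 ;;
      esac
      # The hardened image is not profiled, so the extra capability should be gone.
      [ "$has_ptrace" -eq 0 ] || { echo "remove cap_add SYS_PTRACE for the hardened image"; return 1; }
      ;;
    *)
      echo "unknown phase '$phase' (expected stub or hardened)"; return 1 ;;
  esac
  echo "$file is ready for the $phase phase ($image)"
  return 0
}
```

Run it as check_compose_phase stub docker-compose.yml (or hardened) right before docker-compose up -d in each phase.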
To view information on a RapidFort image, run rfinfo <rapidfort_id>:
rfinfo <rapidfort_id>
Optionally, to save reports to your local system, run rfinfo with the -s parameter.
rfinfo -s <rapidfort_id>
You can also visit the RapidFort dashboard for more information.
Stub: Run rfstub to generate a stub image from the original image.
Test: Run and test the stub image instead of the original image. When running the stub image, add the SYS_PTRACE Linux kernel capability by specifying the following so that RapidFort can trace the runtime behavior:
cap_add:
  - SYS_PTRACE
Verify that tracing information is being propagated to the RapidFort server by visiting the RapidFort dashboard and viewing the logs for the stub image.
Harden: Run rfharden to generate a hardened image.
Test Again: Run and test the hardened image again. Verify that the hardened image has the same runtime behavior as the original image.
View the Results: View the attack surface, known vulnerabilities, packages, and files in the original and hardened images. You can also download reports.
Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.