Getting Started: Stub and Harden a Container Image with Docker-Compose

Use the RapidFort Command Line Interface (CLI) tools to stub and harden a container image using Docker-Compose

Prerequisites

You will need the following:

Stub and Harden the NGINX Docker Image

In this tutorial, we will stub, test, and harden the NGINX Docker image.
Original Image: The NGINX Docker image available directly from Docker Hub. The original image has not yet been optimized and secured by RapidFort and may have known vulnerabilities.
Stub Image: The original image with additional dependencies necessary for RapidFort to trace the runtime behavior.
Hardened Image: The optimized and secured image generated by RapidFort.

Part 1: Get and Deploy the Original Image

Before we start using RapidFort, we will get the original NGINX Docker image and verify that we can run and test this.

Step 1.1: Pull the NGINX Docker Image

Pull the latest NGINX Docker image:
docker pull nginx:latest
Run docker images and verify that the image is available:
docker images | grep nginx

Step 1.2: Deploy the Original Image

Download the sample docker-compose.yml file to your client system.
docker-compose.yml
web:
  image: nginx:latest
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
Deploy the original image:
docker-compose up -d

Step 1.3: Test the Original Image

Open another terminal window and run the following command:
curl localhost:9999
You should see a welcome message if everything is working as expected.
Undeploy the original image:
docker-compose down

Part 2: Generate and Deploy the Stub Image

Step 2.1: Log Into RapidFort

Run rflogin to log into RapidFort. Enter your password if prompted.
rflogin <your-email-address>

Step 2.2: Generate a Stub Image

Run rfstub to generate a stub image:
rfstub nginx:latest
This creates a new image, nginx:latest-rfstub.
Run docker images to view the stub image:
docker images | grep nginx:latest-rfstub

Step 2.3: Deploy the Stub Image

Before deploying the stub image, make the following updates to docker-compose.yml:
  • Update the image to nginx:latest-rfstub.
  • Add a new section called cap_add. Add the SYS_PTRACE capability to enable RapidFort to trace the runtime behavior of the stub image.
docker-compose.yml
web:
  image: nginx:latest-rfstub
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
  cap_add:
    - SYS_PTRACE
Deploy the stub image:
docker-compose up -d

Step 2.4: Test the Stub Image

Run some tests. This enables RapidFort to trace the runtime behavior of your container.
For example, run the following command:
curl localhost:9999

Step 2.5: Verify that Tracing Information is Propagated to RapidFort

Log into the RapidFort dashboard. You should see an image list.
Select the nginx:latest image.
In the left column, select Logs. Verify that the Logs table contains tracing information. You should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.
If the Logs table is empty, please verify the following:
  • The stub image (nginx:latest-rfstub) is currently deployed and running
  • The docker-compose.yml file grants the SYS_PTRACE capability to the web service (the cap_add section with SYS_PTRACE, equivalent to --cap-add=SYS_PTRACE on docker run)
  • The Docker host has access to the RapidFort server
When you generate a stub image, RapidFort also scans the original image for packages and known vulnerabilities. You may optionally view the vulnerabilities and packages found in the original image from the RapidFort dashboard.

Step 2.6: Undeploy the Stub Image

When you are finished with running tests, undeploy the stub image:
docker-compose down

Part 3: Generate and Deploy the Hardened Image

Step 3.1: Harden the Stub Image

Run rfharden to harden the stub image.
rfharden nginx:latest-rfstub
This creates a new image, nginx:latest-rfhardened.
Run docker images to view the hardened image:
docker images | grep nginx:latest-rfhardened

Step 3.2: Deploy the Hardened Image

Before deploying the hardened image, make the following updates to docker-compose.yml:
  • Update the image to nginx:latest-rfhardened.
  • Remove the cap_add section. (The SYS_PTRACE capability is not required since we are not profiling the hardened image.)
docker-compose.yml
web:
  image: nginx:latest-rfhardened
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
Deploy the hardened image and test it again:
docker-compose up -d
curl localhost:9999
When you are finished with testing the hardened image, undeploy it:
docker-compose down
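A small lint script, added here as an example and not part of RapidFort's tooling, that checks a docker-compose.yml against the capability rule used in Steps 2.3 and 3.2: an image tagged -rfstub must carry cap_add: SYS_PTRACE so tracing works, and the -rfhardened image (or any other image) must not keep that capability. It assumes a single-service file with a block-style cap_add list like the ones above; compose_image, compose_has_ptrace, check_compose_caps and write_sample are names chosen for this example.

```shell
# Added example (not RapidFort's code): lint a docker-compose.yml for the
# capability rule this tutorial follows: an image tagged *-rfstub must have
# cap_add: SYS_PTRACE (RapidFort needs it to trace the container); any other
# image, including *-rfhardened, should not carry that capability.
# Assumes a single-service file with a block-style cap_add list, as on this page.

# Print the first image: value in the file.
compose_image() {
  awk '/^[[:space:]]*image:/ { print $2; exit }' "$1"
}

# Print "yes" if a cap_add block lists SYS_PTRACE, nothing otherwise.
compose_has_ptrace() {
  awk '
    /^[[:space:]]*cap_add:/ { incap = 1; next }
    incap && /^[[:space:]]*-[[:space:]]*SYS_PTRACE([[:space:]]|$)/ { print "yes"; exit }
    incap && /^[[:space:]]*[A-Za-z_]+:/ { incap = 0 }  # a following key ends the list
  ' "$1"
}

# Return 0 when the file follows the rule, 1 otherwise (with a reason on stdout).
check_compose_caps() {
  image=$(compose_image "$1")
  ptrace=$(compose_has_ptrace "$1")
  case "$image" in
    *-rfstub)
      [ "$ptrace" = "yes" ] && { echo "ok: $image has SYS_PTRACE for tracing"; return 0; }
      echo "error: stub image $image lacks cap_add SYS_PTRACE; tracing will not work"
      return 1 ;;
    *)
      [ "$ptrace" = "yes" ] && { echo "error: $image is not a stub but keeps SYS_PTRACE; remove cap_add"; return 1; }
      echo "ok: $image runs without SYS_PTRACE"
      return 0 ;;
  esac
}

# Constructed sample: a hardened-image file that still carries the stub's cap_add.
write_sample() {
  cat > "$1" <<'EOF'
web:
  image: nginx:latest-rfhardened
  cap_add:
    - SYS_PTRACE
EOF
}

f=$(mktemp); write_sample "$f"
check_compose_caps "$f" || echo "fix docker-compose.yml before deploying"
rm -f "$f"
```

Run it against your own file with check_compose_caps ./docker-compose.yml before each docker-compose up -d; a non-zero exit means the capability does not match the image you are about to deploy.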

Step 3.3: View Image Information

To view information on a RapidFort image, run rfinfo <rapidfort_id>:
rfinfo <rapidfort_id>
Optionally, to save reports to your local system, run rfinfo with the -s parameter.
rfinfo -s <rapidfort_id>
You can also visit the RapidFort dashboard for more information.

Review

Stub: Run rfstub to generate a stub image from the original image.
Test: Run and test the stub image instead of the original image.
When running the stub image, add the SYS_PTRACE Linux kernel capability by specifying the following so that RapidFort can trace the runtime behavior:
cap_add:
  - SYS_PTRACE
Verify that tracing information is being propagated to the RapidFort server by visiting the RapidFort dashboard and viewing the logs for the stub image.
Harden: Run rfharden to generate a hardened image.
Test Again: Run and test the hardened image again. Verify that the hardened image has the same runtime behavior as the original image.
View the Results: View the attack surface, known vulnerabilities, packages, and files in the original and hardened images. You can also download reports.

Notes

Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.