Getting Started: Stub and Harden a Docker Image with GitLab
Use the RapidFort Command Line Interface (CLI) tools to stub and harden a Docker image with GitLab

Prerequisites

You will need the following:
  • RapidFort Server (SaaS or On-Premises)
  • RapidFort Service Account
  • GitLab Runner
  • Deployment Environment (for example, Kubernetes, Docker, Docker-Compose, AWS Fargate)
    • The deployment environment must have HTTPS access to the RapidFort server
    • The deployment environment must provide support for adding the SYS_PTRACE Linux kernel capability
    • In this tutorial, we will deploy and test the stub image on the GitLab runner
  • Container Registry (for example, Amazon Elastic Container Registry, Docker Hub, Microsoft Azure Container Registry, and so forth)
    • In this tutorial, we will not push images to a container registry

Stub, Test, and Harden the NGINX Docker Image

In this tutorial, we will stub, test, and harden the NGINX Docker image.
Original Image: The NGINX Docker image available directly from Docker Hub. The original image has not yet been optimized and secured by RapidFort and may have known vulnerabilities.
Stub Image: The original image with additional dependencies necessary for RapidFort to trace the runtime behavior.
Hardened Image: The optimized and secured image generated by RapidFort.
Download the sample .gitlab-ci.yml file.
Update the following variables:
  • RF_ROOT_URL:
    • For SaaS users, specify https://frontrow.rapidfort.com.
    • For On-Premises users, specify the hostname or IP address of your RapidFort on-premises server (for example, https://rapidfort.example.com).
  • RF_ACCESS_ID: Specify the access ID for your RapidFort service account.
  • RF_SECRET_ACCESS_KEY: Specify the secret access key for your RapidFort service account.
  • RF_CLI_UPDATE: Specify "no" to download and install the RapidFort CLI tools only if they are not already installed on the runner, or "yes" to always download and install them (even if they are already installed).
  • RF_CLI_PATH: Specify the location where the RapidFort CLI tools will be installed on the GitLab runner.
We recommend supplying these values as environment variables rather than hard-coding them in .gitlab-ci.yml.
.gitlab-ci.yml
```yaml
variables:
  DOCKER_IMAGE_NAME: "nginx"
  TAG: latest
  RF_ROOT_URL: https://frontrow.rapidfort.com
  # generate service account & replace these
  RF_ACCESS_ID: RFabcdefghijkl123456
  RF_SECRET_ACCESS_KEY: 01234567891011abcdefghijklmnopqrstuvwxyz
  RF_CLI_UPDATE: "no"
  RF_CLI_PATH: /home/gitlab-runner/.local/bin

default:
  tags:
    - ubuntu
  before_script:
    - |
      # Install the RapidFort CLI tools if rflogin is missing or an update was requested.
      # Note: -k disables TLS certificate verification for this download.
      if [ -z "$(command -v rflogin)" ] || [ "${RF_CLI_UPDATE}" == "yes" ]; then
        curl -ks "${RF_ROOT_URL}"/cli/ | bash
      fi
      export PATH="$RF_CLI_PATH:$PATH"

stages:
  - Build
  - Stub
  - Deploy
  - Test
  - Harden

build:
  stage: Build
  script:
    - |
      # Pull the original image and give it a pipeline-specific tag
      docker pull $DOCKER_IMAGE_NAME:$TAG
      docker tag $DOCKER_IMAGE_NAME:$TAG $DOCKER_IMAGE_NAME:$TAG-$CI_PIPELINE_ID

generate-stub:
  stage: Stub
  script:
    - |
      # ** GENERATE STUB **
      # rfstub produces an image tagged <original tag>-rfstub
      rfstub $DOCKER_IMAGE_NAME:$TAG-$CI_PIPELINE_ID
      docker images | grep $DOCKER_IMAGE_NAME | grep $CI_PIPELINE_ID

deploy:
  stage: Deploy
  script:
    - |
      # Run & test stub (SYS_PTRACE is required for RapidFort to trace the runtime behavior)
      docker run --rm --name $DOCKER_IMAGE_NAME-$TAG-$CI_PIPELINE_ID -p9999:80 --cap-add=SYS_PTRACE -d $DOCKER_IMAGE_NAME:$TAG-$CI_PIPELINE_ID-rfstub

test:
  stage: Test
  script:
    - |
      # Wait until the stub container answers with HTTP 200
      STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9999 || /bin/true)
      until [ "${STATUS_CODE}" == 200 ]; do
        sleep 1
        STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9999 || /bin/true)
      done
      # Load test
      ab -n 10 -c 10 http://localhost:9999/
      # Remove running stub
      docker stop $DOCKER_IMAGE_NAME-$TAG-$CI_PIPELINE_ID

Harden:
  stage: Harden
  script:
    - |
      # ** GENERATE HARDENED IMAGE **
      rfharden $DOCKER_IMAGE_NAME:$TAG-$CI_PIPELINE_ID-rfstub && echo "Hardened Done" || echo "Hardened Failed"
      docker images | grep $DOCKER_IMAGE_NAME | grep $CI_PIPELINE_ID
  when: manual
```

Stub

During the Stub stage, run rfstub to generate a stub image.
In this tutorial, we will not push the stub image to a container registry, but your own pipeline will need to do so before the deployment environment can pull it.
When you generate a stub image, RapidFort also scans the original image for packages and known vulnerabilities and computes the estimated risk reduction opportunity if the image is hardened. You may optionally visit the RapidFort dashboard to view the vulnerabilities and packages that were found in the original image.

Deploy and Test

Next, deploy and test the stub image so that RapidFort can trace the runtime behavior of the application and build the runtime profile.
The SYS_PTRACE Linux kernel capability must be added when deploying stub images so that RapidFort can trace the runtime behavior.
If you are planning to deploy the stub image in a Kubernetes environment, you will need to allow privilege escalation and read/write access to the root filesystem:
  • allowPrivilegeEscalation: true
  • readOnlyRootFilesystem: false
Make sure that your deployment environment (in this tutorial, the GitLab runner) allows HTTPS access to the RapidFort server.
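As an added example (not part of the RapidFort tutorial), the following Kubernetes Deployment shows where the three settings above go when the stub image is deployed to a cluster. The registry path, pipeline ID, namespace and labels are placeholders; the settings are only needed while the stub image is being traced.

```yaml
# Added example: Deployment for the STUB image (tag suffix -rfstub), not the hardened image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-rfstub
  namespace: rf-tracing            # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-rfstub
  template:
    metadata:
      labels:
        app: nginx-rfstub
    spec:
      containers:
        - name: nginx
          # placeholder: the pipeline tags the stub as $TAG-$CI_PIPELINE_ID-rfstub
          image: registry.example.com/nginx:latest-12345-rfstub
          ports:
            - containerPort: 80
          securityContext:
            # Required so RapidFort can trace the running process.
            capabilities:
              add: ["SYS_PTRACE"]
            # Relaxations the tutorial calls for when deploying a stub image.
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
      # The pod must also be able to reach RF_ROOT_URL over HTTPS (egress policy),
      # otherwise no tracing information reaches the RapidFort server.
```

Exercise the application through this Deployment (as the Test stage does with curl and ab) before running rfharden, and check the Logs table in the dashboard to confirm that traces arrived.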

Verify that Tracing Information is Propagated to the RapidFort Server

Log into the RapidFort dashboard. You should see an image list.
Select the image that you deployed.
In the left column, select Logs. Verify that the Logs table contains tracing information. You should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.
If the Logs table is empty, please verify the following:
  • The stub image (not the original image) was deployed
  • The deployment configuration added the SYS_PTRACE Linux kernel capability
    • For Kubernetes environments, the deployment configuration allows privilege escalation and enables read/write access for the root filesystem
      • allowPrivilegeEscalation: true
      • readOnlyRootFilesystem: false
  • The environment in which the stub image was deployed has HTTPS access to the RapidFort server
If there are any issues, please update your deployment configuration and environment and deploy the stub image again. RapidFort cannot harden an image unless it has a valid runtime profile.

Harden

After you have deployed and tested the stub image and verified that the runtime profile information was propagated to RapidFort, you are ready to harden it.
Note that the Harden stage is manual. You must deploy and test the stub image and verify that the runtime profile was generated successfully before hardening it.