Add the SYS_PTRACE Linux Kernel Capability
Learn how to add the SYS_PTRACE Linux kernel capability when deploying your stub images
To optimize and secure your application, RapidFort must be able to trace the runtime behavior and generate a runtime profile while the stub image is deployed and running. Tracing the runtime behavior of the stub image has additional requirements; in particular, the SYS_PTRACE Linux kernel capability must be added.

Review: A stub image is the original image built with the additional dependencies necessary for RapidFort to trace the runtime behavior and generate the runtime profile.
In this guide, we will learn how to add SYS_PTRACE when deploying the stub image. During initialization, the stub image tries to detect whether SYS_PTRACE has been added; if it has not, the stub image will fail to run.

Docker: add --cap-add=SYS_PTRACE to the docker run command.

    docker run --cap-add=SYS_PTRACE <flags> <stub image>

For example:

    docker run --cap-add=SYS_PTRACE -p9999:80 --name=nginx-rf-test docker.io/library/nginx:latest-rfstub
Docker Compose: add a section called cap_add with a SYS_PTRACE list item to the Compose YAML file.

    cap_add:
      - SYS_PTRACE
Kubernetes: add a securityContext section to the Kubernetes manifest file.

    securityContext:
      capabilities:
        add: ["SYS_PTRACE"]
      allowPrivilegeEscalation: true
      readOnlyRootFilesystem: false

allowPrivilegeEscalation and readOnlyRootFilesystem are not directly related to adding SYS_PTRACE, but RapidFort requires them in order to trace the runtime behavior of the stub image, so they must also be specified in the securityContext when deploying the stub image.

AWS Fargate: add a "capabilities" section to the "linuxParameters" section of the AWS Fargate task definition.

    "linuxParameters": {
      "capabilities": {
        "add": [
          "SYS_PTRACE"
        ]
      }
    }
For more information, please view the Amazon Elastic Container Service KernelCapabilities documentation.
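The startup detection described above, and the three Kubernetes securityContext settings, can be checked before a deployment fails. The following script is an added example, not RapidFort's own code: it reads the effective capability mask from /proc/self/status (the same information the stub image relies on) and validates the securityContext fields; the dict form of the securityContext and the sample CapEff values are assumptions constructed for the example.

```python
"""Check whether CAP_SYS_PTRACE is effective inside a running container.

Added example, not RapidFort's code. The kernel exposes each process's
effective capability bitmask on the CapEff line of /proc/<pid>/status;
CAP_SYS_PTRACE is bit 19 of that mask.
"""
import sys

CAP_SYS_PTRACE = 19  # bit index, from <linux/capability.h>


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask parsed from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def has_sys_ptrace(status_text: str) -> bool:
    """True when CAP_SYS_PTRACE is in the effective set."""
    return bool(parse_cap_eff(status_text) >> CAP_SYS_PTRACE & 1)


def check_security_context(ctx: dict) -> list:
    """Report which of the required Kubernetes securityContext settings are missing.

    ctx is the securityContext section as a dict (hypothetical: e.g. one
    object from a parsed YAML manifest)."""
    problems = []
    added = ctx.get("capabilities", {}).get("add", [])
    if "SYS_PTRACE" not in added:
        problems.append("capabilities.add lacks SYS_PTRACE")
    if ctx.get("allowPrivilegeEscalation") is not True:
        problems.append("allowPrivilegeEscalation must be true")
    if ctx.get("readOnlyRootFilesystem") is not False:
        problems.append("readOnlyRootFilesystem must be false")
    return problems


# Constructed samples: a container started with Docker's default capability
# set versus one started with --cap-add=SYS_PTRACE; the masks differ only in bit 19.
DEFAULT_STATUS = "Name:\tnginx\nCapEff:\t00000000a80425fb\n"
PTRACE_STATUS = "Name:\tnginx\nCapEff:\t00000000a80c25fb\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        ok = has_sys_ptrace(f.read())
    print("CAP_SYS_PTRACE effective" if ok else "CAP_SYS_PTRACE missing: add --cap-add=SYS_PTRACE")
    sys.exit(0 if ok else 1)
```

From outside the container, the same question can be answered with docker inspect --format '{{.HostConfig.CapAdd}}' nginx-rf-test, which lists the capabilities added at docker run time.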
Adding SYS_PTRACE is one requirement for profiling your stub image. You will also need to verify that the stub image is able to send profiling information to RapidFort.

While your stub image is deployed, run coverage tests that exercise the functionality of the application. The goal is to ensure that all required files and dependencies are detected while the runtime behavior of the stub image is being traced; this reduces the risk that required files will be removed during the hardening process.

Use it or lose it! If a file is not detected as being used during runtime tracing, it may be removed during the hardening process.

Congratulations! Your stub image is now ready to be hardened. Run

    rfharden <stub_image>

to optimize and secure your image.

Adding SYS_PTRACE is not required when running the hardened image (unless your application itself requires it). RapidFort does not leave any runtime tracing dependencies in the hardened image.