R
R
RapidFort User Documentation
Search…
Welcome to RapidFort
RapidFort Support
RapidFort SaaS
RapidFort SaaS Solution
RapidFort On-Premises
RapidFort On-Premises Solution
RapidFort AWS Prerequisites
RapidFort Helm Chart AWS Deployment
RapidFort Standalone AWS Commercial Console Deployment
RapidFort Standalone AWS GovCloud Console Deployment
Using RapidFort
RapidFort Command Line Interface Tools
RapidFort User Interface
RapidFort Service Accounts
Getting Started Guides
Getting Started: Stub and Harden a Docker Image
Getting Started: Stub and Harden a Docker Image with Docker-Compose
Getting Started: Stub and Harden a Docker Image with Kubernetes
Getting Started: Stub and Harden a Docker Image with GitLab
Getting Started: Stub and Harden a Docker Image with Bitbucket
Getting Started: Scan a Docker Image
How To Guides
Add the SYS_PTRACE Linux Kernel Capability
Verify that Profiling Information is Propagated to RapidFort
Download Reports
RapidFort GitLab CI/CD Integration
Using RapidFort with Helm Charts
Scanning with RapidFort
Overview
Registry Configuration
Scanning Images
Scanning Container Registries
Scanning Amazon Elastic Container Registry (ECR) Images
Advanced Features
Workload Tags
Hardening Features
Hardening Profiles
Powered By GitBook
Verify that Profiling Information is Propagated to RapidFort
Learn how to verify that profiling information is propagated to RapidFort for your stub images

Overview

To optimize and secure your application, RapidFort must be able to trace the runtime behavior and generate a runtime profile while the stub image is deployed and running.
Review: A stub image is the original image built with additional dependencies necessary for RapidFort to trace the runtime behavior and generate the runtime profile.
In this guide, we will learn how to deploy a stub image with the required settings and verify that runtime tracing information is being propagated to RapidFort.

Deploy the Stub Image

Before you deploy a stub image, please verify the following:
  • The stub image (not the original image) will be deployed
  • The environment in which the stub image will be deployed has HTTPS access to the RapidFort server
  • The SYS_PTRACE Linux kernel capability is added
    • For more information on how to add SYS_PTRACE, please refer to the How To guide.
  • The root filesystem has read/write access enabled
  • Privilege escalation is enabled

Visit the RapidFort Dashboard

View the Image List

Find the stub image in the image list and view the Profiling status.
  • If no profiling information is available, then the Profiling status will be Not Started.
  • If profiling information is available, then the Profiling status will be In progress or Finished.

View the Profiling Logs

Select the stub image in the image list.
In the left column, select Logs.
View the Logs table. If profiling information is available, you should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.

Next Steps

Run Coverage Tests for the Application

While your stub image is deployed, run coverage tests to exercise the functionalities of the application. The goal is to ensure that all required files and dependencies are detected while the runtime behavior of the stub image is being traced. This reduces the risk that required files will be removed during the hardening process.
Use it or lose it! If a file is not detected as being used during runtime tracing, then it may be removed during the hardening process.

Harden the Stub Image

Congratulations! Your stub image is now ready to be hardened. Run rfharden <stub_image> to optimize and secure your image.

Deploy the Hardened Image

Deploy and run the hardened image. Use the same deployment settings as the original image.
Adding SYS_PTRACE is not required when running the hardened image (unless this is required by your application -- that is, when running the original image). RapidFort does not add any runtime tracing dependencies to the hardened image.
Verify that the hardened image has the same runtime behavior as the original image.
If any functionality is not working as expected in the hardened image, please verify that this was exercised in the coverage tests for the stub image and then harden the image again.
If you are not able to exercise this functionality in your coverage tests, then you may also use a hardening profile file that specifies files and directories to keep in the hardened image.
How To Guides - Previous
Add the SYS_PTRACE Linux Kernel Capability
Next - How To Guides
Download Reports
Last modified 1mo ago
Copy link
Contents
Overview
Deploy the Stub Image
Visit the RapidFort Dashboard
View the Image List
View the Profiling Logs
Next Steps
Run Coverage Tests for the Application
Harden the Stub Image
Deploy the Hardened Image