Verify that Profiling Information is Propagated to RapidFort
Learn how to verify that profiling information is propagated to RapidFort for your stub images
To optimize and secure your application, RapidFort must be able to trace the runtime behavior and generate a runtime profile while the stub image is deployed and running.
Review: A stub image is the original image built with additional dependencies necessary for RapidFort to trace the runtime behavior and generate the runtime profile.
In this guide, we will learn how to deploy a stub image with the required settings and verify that runtime tracing information is being propagated to RapidFort.
Before you deploy a stub image, please verify the following:
- The stub image (not the original image) will be deployed
- The environment in which the stub image will be deployed has HTTPS access to the RapidFort server
- The SYS_PTRACE Linux kernel capability is added
- The root filesystem has read/write access enabled
- Privilege escalation is enabled
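One way to check three of these settings from inside the running stub container, as an added example that is not RapidFort's own tooling. It reads the Linux /proc files and assumes that the added capability appears in the bounding set (CapBnd) and that "privilege escalation enabled" corresponds to the kernel no_new_privs flag being unset; the function names and sample text are constructed for illustration.

```python
"""Pre-flight check of stub-image runtime settings (added example)."""
CAP_SYS_PTRACE = 19  # bit number of CAP_SYS_PTRACE in linux/capability.h

# Constructed sample inputs: a container granted SYS_PTRACE with a writable root.
SAMPLE_STATUS = "Name:\tapp\nCapBnd:\t00000000a80c25fb\nNoNewPrivs:\t0\n"
SAMPLE_MOUNTS = "overlay / overlay rw,relatime 0 0\nproc /proc proc rw 0 0\n"


def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def root_mount_options(mounts_text):
    """Return the option set of the last mount on '/' (the one in effect)."""
    opts = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/":
            opts = set(parts[3].split(","))
    return opts


def check_stub_runtime(status_text, mounts_text):
    """Return a list of problems; an empty list means the settings look right."""
    problems = []
    status = parse_status(status_text)
    # CapBnd is the bounding set: the capabilities the container was granted.
    bounding = int(status.get("CapBnd", "0"), 16)
    if not bounding & (1 << CAP_SYS_PTRACE):
        problems.append("SYS_PTRACE is not in the capability bounding set")
    # Assumption: "privilege escalation enabled" means no_new_privs is unset.
    if status.get("NoNewPrivs", "0") != "0":
        problems.append("no_new_privs is set (privilege escalation disabled)")
    opts = root_mount_options(mounts_text)
    if opts is None or "rw" not in opts:
        problems.append("root filesystem is not mounted read/write")
    return problems


if __name__ == "__main__":
    with open("/proc/self/status") as s, open("/proc/mounts") as m:
        for line in check_stub_runtime(s.read(), m.read()) or ["ok"]:
            print(line)
```

The same check run against the hardened image should report SYS_PTRACE as absent unless the application itself needs it. HTTPS reachability of the RapidFort server is not covered here.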
Find the stub image in the image list and view the Profiling status.
- If no profiling information is available, then the Profiling status will be Not Started.
- If profiling information is available, then the Profiling status will be In progress or Finished.
Select the stub image in the image list.
In the left column, select Logs.
View the Logs table. If profiling information is available, you should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.
While your stub image is deployed, run coverage tests to exercise the application's functionality. The goal is to ensure that all required files and dependencies are detected while the runtime behavior of the stub image is being traced. This reduces the risk that required files will be removed during the hardening process.
Use it or lose it! If a file is not detected as being used during runtime tracing, then it may be removed during the hardening process.
Congratulations! Your stub image is now ready to be hardened. Run rfharden <stub_image> to optimize and secure your image.
Deploy and run the hardened image. Use the same deployment settings as the original image.
Adding SYS_PTRACE is not required when running the hardened image (unless your application itself requires it, that is, it is also needed when running the original image). RapidFort does not add any runtime tracing dependencies to the hardened image.
Verify that the hardened image has the same runtime behavior as the original image.
If any functionality is not working as expected in the hardened image, please verify that it was exercised in the coverage tests for the stub image and then harden the image again.
If you are not able to exercise this functionality in your coverage tests, then you may also use a hardening profile file that specifies files and directories to keep in the hardened image.