Links

Verify that Profiling Information is Propagated to RapidFort

Learn how to verify that profiling information is propagated to RapidFort for your stub images

Overview

To optimize and secure your application, RapidFort must be able to trace the runtime behavior and generate a runtime profile while the stub image is deployed and running.
Review: A stub image is the original image built with additional dependencies necessary for RapidFort to trace the runtime behavior and generate the runtime profile.
In this guide, we will learn how to deploy a stub image with the required settings and verify that runtime tracing information is being propagated to RapidFort.

Deploy the Stub Image

Before you deploy a stub image, please verify the following:
  • The stub image (not the original image) will be deployed
  • The environment in which the stub image will be deployed has HTTPS access to the RapidFort server
  • The SYS_PTRACE Linux kernel capability is added
    • For more information on how to add SYS_PTRACE, please refer to the How To guide.
  • The root filesystem has read/write access enabled
  • Privilege escalation is enabled

Visit the RapidFort Dashboard

View the Image List

Find the stub image in the image list and view the Profiling status.
  • If no profiling information is available, then the Profiling status will be Not Started.
  • If profiling information is available, then the Profiling status will be In progress or Finished.

View the Profiling Logs

Select the stub image in the image list.
In the left column, select Logs.
View the Logs table. If profiling information is available, you should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.

Next Steps

Run Coverage Tests for the Application

While your stub image is deployed, run coverage tests to exercise the functionalities of the application. The goal is to ensure that all required files and dependencies are detected while the runtime behavior of the stub image is being traced. This reduces the risk that required files will be removed during the hardening process.
Use it or lose it! If a file is not detected as being used during runtime tracing, then it may be removed during the hardening process.

Harden the Stub Image

Congratulations! Your stub image is now ready to be hardened. Run rfharden <stub_image> to optimize and secure your image.

Deploy the Hardened Image

Deploy and run the hardened image. Use the same deployment settings as the original image.
Adding SYS_PTRACE is not required when running the hardened image (unless this is required by your application -- that is, when running the original image). RapidFort does not add any runtime tracing dependencies to the hardened image.
Verify that the hardened image has the same runtime behavior as the original image.
If any functionality is not working as expected in the hardened image, please verify that this was exercised in the coverage tests for the stub image and then harden the image again.
If you are not able to exercise this functionality in your coverage tests, then you may also use a hardening profile file that specifies files and directories to keep in the hardened image.