Harden with "Keep Data Files" flag

Step-by-step tutorial on how to retain data files in a hardened image

Part 1: Generate and exercise the stub image

Step 1.1: Pull the Debian Docker image 
docker pull debian:latest
 
Step 1.2: Generate a stub image 
rfstub debian:latest
 
Step 1.3: Run the stub image 
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
 
Step 1.4: Test the stub image
Running this command in the stub image ensures that ls (invoked here as ls -lrta) is preserved in the hardened image, so that we can later verify which files were included in or excluded from it.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
 
Step 1.5: Stop the running instance 
docker stop rf-test

Part 2: Harden with Keep Data Files

Step 2.1: Harden with --keep-data-files 
rfharden --keep-data-files debian:latest-rfstub
 
Step 2.2: Verify data files are in hardened image
Visit the RapidFort dashboard. Select Files and All to view the files.
Find the /usr/share/doc/libcap-ng0/copyright file, which is a data (non-executable) file.
Run the following command to verify that this file was preserved in the hardened image. 
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcap-ng0/copyright"
 
This should return a listing entry for usr/share/doc/libcap-ng0/copyright, confirming that the file is present.

Part 3: Harden without Keep Data Files

This follows the default hardening process, which removes all unused files from the image.

Step 3.1: Harden without --keep-data-files
rfharden debian:latest-rfstub
 
Step 3.2: Verify data files are not in hardened image
Run the following to verify that this file was removed. 
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcap-ng0/copyright"
 
This should return a "No such file or directory" error, confirming that the file was removed.
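
Checking a single path does not show everything the flag changes. The script below is an added example, not RapidFort tooling: it lists every file present in the image hardened with --keep-data-files but absent from the default hardened image. Because both hardening runs in this tutorial produce the tag debian:latest-rfhardened, it assumes each result was re-tagged before the next run (the tags debian:rf-keep-data and debian:rf-default, the script name and the function names are hypothetical).

```sh
#!/bin/sh
# Added example: compare two hardened images to see what --keep-data-files retained.
# Assumed (hypothetical) tags, created by re-tagging after each hardening run:
#   docker tag debian:latest-rfhardened debian:rf-keep-data   # after Step 2.1
#   docker tag debian:latest-rfhardened debian:rf-default     # after Step 3.1

# Print the sorted list of non-directory paths in an image's filesystem.
# The image is never started: a stopped container is created, exported, removed.
list_image_files() {
    cid=$(docker create "$1") || return 1
    docker export "$cid" | tar -tf - |
        sed -e 's|^\./||' -e '/\/$/d' -e '/^$/d' | LC_ALL=C sort -u
    docker rm "$cid" >/dev/null
}

# Print paths present in image $1 but missing from image $2.
kept_data_files() {
    keep_list=$(mktemp) || return 1
    default_list=$(mktemp) || return 1
    if list_image_files "$1" >"$keep_list" &&
       list_image_files "$2" >"$default_list"; then
        LC_ALL=C comm -23 "$keep_list" "$default_list"
        status=$?
    else
        status=1
    fi
    rm -f "$keep_list" "$default_list"
    return "$status"
}

# Usage: sh compare.sh debian:rf-keep-data debian:rf-default
if [ "$#" -eq 2 ]; then
    kept_data_files "$1" "$2"
fi
```

With the images from this tutorial, the output should include usr/share/doc/libcap-ng0/copyright.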