In the following tutorial, we will stub, profile, and harden the NGINX Docker image.
Part 1: Get the Original Image & create a Stub image
Step 1.1: Pull the NGINX Docker Image
docker pull docker.io/nginx:latest
Step 1.2: Log Into RapidFort
Run rflogin to log into RapidFort. Enter your password if prompted.
rflogin <email>
Step 1.3: Generate a Stub Image
Run rfstub to generate a stub image:
rfstub docker.io/nginx:latest
This creates a new image, docker.io/nginx:latest-rfstub.
Run docker images to view the stub image:
docker images | grep nginx
Part 2: Profile the Image
Step 2.1: Run the Stub Image
You must add the SYS_PTRACE Linux kernel capability for this step, because the stub image traces the application at runtime to build its profile.
docker run --rm -it -p9999:80 --cap-add=SYS_PTRACE --name=rf-test docker.io/nginx:latest-rfstub
If you do not add the SYS_PTRACE capability (--cap-add=SYS_PTRACE) then you may see the following error message:
ptrace: Operation not permitted [/bin/dash]
ERROR 48e: did you forget to add SYS_PTRACE capability (--cap-add=SYS_PTRACE)?
Step 2.2: Profile the Stub Image
After the stub image has been deployed, exercise the application's features. You can do this by manually exercising every feature, or by automating it with a coverage script; unlike a QA test, a coverage script only needs to send each input signal, it does not need to evaluate the output. RapidFort will then identify the software components your application actually requires and generate a runtime profile (Real Bill of Materials). The runtime profile is required to harden and optimize the image.
In this example we will profile NGINX for the Curl feature only:
curl localhost:9999
You will see the welcome message from NGINX.
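As an added example (not part of the RapidFort documentation or of the rfstub/rfharden tooling), here is a small coverage script of the kind Step 2.2 describes: it requests each listed path against the running stub container and records only whether the request reached the server, not what came back. The path list, the stand-in HTTP server that lets the script run offline, and the function names are assumptions for illustration; in the real workflow you point it at http://localhost:9999 while the stub container from Step 2.1 is running.

```python
"""Coverage script for Step 2.2 (added example; hypothetical names).

Exercises a list of HTTP paths against a running stub container. Unlike a QA
test, the responses are not evaluated; we only record whether each request
reached the server, so the runtime profile covers every feature we care about.
"""
import http.server
import socket
import sys
import threading
import urllib.error
import urllib.request

# Assumed list of features to exercise. The page's own example covers only "/";
# a real coverage list would name every path the deployment actually serves.
DEFAULT_PATHS = ["/", "/index.html", "/does-not-exist"]


def exercise(base_url, paths=DEFAULT_PATHS, timeout=5):
    """Request each path once and return {path: HTTP status or None}."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            # A 404/403 still exercised the server's error-handling code path.
            results[path] = err.code
        except (urllib.error.URLError, OSError):
            # Connection refused or timed out: this path was NOT profiled.
            results[path] = None
    return results


def coverage_summary(results):
    """Summarise which paths reached the server and which are coverage gaps."""
    unreachable = [p for p, status in results.items() if status is None]
    return {
        "requested": len(results),
        "reached": len(results) - len(unreachable),
        "unreachable": unreachable,
    }


class _StandInHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the NGINX container so the script runs offline."""

    def do_GET(self):
        if self.path in ("/", "/index.html"):
            status, body = 200, b"<h1>Welcome to nginx!</h1>\n"
        else:
            status, body = 404, b"<h1>404 Not Found</h1>\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in_server():
    """Start the stand-in on a free loopback port; return (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def closed_port_url():
    """Return a loopback URL on a port nothing listens on (the coverage-gap case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return "http://127.0.0.1:%d" % port


def demo():
    """Run the coverage list against the stand-in server and return the results."""
    server, base_url = start_stand_in_server()
    try:
        return exercise(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Real use: python3 coverage.py http://localhost:9999 (stub container from Step 2.1)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    res = demo() if target is None else exercise(target)
    print(res)
    print(coverage_summary(res))
```

Run it as `python3 coverage.py http://localhost:9999` while the stub container is up, then continue with Step 2.3. Any path reported as unreachable is a coverage gap: the code behind it was never executed inside the stub container, so it will not be represented in the runtime profile that the hardening step relies on.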
Step 2.3: Stop the Container
Stop the Docker container:
docker stop -t 1 rf-test
Part 3: Generate, Run, and Test the Hardened Image
Step 3.1: Harden the Stub Image
Run rfharden to harden the stub image.
rfharden docker.io/nginx:latest-rfstub
This creates a new image, docker.io/nginx:latest-rfhardened.
If you get the following error message when hardening the image, return to Steps 2.1-2.3:
Error: No stub instances have run yet...
This indicates that RapidFort did not receive runtime profile information for this image. RapidFort must have a runtime profile to harden an image.
Step 3.2: Run the Hardened Image
Run the hardened image and test it again to verify that your application is working as expected:
docker run --rm -it -p9999:80 --name=rf-test docker.io/nginx:latest-rfhardened
curl localhost:9999
You should see the same welcome message from NGINX.
When you are finished with testing your application, stop the Docker container:
docker stop -t 1 rf-test
The hardened image does not contain any RapidFort dependencies for runtime tracing.
You need not add the SYS_PTRACE capability when running the hardened image.
Step 3.3: View Image Information
You can view the image information, both before and after hardening, from the RapidFort Web User Interface at https://frontrow.rapidfort.com. See the RapidFort User Interface section for more information.
Alternatively, you can view the information by running rfinfo <rapidfort_guid>:
rfinfo <rapidfort_guid>
To save reports to your local system, run rfinfo with the -s parameter.
rfinfo -s <rapidfort_guid>
Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.