Step-by-step tutorial on how to use hardening presets
Step 1.1: Pull the Debian Image
Pull the latest Debian image from Docker Hub.
docker pull debian:latest
Step 1.2: Generate a Stub Image
rfstub debian:latest
Step 1.3: Run the Stub Image
Run the stub image. Be sure to add the SYS_PTRACE Linux kernel capability.
docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
Step 1.4: Test the Stub Image
Test the stub image so that RapidFort can trace the runtime behavior and generate the runtime profile.
Executing this command in the stub image ensures that ls -lrta is traced and therefore preserved in the hardened image, so it can be used later to verify files in the hardened image.
docker exec -it rf-test bash -c "ls -lrta; echo testing"
Step 1.5: Stop the Running Stub Instance
docker stop rf-test
Step 2.1: Harden with the light option
Light hardening removes unused packages that have critical or high severity vulnerabilities, and keeps unused packages whose vulnerabilities are only of medium, low, or unknown severity, as well as all used packages and files.
Specify --preset light to harden using the light hardening preset.
rfharden --preset light debian:latest-rfstub
Step 2.2: Verify package files are in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With light hardening, the unused package libsepol1 is expected to still be present in the hardened image since it has only low severity vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return usr/share/doc/libsepol1/copyright.
Step 3.1: Harden with the standard option
Standard hardening removes unused packages with known vulnerabilities and keeps unused packages with no known vulnerabilities, as well as all used packages and files.
Specify --preset standard to harden using the standard hardening preset.
rfharden --preset standard debian:latest-rfstub
Step 3.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With standard hardening, the unused package libsepol1 is expected to have been removed from the hardened image since it has known vulnerabilities.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
This will return No such file or directory.
Step 3.3: Verify package files are in the hardened image
With standard hardening, the unused package libcrypt1 is expected to still be present in the hardened image since it has no known vulnerabilities.
Run the following command to verify that this package has had its files preserved.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return usr/share/doc/libcrypt1/copyright.
Step 4.1: Harden with the aggressive option
Aggressive hardening, which is the default hardening preset, will remove all unused packages and keep all used packages and files.
Specify --preset aggressive to harden using the aggressive hardening preset.
rfharden --preset aggressive debian:latest-rfstub
or
rfharden debian:latest-rfstub
Step 4.2: Verify package files are not in the hardened image
Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
With aggressive hardening, the unused package libcrypt1 is expected to have been removed from the hardened image since it was not used during runtime tracing.
Run the following command to verify that this package has had its files removed.
docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
This will return No such file or directory.
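The per-preset checks above can be run as one script. The following is an added example, not part of RapidFort's tooling: it repeats the tutorial's ls probe for the two example packages (libsepol1 and libcrypt1) and compares the result with what each preset is expected to keep or remove. It assumes docker is on PATH and that the hardened image still contains bash, as the tutorial's trace guarantees; the preset-to-package expectations are the ones stated in Steps 2.2 through 4.2.

```shell
#!/usr/bin/env bash
# Added example: verify a hardened image against the package expectations of
# the preset it was built with. Not RapidFort's own code.

# Prints "present" or "removed" for PKG's copyright file inside IMAGE.
# Same probe as the tutorial, minus -it (no TTY in a script); ls's stderr is
# merged so "No such file or directory" can be matched.
probe_pkg() {
  image="$1"; pkg="$2"
  out=$(docker run --rm "$image" bash -c "ls usr/share/doc/$pkg/copyright" 2>&1 || true)
  case "$out" in
    *"No such file or directory"*)        echo removed ;;
    *"usr/share/doc/$pkg/copyright"*)     echo present ;;
    *)                                    echo unknown ;;   # docker/daemon error etc.
  esac
}

# preset:package:expected-state, taken from the tutorial's verification steps.
EXPECTATIONS="
light:libsepol1:present
standard:libsepol1:removed
standard:libcrypt1:present
aggressive:libcrypt1:removed
"

# Returns 0 when every expectation for PRESET holds in IMAGE, 1 otherwise.
verify_preset() {
  preset="$1"; image="$2"; rc=0
  for row in $EXPECTATIONS; do
    p="${row%%:*}"; rest="${row#*:}"; pkg="${rest%%:*}"; want="${rest#*:}"
    [ "$p" = "$preset" ] || continue
    got=$(probe_pkg "$image" "$pkg")
    if [ "$got" = "$want" ]; then
      echo "OK   $preset: $pkg $got"
    else
      echo "FAIL $preset: $pkg expected $want, got $got"; rc=1
    fi
  done
  return $rc
}

# Usage: ./verify-preset.sh <preset> <hardened-image>
#   e.g. ./verify-preset.sh standard debian:latest-rfhardened
if [ "$#" -eq 2 ]; then
  verify_preset "$1" "$2"
fi
```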
To customize how your workloads are hardened, you can specify a hardening preset.
- Light: Remove unused packages with high and critical severity vulnerabilities.
- Standard: Remove unused packages with known vulnerabilities.
- Aggressive (default): Remove all unused packages and files.
You can also specify any or all of the following hardening features in combination with a hardening preset:
- Keep Data Files: Keep all files that are not executable.
  rfharden <stub_image> --keep-data-files
- Keep Packages Coherent: Keep all package files for packages with at least one used executable file.
  rfharden <stub_image> --keep-pkgs-coherent