Advanced Hardening features
      Back to home
      1. RapidFort SASM Platform Documentation
      2. Quick Start Guide
      3. Advanced Hardening features

      Harden using presets

      Step-by-step tutorial on how to use hardening presets

      Part 1: Generate and Test/Exercise the Stub Image

      Step 1.1: Pull the Debian Image
      Pull the latest Debian image from Docker Hub.
       docker pull debian:latest
      Step 1.2: Generate a Stub Image
       rfstub debian:latest
      Step 1.3: Run the Stub Image
      Run the stub image. Be sure to add the SYS_PTRACE Linux kernel capability.
       docker run --rm -dt --name=rf-test --cap-add=SYS_PTRACE debian:latest-rfstub
      Step 1.4: Test the Stub Image
      Test the stub image so that RapidFort can trace the runtime behavior and generate the runtime profile.
      Executing this command in the stub image will ensure that ls -lrta is preserved in the hardened image so we can use it to verify files in our hardened image later. 
      docker exec -it rf-test bash -c "ls -lrta; echo testing"
      Step 1.5: Stop the Running Stub Instance 
      docker stop rf-test

      Part 2: Light Hardening

      Step 2.1: Harden with the light option
      Light hardening will remove unused packages with critical and high severity vulnerabilities and keep unused packages with medium, low, and unknown severity vulnerabilities as well as all used packages and files.
      Specify --preset light to harden using the light hardening preset. 
      rfharden --preset light debian:latest-rfstub
      Step 2.2: Verify package files are in the hardened image
      Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
      With light hardening, the unused package libsepol1 is expected to still be present in the hardened image since it has only low severity vulnerabilities.
      Run the following command to verify that this package has had its files preserved. 
      docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
      This will return usr/share/doc/libsepol1/copyright.

      Part 3: Standard Hardening

      Step 3.1: Harden with the standard option
      Standard hardening will remove unused packages with known vulnerabilities and keep packages with no known vulnerabilities as well as all used packages and files.
      Specify --preset standard to harden using the standard hardening preset. 
      rfharden --preset standard debian:latest-rfstub
      Step 3.2: Verify package files are not in the hardened image
      Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
      With standard hardening, the unused package libsepol1 is expected to have been removed from the hardened image since it has known vulnerabilities.
      Run the following command to verify that this package has had its files removed. 
      docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libsepol1/copyright"
      This will return No such file or directory.
      Step 3.3: Verify package files are in the hardened image
      With standard hardening, the unused package libcrypt1 is expected to still be present in the hardened image since it has no known vulnerabilities.
      Run the following command to verify that this package has had its files preserved. 
      docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
      This will return usr/share/doc/libcrypt1/copyright.

      Part 4: Aggressive Hardening

      Step 4.1: Harden with the aggressive option
      Aggressive hardening, which is the default hardening preset, will remove all unused packages and keep all used packages and files.
      Specify --preset aggressive to harden using the aggressive hardening preset. 
      rfharden --preset aggressive debian:latest-rfstub
      or 
      rfharden debian:latest-rfstub
      Step 4.2: Verify package files are not in the hardened image
      Visit the RapidFort dashboard. Select Packages and In Use to view packages that were kept in the hardened image.
      With aggressive hardening, the unused package libcrypt1 is expected to have been removed from the hardened image since it was not used during runtime tracing.
      Run the following command to verify that this package has had its files removed. 
      docker run --rm -it debian:latest-rfhardened bash -c "ls -lrta usr/share/doc/libcrypt1/copyright"
      This will return No such file or directory.
      Review
      To customize how your workloads are hardened, you can specify a hardening preset.
      •  Light: Remove unused packages with high and critical severity vulnerabilities.
      •  Standard: Remove unused packages with known vulnerabilities.
      •  Aggressive (default): Remove all unused packages and files.
      You can also specify any or all of the following hardening features in combination with a hardening preset:
      •  Keep Data Files: Keep all files that are not executable. 
      •  rfharden <stub_image> --keep-data-files
      •  Keep Packages Coherent: Keep all package files for packages with at least one used executable file. 
      •  rfharden <stub_image> --keep-pkgs-coherent