CLI tools
      Back to home
      1. RapidFort SASM Platform Documentation
      2. Client tools
      3. CLI tools

      rfharden

      Basic Usage

      To harden a stub image, run:
      rfharden <stub_image>
      For example:
      rfharden example.registry.com/my-repository:v1.2.3-rfstub
      Hardening a stub image requires the runtime profile to be available. The runtime profile is generated when running and tracing the stub image. RapidFort must have the runtime profile to determine which files were used.
      Another option is to use workload tags and reuse the profile for a stub image that has already been traced.
      If runtime profile information is not available when trying to harden a stub image, then you may see an error message similar to the following:
      General Error: Error: no stub instances have run yet...

       

      For more information on how to verify that profiling information is being propagated to RapidFort,  verify that profiling information is propagated to the RapidFort platform

      Hardened Image Tag

      By default, rfharden generates a hardened image with -rfhardened appended to the original image tag.
      For example, the following command will generate a hardened image called registry.example.com/my-repository:v1.2.3-rfhardened.
      rfharden registry.example.com/my-repository:v1.2.3-rfstub
      You may specify a different tag for the hardened image with -o <hardened_image_tag>:
      rfharden <registry>/<repository>:<tag> -o <hardened_image_tag>
      For example, the following command will generate a hardened image called registry.example.com/my-repository:my-hardened-tag:
      rfharden registry.example.com/my-repository:v1.2.3 -o my-hardened-tag
      If a RapidFort image (stub image or hardened image) with the same name already exists on the client system, then rfharden will automatically rename the existing RapidFort image.
      For example, if there is already a hardened image on the client system named registry.example.com/my-repository:v1.2.3-rfhardened and a new hardened image is generated with the same tag, then:
      • The existing hardened image will be renamed to registry.example.com/my-repository:v1.2.3-rfhardened-<rapidfort_id>
        • For example: registry.example.com/my-repository:v1.2.3-rfhardened-a0b1c2d3
      • The new hardened image will be named registry.example.com/my-repository:v1.2.3-rfhardened
      If a non-RapidFort image (original image) with the same name already exists on the client system, then it will be untagged.
      For example, if the original image is named registry.example.com/my-repository:v1.2.3 and a hardened image is generated with the same tag (-o v1.2.3), then the original image will be untagged and the hardened image will be named registry.example.com/my-repository:v1.2.3
       

      Workload Tags

      You may optionally specify one or more workload tags and/or RapidFort GUIDs to harden the image using the runtime profile information from the corresponding RapidFort jobs.
      rfharden <stub_image> -t <workload_tag0> -t <workload_tag1> ...
      rfharden <stub_image> -t <workload_tag0> -t <rapidfort_id0> -t <workload_tag1> ...
      When hardening an image with a workload tag, the profiles for all RapidFort IDs that are associated with the workload tag will be included by default.
      To exclude the profile associated with a specific RapidFort ID, specify -x <rapidfort_id>:
      rfharden <stub_image> -t <workload_tag> -x <rapidfort_id_to_exclude>

      For more information, please refer to Workload tags

      Hardening Options

      When profiling a stub image, RapidFort detects what is and is not in use. By default, RapidFort removes everything that was not used when hardening an image.
      You may specify a hardening preset to customize how your image is hardened.
      You may optionally instruct RapidFort to keep specific files and directories in the hardened image by creating a profile file that contains files and directories that you would like to keep and specifying -p <profile_file>:
      rfharden <stub_image> -p <profile_file>

      The profile file uses the gitignore Syntax

      Credentials File

      By default, rfharden expects the RapidFort credentials file to be located in ~/.rapidfort/credentials.
      To override this, specify -c <rapidfort_credential_file>:
      rfharden <stub_image> -c /path/to/rapidfort/credentials

      Next Steps

      Congratulations! You have optimized and secured your image.
      Deploy and test your hardened image. If your hardened image is missing dependencies that were not exercised while profiling your stub image, then please try the following:
      Run more tests on the stub image before hardening it again to update the profile. You can test and harden your stub image as many times as necessary.
      Refer to the hardening profiles guide to keep specific files and directories in the hardened image.

      You can reuse the hardening profile to harden other images. For more information, please refer to Workload tags

      To view and download reports, visit the RapidFort dashboard or run:

      rfinfo -s <rapidfort_guid>