bane - Custom & better AppArmor profile generator for Docker containers.

  •        7

AppArmor profile generator for docker containers. Basically a better AppArmor profile, than creating one by hand, because who would ever do that. For installation instructions from binaries please visit the Releases Page.

https://github.com/genuinetools/bane

Tags
Implementation
License
Platform

   




Related Projects

bane - Custom & better AppArmor profile generator for Docker containers.

  •    Go

AppArmor profile generator for docker containers. Basically a better AppArmor profile, than creating one by hand, because who would ever do that.sample.toml is a AppArmor sample config for nginx in a container.

contained.af - A stupid game for learning about containers, capabilities, and syscalls.

  •    Javascript

A game for learning about containers, capabilities, and syscalls. To add a question edit this file: frontend/js/questions.js.

DockerSlim (docker-slim) - Optimize and secure your Docker containers

  •    Go

Docker slim minify's and secure's Docker containers. Keep doing what you are doing. No need to change anything. Use the base image you want. Use the package manager you want. Don't worry about hand optimizing your Dockerfile. You shouldn't have to throw away your tools and your workflow to have small container images.

amicontained - Container introspection tool

  •    Makefile

Container introspection tool. Find out what container runtime is being used as well as features available. For installation instructions from binaries please visit the Releases Page.

reg - Docker registry v2 command line client and repo listing generator with security checks.

  •    Go

Docker registry v2 command line client and repo listing generator with security checks. For installation instructions from binaries please visit the Releases Page.


amicontained - Container introspection tool

  •    Go

Container introspection tool. Find out what container runtime is being used as well as features available.

img - Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.

  •    Go

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder. img is more cache-efficient than Docker and can also execute multiple build stages concurrently, as it internally uses BuildKit's DAG solver.

docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production

  •    Shell

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0. We are releasing this as a follow-up to our Understanding Docker Security and Best Practices blog post. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

dagda - a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities

  •    Python

Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities. In order to fulfill its mission, first the known vulnerabilities as CVEs (Common Vulnerabilities and Exposures), BIDs (Bugtraq IDs), RHSAs (Red Hat Security Advisories) and RHBAs (Red Hat Bug Advisories), and the known exploits from Offensive Security database are imported into a MongoDB to facilitate the search of these vulnerabilities and exploits when your analysis are in progress.

ecs-deploy - CLI tool to simplify Amazon ECS deployments

  •    Python

ecs-deploy simplifies deployments on Amazon ECS by providing a convinience CLI tool for complex actions, which are executed pretty often. Alternatively you can pass the AWS credentials (via --access-key-id and --secret-access-key) or the AWS configuration profile (via --profile) as options when you run ecs.

Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker

  •    

Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.

falco - Sysdig Falco: Behavioral Activity Monitoring With Container Support

  •    C++

Sysdig Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules. One of the questions we often get when we talk about Sysdig Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a blog post comparing Falco to other tools.

anchore - Legacy Anchore container analysis, inspection and control toolset

  •    Python

Anchore is a set of tools that provides visibility, transparency, and control of your container environment. With anchore, users can analyze, inspect, perform security scans, and apply custom policies to container images within a CI/CD build system, or used/integrated directly into your container environment. This repository contains the anchore analysis scanner tool (with a basic CLI interface), which can be appropriate for lower-level integrations - for new users and current users who have been looking to deploy Anchore as a centralized service with an API, an open source project called the Anchore Engine has been released (with its own light-weight client CLI) which extends the capabilities of anchore beyond what usage of this scanner tool alone can provide. The project page links are below, which include installation/quickstart instructions, API documents and usage guides.

Gorsair - Gorsair hacks its way into remote docker containers that expose their APIs.

  •    Go

Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access to the docker daemon, you can use Gorsair to directly execute commands on remote containers. Exposing the docker API on the internet is a tremendous risk, as it can let malicious agents get information on all of the other containers, images and system, as well as potentially getting privileged access to the whole system if the image uses the root user.

Anchore Engine - Centralized service for inspection, analysis and certification of container images

  •    Python

The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images. The Anchore engine is provided as a Docker container image that can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, Rancher or Amazon ECS. The Anchore engine can be accessed directly through a RESTful API or via the Anchore CLI.

Harbor - An enterprise-class container registry server based on Docker Distribution

  •    Go

Project Harbor is an enterprise-class registry server that stores and distributes Docker images. It extends the open source Docker Distribution by adding the functionalities usually required by an enterprise, such as security, identity and management. As an enterprise private registry, Harbor offers better performance and security.

cilium - HTTP, gRPC, and Kafka Aware Security and Networking for Containers with BPF and XDP

  •    Go

Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos. A new Linux kernel technology called BPF is at the foundation of Cilium. It supports dynamic insertion of BPF bytecode into the Linux kernel at various integration points such as: network IO, application sockets, and tracepoints to implement security, networking and visibility logic. BPF is highly efficient and flexible. To learn more about BPF, read more in our extensive BPF and XDP Reference Guide.

x11docker - Run GUI applications and desktops in docker. Focus on security.

  •    Shell

Graphical applications and desktops in docker are similar in usage to a Virtual Machine. They are isolated from host in several ways. It is possible to run applications that would not run on host due to missing dependencies. For example, you can run latest development versions or outdated versions of applications, or even multiple versions at the same time. Practical differences to a VM: Docker containers need much less resources. x11docker discardes containers after use. Persistant data and configuration storage is done with shared folders. Persistant container system changes can be done in Dockerfile. System changes in running containers are discarded after use.

runc - CLI tool for spawning and running containers according to the OCI specification

  •    Go

runc is a CLI tool for spawning and running containers according to the OCI specification.

devspace - Cloud Native Software Development with Kubernetes and Docker - simply run "devspace up" in any of your projects and start coding directly on top of Kubernetes (works with minikube, self-hosted and cloud-based clusters)

  •    Go

With a DevSpace, you can build, test and run code directly inside any Kubernetes cluster. You can run devspace up in any of your projects and the client-only DevSpace CLI will start a DevSpace within your Kubernetes cluster. Keep coding as usual and the DevSpace CLI will sync any code change directly into the containers of your DevSpace. No more waiting for re-building images, re-deploying containers and restarting applications on every source code change. Simply edit your code with any IDE and run your code instantly inside your DevSpace.