bane

MIT · Go · v0.4.4

A custom AppArmor profile generator for Docker containers that simplifies container security.

1.2k stars · 91 forks · 0 contributors

What is bane?

Bane is a custom AppArmor profile generator designed specifically for Docker containers. It automates the creation of security profiles that restrict container capabilities, such as filesystem access, network operations, and process execution. This tool solves the problem of manually crafting complex AppArmor rules, which is tedious and error-prone, by generating profiles from simple configuration files.

Target Audience

System administrators, DevOps engineers, and security-focused developers who deploy Docker containers in production and need to enforce strict security policies without manual AppArmor configuration.

Value Proposition

Developers choose Bane because it drastically simplifies AppArmor profile management for Docker, offering a declarative configuration approach that reduces human error and saves time compared to writing profiles by hand. Its seamless Docker integration and focus on practical security make it a pragmatic tool for hardening containers.

Overview

Custom & better AppArmor profile generator for Docker containers.

Use Cases

Best For

  • Hardening Docker containers with custom AppArmor policies
  • Automating security profile generation for containerized applications
  • Restricting container capabilities to prevent privilege escalation
  • Auditing filesystem access and write operations in containers
  • Enforcing least-privilege security models in Docker deployments
  • Simplifying AppArmor configuration for DevOps teams

Not Ideal For

  • Environments using SELinux or other Linux Security Modules instead of AppArmor
  • Teams wanting fully automated, zero-configuration security without manual TOML file setup
  • Dynamic container workloads requiring runtime security policy updates without profile recompilation

Pros & Cons

Pros

Automated Profile Creation

Generates AppArmor profiles from simple TOML files, eliminating the need to write complex AppArmor syntax manually, as demonstrated in the sample.toml config for nginx.

Flexible Filesystem Control

Supports file globbing patterns (e.g., wildcards, directory exclusions) for defining allowed or denied paths, enabling fine-grained access control without hardcoding every file.

Seamless Docker Integration

Installs profiles directly and applies them with Docker's --security-opt flag, making it easy to enforce security on running containers without extra steps.

Enhanced Security Auditing

Includes LogOnWritePaths for configurable logging of write operations, helping monitor and debug security events, as shown in the dmesg output examples.

Cons

AppArmor Dependency

Only works on Linux systems with AppArmor enabled, making it unsuitable for environments using SELinux or other security modules, which limits its portability.

Manual Configuration Overhead

Requires users to write and maintain TOML configuration files, which can be error-prone and demands a good understanding of the container's security needs and AppArmor concepts.

Proof-of-Concept Limitations

Originally a proof of concept for Docker integration, as noted in the README, implying it might lack full production-ready features, active maintenance, or native Docker engine support.

Quick Stats

Stars: 1,232
Forks: 91
Contributors: 0
Open Issues: 3
Last commit: 5 years ago
Created: Since 2015

Tags

#container-security #devops #docker-security #apparmor #security-hardening #cli-tool #security #system-administration #linux-security #docker #cli #linux #opencontainers #containers #go

Built With

Go

Included in

Containers · 2.0k
Auto-fetched 1 day ago

Related Projects

gvisor

Application Kernel for Containers

Stars: 18,521
Forks: 1,635
Last commit: 2 days ago

Docker bench security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Stars: 9,655
Forks: 1,039
Last commit: 10 days ago

goss

Quick and Easy server testing/validation

Stars: 5,904
Forks: 490
Last commit: 6 days ago

docker-explorer

A tool to help forensicate offline docker acquisitions

Stars: 554
Forks: 45
Last commit: 1 year ago