How do I install Bane on Ubuntu?

Download pre-built binaries from the Releases page or install via Go with `go get`. For Ubuntu, you may need to manually place the binary in your PATH and ensure AppArmor is installed and running.

Can Bane be used with Kubernetes?

Yes, but indirectly. Generate profiles with Bane, load them on Kubernetes nodes, and reference them in pod security contexts. It requires manual integration, as Bane doesn't have native Kubernetes support.

Bane vs writing AppArmor profiles manually – which is better?

Bane is better for quickly generating profiles with fewer errors using a TOML config. Manual writing offers more fine-grained control for complex rules, but is time-consuming and error-prone.

How to audit container activities with Bane?

Use the `LogOnWritePaths` option in your TOML config to log write operations. Check dmesg or system logs for entries, as shown in the sample output, to monitor security events.

Does Bane support SELinux?

No, Bane is specifically designed for AppArmor and does not support SELinux or other MAC systems. You'd need a different tool for SELinux policies.

What file globbing patterns does Bane support?

Bane supports various glob patterns like `/dir/*`, `/dir/**`, and more, as detailed in the README's file globbing table, allowing flexible definition of file and directory permissions.

Open-Awesome

Bane

MITGov0.4.4

A custom AppArmor profile generator for Docker containers that simplifies security configuration.

GitHub

1.2k stars91 forks0 contributors

What is Bane?

Bane is a custom AppArmor profile generator for Docker containers. It automates the creation of security profiles that restrict container capabilities, file access, and network operations. The tool solves the problem of manually writing complex AppArmor profiles, making container security more manageable and less error-prone.

Target Audience

System administrators, DevOps engineers, and security professionals who deploy Docker containers and need to enforce strict security policies using AppArmor.

Value Proposition

Developers choose Bane because it simplifies AppArmor profile generation with a declarative configuration, reducing manual effort and potential security gaps. Its seamless Docker integration and automatic installation make it a practical tool for hardening containerized applications.

Overview

Custom & better AppArmor profile generator for Docker containers.

Use Cases

Best For

Generating AppArmor profiles for Docker containers without manual coding
Restricting container capabilities and file system access in production environments
Auditing and logging write operations within secured containers
Hardening web servers like Nginx running in Docker
Implementing least-privilege security models for containerized applications
Automating security profile deployment in CI/CD pipelines

Not Ideal For

Teams using SELinux or other mandatory access control systems instead of AppArmor
Environments requiring dynamic, runtime-modifiable security policies for containers
Projects integrated with Kubernetes or other orchestrators needing out-of-the-box security profile management

Pros & Cons

Pros

Declarative Configuration

Uses a simple TOML file to define permissions, as shown in sample.toml, eliminating the need to write complex AppArmor syntax manually.

Automatic Profile Installation

Installs generated profiles directly into `/etc/apparmor.d/containers/` and runs `apparmor_parser`, streamlining deployment without manual steps.

Seamless Docker Integration

Profiles are designed to work with Docker's `--security-opt` flag, making it easy to apply security to containers, as demonstrated in the usage examples.

Audit Logging Support

Includes `LogOnWritePaths` to log write operations, with sample dmesg output provided, aiding in monitoring and debugging security events.

Cons

Limited to AppArmor and Docker

Bane only generates AppArmor profiles and is tailored for Docker, making it unsuitable for SELinux systems or other container runtimes like Podman without adaptation.

Static Profile Generation

Profiles are generated from static TOML files and require regeneration for changes, lacking support for dynamic policy updates during container runtime.

Requires Root Privileges

Installation and profile application require sudo/root access, which can complicate deployment in automated or restricted environments, as noted in the installation commands.

Frequently Asked Questions

Related Projects

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Stars34,748

Forks326

Last commit5 days ago

Grype

A vulnerability scanner for container images and filesystems

Stars12,103

Forks792