Top 11 Apparmor Open-Source Projects
- Lean and Mean Docker containers
  Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more), making it more secure too! (free and open source)
- Certified-Kubernetes-Security-Specialist
  Curated resources to help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" certification exam. Please provide feedback or requests by raising issues or making a pull request. All feedback for improvements is welcome. Thank you.
- amicontained
  Container introspection tool. Find out which container runtime is being used and which features are available.
- Perfect-Ubuntu-Guide
  Ubuntu Guide. Learn about getting your Ubuntu Desktop/Server ready for development, including Ubuntu security, graphics (AMD/NVIDIA/Intel ARC), and software apps.
And if you want to make the container quickly secure without bloat, maybe give this a try: https://github.com/slimtoolkit/slim
Project mention: Sandboxing All the Things with Flatpak and BubbleBox | news.ycombinator.com | 2024-04-14
If anyone wants to look further into sandboxing applications on Linux, you can also look at AppArmor and the sandboxing features built into systemd.
I love this repository for bases for AppArmor profiles[1], really good work. Never found a repository as good for systemd, but there are a few around.
[1] https://github.com/roddhjav/apparmor.d
Project mention: CoolRune - An easy way to setup Artix Linux automatically | /r/coolgithubprojects | 2023-06-22
```ini
# /etc/systemd/system/nginx.service
# Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service

[Unit]
# This is from the default nginx.service
Description=nginx (hardened rootless)
Documentation=https://nginx.org/en/docs/
Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
# forking is not necessary as `daemon` is turned off in the nginx config
Type=exec
User=nginx
Group=nginx
## can be used e.g. for accessing directory containing SSL certs
#SupplementaryGroups=acme
# define runtime directory /run/nginx as rootless services can't access /run
RuntimeDirectory=nginx
# write logs to /var/log/nginx
LogsDirectory=nginx
# write cache to /var/cache/nginx
CacheDirectory=nginx
# configuration is in /etc/nginx
ConfigurationDirectory=nginx
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# PID is not necessary here as the service is not forking
ExecReload=/usr/sbin/nginx -s reload
Restart=on-failure
RestartSec=10s

# Hardening
# hide the entire filesystem tree from the service and also make it read only, requires systemd >=238
TemporaryFileSystem=/:ro
# Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base,
# https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx,
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory=
#
# This gives access to (probably) necessary system files, allows journald logging
BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify
# Additional access to service-specific directories
BindReadOnlyPaths=/usr/sbin/nginx
BindReadOnlyPaths=/run/ /usr/share/nginx/
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Network access
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Miscellaneous
SystemCallArchitectures=native
# also implicit because settings like MemoryDenyWriteExecute are set
NoNewPrivileges=true
MemoryDenyWriteExecute=true
ProtectKernelLogs=true
LockPersonality=true
ProtectHostname=true
RemoveIPC=true
RestrictSUIDSGID=true
ProtectClock=true
# Capabilities to bind low ports (80, 443)
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
Apparmor related posts
- Sandboxing All the Things with Flatpak and BubbleBox
- Is updating software in Docker containers useful?
- Anyone writes AppArmor profiles?
- AppArmor and Profile Inheritance
- How would you sandbox shady PDF files from the internet?
- OpenSUSE Tumbleweed Security – firewall, fail2ban, apparmor
- FOSS alternative to Teamviewer
Index
What are some of the best open-source Apparmor projects? This list will help you:
# | Project | Stars
---|---|---
1 | Lean and Mean Docker containers | 18,194
2 | Certified-Kubernetes-Security-Specialist | 1,918
3 | amicontained | 947
4 | security-profiles-operator | 648
5 | apparmor.d | 365
6 | Perfect-Ubuntu-Guide | 205
7 | apparmor-profiles | 30
8 | CoolRune | 23
9 | kapparmor | 9
10 | apparmor-profiles | 6
11 | apparmor-profiles | 2