Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →
Top 11 Apparmor Open-Source Projects
-
Lean and Mean Docker containers
Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
-
Certified-Kubernetes-Security-Specialist
Curated resources help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" Certification exam. Please provide feedback or requests by raising issues, or making a pull request. All feedback for improvements are welcome. thank you.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
amicontained
Container introspection tool. Find out what container runtime is being used as well as features available.
-
-
Perfect-Ubuntu-Guide
Ubuntu Guide. Learn about getting your Ubuntu Desktop/Server ready for development. Including Ubuntu Security, Graphics (AMD/NVIDIA/Intel ARC), and Software Apps.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
And if you want to make the container quickly secure without bloats, maybe give this a try https://github.com/slimtoolkit/slim
Project mention: Sandboxing All the Things with Flatpak and BubbleBox | news.ycombinator.com | 2024-04-14If anyone want to look further into sandboxing applications on Linux, you can also look at AppArmor and the sandboxing features built into systemd.
I love this repository for bases for AppArmor profiles[1], really good work. Never found a repository as good for systemd, but there are a few around.
[1] https://github.com/roddhjav/apparmor.d
Project mention: CoolRune - An easy way to setup Artix Linux automatically | /r/coolgithubprojects | 2023-06-22
# /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
NOTE:
The open source projects on this list are ordered by number of github stars.
The number of mentions indicates repo mentiontions in the last 12 Months or
since we started tracking (Dec 2020).
Apparmor related posts
-
Sandboxing All the Things with Flatpak and BubbleBox
-
Is updating software in Docker containers useful?
-
Anyone writes AppArmor profiles?
-
AppArmor and Profile Inheritance
-
How would you sandbox shady PDF files from the internet?
-
OpenSUSE Tumbleweed Security – firewall, fail2ban, apparmor
-
FOSS alternative to Teamviewer
-
A note from our sponsor - InfluxDB
www.influxdata.com | 4 May 2024
Index
What are some of the best open-source Apparmor projects? This list will help you:
| Project | Stars | |
|---|---|---|
| 1 | Lean and Mean Docker containers | 18,194 |
| 2 | Certified-Kubernetes-Security-Specialist | 1,918 |
| 3 | amicontained | 947 |
| 4 | security-profiles-operator | 648 |
| 5 | apparmor.d | 365 |
| 6 | Perfect-Ubuntu-Guide | 205 |
| 7 | apparmor-profiles | 30 |
| 8 | CoolRune | 23 |
| 9 | kapparmor | 9 |
| 10 | apparmor-profiles | 6 |
| 11 | apparmor-profiles | 2 |
Sponsored
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com