Docker Bench for Security alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

67

360-FAAR

Supported firewall configurations

  • Checkpoint FW1
  • Cisco ASA
  • Netscreen ScreenOS

100

Anchore

Anchore is a toolkit to perform in-depth container analysis, inspection, and controlling them. Among security scanning, it can do a wide range of functions.

Project details

Anchore is written in Python.

Strengths and weaknesses

  • + Commercial support available
  • + The source code of this software is available

    Typical usage

    • System hardening

    Anchore project page

    85

    bane

    The bane tool is an AppArmor profile generator for Docker containers. It helps with creating the appropriate profile for confinement on system level.

    With bane it becomes much easier to create an AppArmor profile. It works by running a Docker container while bane monitors it. Any required permissions will then be stored in the profile.

    Project details

    bane is written in Golang.

    Strengths and weaknesses

    • + The source code of this software is available

      Typical usage

      • Security monitoring
      • System hardening

      bane project page

      78

      Clair

      Clair is an open source container analyzer. It performs static analysis of container images and correlates their contents with public vulnerability databases.

      The tool has been created by CoreOS and can scan containers of different formats. It analyzes them and determines available security weaknesses in the container.

      Project details

      Clair is written in Golang.

      Strengths and weaknesses

      • + The source code of this software is available

        Typical usage

        • Security assessment
        • Vulnerability scanning

        Clair project page

        64

        DFWFW (Docker Firewall Framework)

        DFWFW, short of Docker Firewall Framework, offers easy administration of the iptables rules of Docker containers. It updates using event streams.

        Project details

        DFWFW is written in Perl.

        Strengths and weaknesses

        • + The source code of this software is available
        • - Full name of author is unknown

        Typical usage

        • Firewall management

        DFWFW project page

        64

        Docker Bench (by Aqua)

        Project details

        Docker Bench (by Aqua) is written in Golang.

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Configuration audit

        Docker Bench (by Aqua) project page

        64

        Dockerscan

        Dockerscan is a Docker toolkit for security analysis which includes attacking tools. It is more focused on side of the offensive than defensive.

        Project details

        Dockerscan is written in Python.

        Strengths and weaknesses

        • + More than 500 GitHub stars
        • + The source code of this software is available

          Typical usage

          • Information gathering
          • Security assessment
          • Vulnerability scanning

          Dockerscan project page

          64

          JShielder

          JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.

          Project details

          JShielder is written in Python, shell script.

          Strengths and weaknesses

          • + Used language is shell script
          • + The source code of this software is available

            Typical usage

            • System hardening

            JShielder project page

            64

            LUNAR

            LUNAR is a security scanner that runs on a Linux system or other flavors of Unix. It provides insights on what can be done to harden the system.

            LUNAR is short for Lockdown UNix Auditing and Reporting and runs on the system itself.

            Project details

            LUNAR is written in shell script.

            Strengths and weaknesses

            • + The source code of this software is available

              Typical usage

              • Security assessment
              • Self-assessment
              • System hardening

              LUNAR project page

              100

              Lynis

              Lynis is a security auditing tool for systems running Linux, macOS, or Unix. It can be used for security assessments and configuration audits.

              Lynis is an open source security auditing tool that is available since 2007 and created by Michael Boelen. Its primary goal is to evaluate the security defenses of systems running Linux or other flavors of Unix. It provides suggestions to install, configure, or correct any security measures.

              Project details

              Lynis is written in shell script.

              Strengths and weaknesses

              • + Commercial support available
              • + More than 50 contributors
              • + More than 4000 GitHub stars
              • + Used language is shell script
              • + Very low number of dependencies
              • + Project is mature (5+ years)
              • + The source code of this software is available

                Typical usage

                • IT audit
                • Penetration testing
                • Security assessment
                • System hardening

                Lynis project page

                78

                Nix-Auditor

                Nix-Auditor is a tool to help with scanning Linux systems and test them against CIS benchmarks.

                This fairly new tool is written in shell script to scan Linux systems with the focus on security auditing.

                Project details

                Nix-Auditor is written in shell script.

                Strengths and weaknesses

                • + Used language is shell script
                • - Full name of author is unknown
                • - Unknown project license

                Nix-Auditor project page

                85

                Prowler

                Prowler is a security tool to perform security audits on AWS configurations. It helps to find configuration flaws and improve system hardening.

                Project details

                Prowler is written in shell script.

                Strengths and weaknesses

                • + The source code of this software is available

                  Typical usage

                  • Security assessment
                  • System hardening

                  Prowler project page

                  84

                  Scout2

                  Scout2 is a security tool to assess the security of an AWS environment. It can be used for system hardening and IT audits.

                  Project details

                  Scout2 is written in Python.

                  Strengths and weaknesses

                  • + More than 10 contributors
                  • + More than 500 GitHub stars

                    Typical usage

                    • IT audit
                    • Security assessment
                    • Self-assessment
                    • System hardening

                    Scout2 project page

                    64

                    seccheck

                    Seccheck is a security scanner for Linux systems. It is originally written for SuSE Linux by Marc Heuse.

                    Project details

                    seccheck is written in shell script.

                    Strengths and weaknesses

                    • + The source code of this software is available
                    • - Project looks outdated (old code or documentation)

                    Typical usage

                    • Security assessment
                    • System hardening

                    seccheck project page

                    85

                    ssh_scan

                    The ssh_scan utility is a SSH configuration and policy scanner maintained by the Mozilla Foundation. It helps to secure Linux systems running the OpenSSH.

                    This tool is light on its dependencies, as it only uses Ruby and BinData. The scanner is simple to use, as it is limited in the number of parameters and options. There is also the ability to show the results on the screen or export the data to a JSON file. The latter is great if you want to do further processing of the details, or simply store them for later comparison.

                    Project details

                    ssh_scan is written in Ruby.

                    Strengths and weaknesses

                    • + More than 10 contributors
                    • + Many releases available
                    • + The source code of this software is available
                    • + Supported by a large company

                      Typical usage

                      • Penetration testing
                      • Security assessment
                      • System hardening
                      • Vulnerability scanning

                      ssh_scan project page

                      85

                      subuser

                      Subuser is a tool that allows commands to be executed with restrictions. It works on Linux and can increase security by lowering access levels.

                      Project details

                      subuser is written in Python.

                      Strengths and weaknesses

                      • + More than 10 contributors
                      • + More than 500 GitHub stars
                      • + The source code of this software is available

                        Typical usage

                        • Software testing

                        subuser project page

                        59

                        Tiger

                        Tiger a security audit and intrusion detection tool for flavors of Unix

                        Project details

                        Tiger is written in shell script.

                        Strengths and weaknesses

                        • + Used language is shell script
                        • + The source code of this software is available
                        • - No updates for a while

                        Typical usage

                        • Intrusion detection
                        • IT audit
                        • System hardening
                        • Vulnerability scanning

                        Tiger project page

                        85

                        VHostScan

                        VHostScan is a security tool that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases, and dynamic default pages.

                        Project details

                        VHostScan is written in Python.

                        Strengths and weaknesses

                        • + The source code of this software is available

                          Typical usage

                          • Penetration testing
                          • Reconnaissance

                          VHostScan project page

                          74

                          YASAT

                          YASAT describes itself as another simple stupid audit tool to test Linux systems. It has many tests for checking the security configuration of the system.

                          The YASAT tool performs a system scan to detect configuration issues and possible improvements for hardening the system.

                          Project details

                          YASAT is written in shell script.

                          Strengths and weaknesses

                          • + Used language is shell script
                          • - No updates for a while

                          Typical usage

                          • IT audit
                          • Security assessment

                          YASAT project page

                          64

                          Zeus

                          Zeus is a security tool to provide security audits on AWS environments. It is written in shell script and can be used for security audits.

                          Project details

                          Zeus is written in shell script.

                          Strengths and weaknesses

                          • + Used language is shell script
                          • + The source code of this software is available

                            Typical usage

                            • Security assessment
                            • Self-assessment
                            • System hardening

                            Zeus project page

                            The tool with the highest score in this overview is Lynis. It might be a good candidate to replace Docker Bench for Security.