FAQ Group: mandos
-
Mandos Limitations
Application Whitelisting with Mandos is an effective way to prevent unwanted applications from executing. But it must be made clear that there are limitations to what the Application Whitelister can do. This section explains some limitations. Mandos blocks execution (execve() and variants). Mandos doesn’t block dynamic libraries loaded with dlopen(), libraries on disk that have…
-
Offline License Registration
There are times when you don’t have access to the Internet to register a Linux system, such as an air-gapped network. The following demonstrates how you can register a Linux system without that system having Internet. You will need a system that does have Internet access, such as the one you’re using. You will need…
-
Error Messages Explained – Licensing & Registration
The following explains the error messages the license server may return when you register a Linux system.
ERROR: Client ID unknown
The above: The license number that was used to register the Linux system is not known to the license server. In other words, you’re using the wrong client…
-
Mandos Syslog Event Example
The following are example Syslog entries for two commands. The first copies a program to a new location, and the second is an attempt to execute the copy. The first command copies the “/usr/bin/cat” program to “/tmp”. It is the “cp” command that is assessed. This action is permitted.
[root@localhost ~]# cp /usr/bin/cat /tmp/
[root@localhost…
-
Remote Configuration Files for Mandos and Vogan
Both Mandos and Vogan support remote configuration files. For example:
include https://webserver.local/mandos.conf
An example configuration file for Mandos is:
mode permit
include https://webserver.local/mandos.conf
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "/tmp" deny
directory "/bin" permit
directory "/sbin" permit
directory "/usr/bin" permit
directory "/usr/sbin" permit
An example configuration file for Vogan is:
include https://webserver.local/vogan.conf
network_addresses=127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
restricted_groups=root…
-
Starting and Stopping Mandos
Mandos is managed with Systemd. The following commands are accepted:
systemctl enable mandosd
systemctl start mandosd
systemctl stop mandosd
systemctl restart mandosd
systemctl disable mandosd
-
Installing mandos
Make sure to use the version suitable for your region. Each region has its own license server(s) and therefore its own tool versions. Download both Mandos packages from the customer portal.
Ubuntu:
sudo dpkg -i mandos-dkms_<region>-<version>_amd64.deb
sudo dpkg -i mandos_<region>-<version>_amd64.deb
Review the configuration file:
sudo cat /opt/cyber-compliance/etc/mandos.conf
Obtain and apply the license:
sudo /opt/cyber-compliance/bin/licreq…
-
Uninstalling Mandos
The following example commands remove the Mandos package. Remember to back up the license file located at “/opt/cyber-compliance/etc/license.dat”.
# Debian/Ubuntu and similar:
dpkg -r mandos-dkms
dpkg -r mandosd
# Redhat and similar:
rpm -e mandos-dkms
rpm -e mandosd
-
Managing the Mandos Configuration file
The Mandos configuration file in “/opt/cyber-compliance/etc/mandos.conf” can include a remote location from which additional rules are included. The following is an example of the configuration file where a remote location is included.
mode permit
# include https://webserver.local/mandos.conf
# audit "/dev/null"
# loglevel all
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "%home%/Downloads" deny
directory "/tmp"…
-
Compliance with Mandos
With Mandos, you can combine the following:
- Allow one or many applications to execute based on the file hash.
- Deny one or many applications to execute based on the file hash.
- Allow application execution based on directory (including sub-directories).
- Allow application execution based on directory (including sub-directories).
- Configure a default rule that matches if none…