Self Service Help & FAQs
Support for Mission Critical Environments
If you need more help and support along the way, consider purchasing a support package. Contact your preferred reseller for more information.
Are these tools limited to Defence compliance?
Authentication and MFA
The Customer Portal requires MFA to complete the authentication process. Note that this is not enforced immediately, but end-users are reminded to enrol on each login. The MFA works with Google Authenticator, Microsoft Authenticator, and possibly other smart-phone apps.
Can’t the System Administrator bypass these tools?
This is an integrity problem, not a technical problem. A system administrator can (often) technically do anything they like, no matter which tools they use.
So what can be done about this?
- Limit which users can become root (sudo).
- Log what system administrators do. And log centrally. Our tools log to the local syslog service.
- Ensure system administrators know what they can and cannot do. Consider it a policy violation to bypass compliance measures.
Cancellation Policy
End customers purchase licenses and support packages through preferred partners. Disputes must be made directly with the preferred partner. However, we care about your experience with our software and services, and therefore we will attempt to assist within limits. Please contact your preferred partner first, and then contact our sales team (sales@agixlinux.com) if you need further assistance.
AGIX Linux has a dispute resolution process that is a case-by-case review. Please contact our sales team at sales@agixlinux.com for more information or to start the dispute process.
Compliance with mandos
With mandos, you can combine the following:
- Allow one or many applications to execute based on the file hash.
- Deny one or many applications to execute based on the file hash.
- Allow application execution based on directory (including sub-directories).
- Deny application execution based on directory (including sub-directories).
- Configure a default rule that matches if none of the above match.
The following list shows the order by which rules are applied:
- An explicit hash match
- An explicit file match
- An explicit directory match
- The mode the daemon is running in (permit or enforce)
For more information, see “Managing the mandos configuration file” in this FAQ list.
Compliance with vogan
vogan is all about compliance. We want to help Linux system administrators and their organisations comply with their relevant regulations. Each country and industry has requirements that must be complied with, and vogan’s primary goal is compliance.
The goal is to ensure: “Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.”
- Easily specify which groups of users are restricted to which networks and IP addresses.
- Simple to install with just a few commands.
- Works on all major Linux distributions.
- Keep configuration files local, or place them centrally on your web server.
- Easy to understand license model.
- Functional and simple customer portal for license management and tool downloads.
- No “features” you don’t need.
- Excellent support team to back you up.
Contacting AGIX Linux
Our primary means of contact is via email. The appropriate email addresses are located within the relevant sections of this website. Once an email has been received, the responsible team member may respond via email or phone, depending on the matter.
Customer Portal Storage, Transmission and Security
The Customer Portal has the following security features to protect End-Customer data:
- Customers are encouraged (reminded at each login) to enrol in MFA.
- Encryption in Transit: Communications to Customer Portal servers are encrypted using HTTPS. Emails may be encrypted in transit (our servers support it) and may take routes outside of any given Customer Portal region.
- Encryption at Rest: Full-disk encryption is used for Customer Portal servers.
Data Collection
AGIX Linux limits data collection to only what is needed to provide services to the level expected by our customers. The following list outlines this:
- Login details to the Customer Portal.
- IP addresses and related network activity for the Customer Portal and application registrations.
- Contact and identification details for customers and resellers.
AGIX Linux does not share or sell specific end-user or reseller information. General behaviours may be shared in a summary format, but never identifying a specific end-customer.
Dispute Resolution
AGIX Linux will handle disputes with end-customers and resellers in accordance with the terms and conditions, and the appropriate agreements agreed to by all relevant parties. AGIX Linux will respond with integrity and in good faith. AGIX Linux expects the same from end-customers and resellers.
Disputes may be submitted to the following email address:
Do these tools guarantee compliance?
Compliance is typically reached when the regulatory body (or a delegate) deems it so. There is generally a combination of compliance sub-goals that need to be achieved in order to reach compliance. Some goals are technical while others are administrative. Our tools go a long way to assisting in the compliance journey. They solve specific technical concerns that we know are difficult to solve. Our tools are a component in a larger agenda.
Identity Management For Support
AGIX Linux requires resellers and end-customers to provide sufficient information to AGIX Linux to ensure proper authentication and authorisation. Authentication information may include the following to satisfy AGIX Linux of the validity of the End-Customer or Reseller:
- Full name,
- Contact details,
- Organisation name and related details,
- End-Customer identification number,
- Reseller identification number,
- Payment and/or invoice history,
- Customer Portal login username,
- Confirmation correspondence such as via SMS or Email.
For continued access to the Customer Portal, the End-Customer should:
- Designate an alternative authorised contact via the Customer Portal.
- Note the End-Customer identification number from the Customer Portal.
- Securely record End-Customer login credentials sufficient for account access recovery.
For further assistance, contact the support team:
Installing mandos
Make sure to use the version suitable for your region. Each region has its own license server(s) and therefore its own tool versions.
Download the mandos package from the customer portal. Once downloaded, extract the package and run the installer script. See below:
# Debian/Ubuntu and similar:
dpkg -i mandos-dkms_<region>-<version>_amd64.deb
dpkg -i mandos_<region>-<version>_amd64.deb
# Redhat and similar:
rpm -ihv mandos-dkms_<region>-<version>_amd64.rpm
rpm -ihv mandos_<region>-<version>_amd64.rpm
# Optionally update the PATH variable:
PATH=$PATH:/opt/cyber-compliance/bin
At this point mandos is installed but no rules have been applied.
Edit the default configuration file first. It’s possible that no changes need to be made. But it’s a good idea to at least familiarise yourself with the options.
cat /opt/cyber-compliance/etc/mandos.conf
IMPORTANT: Make sure to download a license using “licreq”. See the example below:
/opt/cyber-compliance/bin/licreq --client <license-key>
cp /tmp/license.dat /opt/cyber-compliance/etc/license.dat
To apply the mandos rules, issue the command:
systemctl restart mandosd
Remember to test on a pre-production (test) system first.
Installing vogan
Make sure to use the version suitable for your region. Each region has its own license server(s) and therefore its own tool versions.
Download the vogan package from the customer portal. Once downloaded, extract the package and run the installer script. See below:
# Debian/Ubuntu and similar:
dpkg -i vogan_<region>-<version>_amd64.deb
# Redhat and similar:
rpm -ihv vogans_<region>-<version>_amd64.rpm
# Optionally update the PATH variable:
PATH=$PATH:/opt/cyber-compliance/bin
At this point vogan is installed but no rules have been applied.
Edit the default configuration file first. It’s possible that no changes need to be made. But it’s a good idea to at least familiarise yourself with the options.
cat /opt/cyber-compliance/etc/vogan.conf
IMPORTANT: Make sure to download a license using “licreq”. See the example below:
/opt/cyber-compliance/bin/licreq --client <license-key>
cp /tmp/license.dat /opt/cyber-compliance/etc/license.dat
To apply the vogan rules, issue the command:
vogan -a apply
Remember to test on a pre-production (test) system first.
Licencing Overview
The Cyber-Compliance tools require a license to use. Within the customer portal, you can see your seat allocation. The following points should provide you with the information you need to understand our license model.
- In order to use the tools, you first purchase seats. Each seat allows you to register one or more tools to a Linux system.
- If you want multiple tools installed on a single Linux host, you need only one license seat.
- We offer 5 trial seats. The trial seats will expire 14 days from the date of your customer portal activation.
- Seats can be purchased in any quantity starting at 5. Seats expire 1 year from the date of allocation. Additional seats can be purchased on a pro-rata arrangement.
- Seats can be extended for an additional year at any time. Organise the renewal with your preferred reseller.
- Each seat you allocate is assigned to a single Linux system. The Linux system’s characteristics (such as the MAC address and Machine ID) are used to match the seat to the host. Changes to your Linux system may invalidate the license.
- From within your customer portal, you can un-assign any allocated seats from an existing Linux system. This process marks the original Linux system as “disabled”. Any seats previously allocated to the disabled Linux system are returned to the pool. If a disabled Linux system is ever enabled, it will require an available seat to be allocated to it.
License and Registration
The Cyber-Compliance tools need a license file before use. One license file is used for both vogan and mandos.
The following commands demonstrate the registration process:
/opt/cyber-compliance/bin/licreq --client <license-key>
cp /tmp/license.dat /opt/cyber-compliance/etc/license.dat
The tools should be ok to use at this point. If not, an error should present you with a hint as to what went wrong.
Managing the mandos Configuration file
The mandos configuration file in “/opt/cyber-compliance/etc/mandos.conf” can include a remote location from where additional rules can be included. The following is an example of the configuration file where a remote location is included.
mode permit
include https://webserver.local/mandos.conf
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "/tmp" deny
directory "/bin" permit
directory "/sbin" permit
directory "/usr/bin" permit
directory "/usr/sbin" permit
The configuration file is read in order. The first rule overrides later rules. In the example above, the rules found in the remote configuration file will override those that follow it. If the included remote location does not exist or cannot be retrieved, it will be ignored, and the remaining rules in the local configuration file will take effect.
The following list shows the order by which rules are applied:
- An explicit hash match
- An explicit file match
- An explicit directory match
- The mode the daemon is running in (permit or enforce)
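The following is an added example, not mandos code: a small model of the rule order described above, showing how the decision for the same file changes when the included remote file cannot be retrieved. It assumes that "permit" mode allows unmatched files and "enforce" denies them; the `fetch` callable and `REMOTE_CONF` are constructed for the illustration, and file rules are left out because this FAQ does not show their syntax.

```python
import re
from pathlib import PurePosixPath

RULE = re.compile(r'^(hash|directory)\s+"([^"]+)"\s+(permit|deny)$')

# The FAQ's example configuration, one rule per line.
LOCAL_CONF = '''\
mode permit
include https://webserver.local/mandos.conf
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "/tmp" deny
directory "/bin" permit
directory "/sbin" permit
directory "/usr/bin" permit
directory "/usr/sbin" permit
'''
# Constructed remote file, used only to show the effect of the include.
REMOTE_CONF = 'directory "/usr/bin" deny\n'


def parse(text, fetch):
    """Return (mode, rules). fetch(url) returns remote text, or None on failure."""
    mode, rules = "enforce", []  # assumption: no mode line means enforce
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "mode":
            mode = rest.strip()
        elif word == "include":
            remote = fetch(rest.strip())
            if remote is not None:  # an unreachable include is skipped
                # Remote rules land at the include's position; nested includes
                # and a remote "mode" line are not followed in this model.
                rules.extend(parse(remote, lambda url: None)[1])
        else:
            match = RULE.match(line)
            if match is None:
                raise ValueError(f"unrecognised rule: {line!r}")
            rules.append(match.groups())
    return mode, rules


def decide(mode, rules, path, file_hash):
    """Apply the documented precedence: hash, then directory, then mode."""
    parents = PurePosixPath(path).parents
    for kind in ("hash", "directory"):
        for rule_kind, value, action in rules:  # first match of a kind wins
            if rule_kind != kind:
                continue
            if kind == "hash" and value.lower() == file_hash.lower():
                return action, f'hash "{value}"'
            if kind == "directory" and PurePosixPath(value) in parents:
                return action, f'directory "{value}"'
    # Assumption: "permit" mode allows unmatched files, "enforce" denies them.
    return ("permit" if mode == "permit" else "deny"), f"mode {mode}"


def evaluate(path, file_hash, remote_reachable):
    """Decide for one file, with the include either retrievable or not."""
    fetch = (lambda url: REMOTE_CONF) if remote_reachable else (lambda url: None)
    mode, rules = parse(LOCAL_CONF, fetch)
    return decide(mode, rules, path, file_hash)


if __name__ == "__main__":
    unknown = "0" * 64  # constructed hash that matches no rule
    for reachable in (True, False):
        print(reachable, evaluate("/usr/bin/curl", unknown, reachable))
```

Because a failed include is skipped silently, a central deny rule only holds while the web server is reachable; monitoring that availability is part of operating the policy.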
Managing the vogan Configuration file
On installation, you will see a configuration file located at “/opt/cyber-compliance/etc/vogan.conf”. The following is an example:
# Optionally include a remote configuration file. If the remote file cannot be read,
# vogan will timeout and continue reading the remaining lines of the local
# configuration file.
include https://webserver.local/vogan.conf
# List the networks or IP addresses to ALLOW.
# Anything else is DENIED.
network_addresses=127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
# List the primary groups to apply the above
# network address restrictions to.
# Each network applied to each group.
restricted_groups=root
# Note: Groups must exist.
The above configuration states that the “root” user (being a member of the root group) can access the network resources stated by the “network_addresses” but nothing else. Other users are not impacted by these restrictions. However, if “alice” needs to be blocked as well, just add alice’s primary group to the end of the “restricted_groups” option. Such as:
restricted_groups=root,alice
Generally, users have their primary group named after them, i.e. alice’s primary group is “alice”. This is not always the case.
The “network_addresses” option can include IP addresses, networks, and host names (which are resolved once at execution time). Such as:
network_addresses=127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,8.8.8.8,au-portal.agixlinux.com
A remote configuration file can be used which bypasses all local rules. Such as:
vogan -a apply -r https://webserver.local/vogan.conf
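The following is an added example, not vogan code: an audit helper that reads the two options described above and reports which accounts the restriction actually covers and whether a destination IP falls inside the allowed list. The passwd and group excerpts and the `bob` entry are constructed; host names are reported separately because they depend on DNS resolution at the time the rules are applied.

```python
import ipaddress

# Constructed from the FAQ's examples; "bob" is added to show a missing group.
VOGAN_CONF = """\
network_addresses=127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,8.8.8.8,au-portal.agixlinux.com
restricted_groups=root,alice,bob
"""
# Constructed /etc/passwd and /etc/group excerpts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
opsadmin:x:1002:0::/home/opsadmin:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
"""


def parse_vogan(text):
    """Read the two key=value options; comments and include lines are ignored."""
    conf = {"network_addresses": [], "restricted_groups": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in conf:
            conf[key] = [v.strip() for v in value.split(",") if v.strip()]
    return conf


def split_addresses(entries):
    """Return (networks, host_names); host names need DNS and are kept apart."""
    networks, host_names = [], []
    for entry in entries:
        try:
            # strict=False because 127.0.0.1/8 has host bits set.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            host_names.append(entry)
    return networks, host_names


def destination_allowed(dest_ip, networks):
    """True if the destination IP is inside any allowed network."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in networks)


def restricted_users(passwd_text, group_text, restricted_groups):
    """Return (users whose primary group is restricted, listed groups that do not exist)."""
    groups = [line.split(":") for line in group_text.splitlines() if line]
    gid_to_name = {fields[2]: fields[0] for fields in groups}
    missing = [g for g in restricted_groups if g not in gid_to_name.values()]
    accounts = [line.split(":") for line in passwd_text.splitlines() if line]
    users = [f[0] for f in accounts if gid_to_name.get(f[3]) in restricted_groups]
    return users, missing


if __name__ == "__main__":
    conf = parse_vogan(VOGAN_CONF)
    networks, host_names = split_addresses(conf["network_addresses"])
    print("host names to resolve:", host_names)
    print("1.1.1.1 allowed:", destination_allowed("1.1.1.1", networks))
    print(restricted_users(PASSWD, GROUP, conf["restricted_groups"]))
```

In the constructed data, `bob` is not covered because his primary group is `users` and no group named `bob` exists, while `opsadmin` is covered through the `root` primary group.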
mandos Minimum Requirements
mandos is a minimalistic tool. Download the correct version for your distribution. Test on a non-production system prior to production use. The following Linux distributions have been tested and confirmed to work. Our tests are based on standard default installations.
- Ubuntu 24.04
- Ubuntu 22.04
- Ubuntu 20.04
Product Testing
We distribute our tools initially to a subset of our customers to test and provide feedback. This group of customers volunteer to participate in the testing program. This, combined with our own internal testing, ensures that by the time you get our tools, they’ve been installed, tested and verified. If you want to be in the testing group, please contact our sales team at sales@agixlinux.com
Remote Configuration Files for mandos and vogan
Both mandos and vogan support remote configuration files. For example:
include https://webserver.local/mandos.conf
An example configuration file for mandos is:
mode permit
include https://webserver.local/mandos.conf
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "/tmp" deny
directory "/bin" permit
directory "/sbin" permit
directory "/usr/bin" permit
directory "/usr/sbin" permit
An example configuration file for vogan is:
include https://webserver.local/vogan.conf
network_addresses=127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
restricted_groups=root
Placing the “include” rule towards the top of the configuration file means it is read first, and the first matching rule applies. If the include file cannot be reached or read, it is skipped and the remaining configuration settings apply.
mandos does not validate the remote “https” server certificate.
Sovereignty
Customers should choose a Customer Portal in their region of choice. Please see our “https://agixlinux.com/sovereignty/” page for sovereignty details. This is important to understand.
Customer Portals are currently available in the following regions:
- Australia
Starting and Stopping mandos
mandos is managed with Systemd. The following commands are accepted:
systemctl enable mandosd
systemctl start mandosd
systemctl stop mandosd
systemctl restart mandosd
systemctl disable mandosd
Uninstalling mandos
The following example commands remove the mandos package. Remember to back up the license file located at “/opt/cyber-compliance/etc/license.dat”.
# Debian/Ubuntu and similar:
dpkg -r mandos-dkms
dpkg -r mandosd
# Redhat and similar:
rpm -e mandos-dkms
rpm -e mandosd
Uninstalling vogan
The following example commands remove the vogan package. Remember to back up the license file located at “/opt/cyber-compliance/etc/license.dat”.
# Debian/Ubuntu and similar:
dpkg -r vogan
# Redhat and similar:
rpm -e vogan
vogan Minimum Requirements
vogan is a minimalistic tool. Download the correct version for your distribution. Test on a non-production system prior to production use. The following Linux distributions have been tested and confirmed to work. Our tests are based on standard default installations.
- Ubuntu 24.04
- Ubuntu 22.04
- Ubuntu 20.04
What do we mean by Compliance
When working in certain industries like Defence, Finance, and Governments, there are often rules that your business must adhere to in order to be considered for contracts. These compliance rules are generally more difficult to achieve the higher the sensitivity of the work being sought.
Using Australia as an example, for a business to be considered for contracts with defence, they are expected to be audited to a set of standards. Australia uses the Essential 8 as a capability maturity model and framework. Other countries have similar CMMs and frameworks. Regardless of the country, the industry, the CMMs and the frameworks, the point is always the same: meet these requirements and we’ll consider working with you. Sway from them and we may not work with you.
What we offer & don’t offer
Our tools are focused on simplifying the path to compliance. We want your journey to be as painless as possible. We aim to make the tools simple and quick to install and to maintain, and with a licensing model that makes sense.
We don’t suggest for a moment that our tools (by themselves) will make your organisation compliant, just that they will contribute to the effort in a significant and meaningful way, and without the complexity and pain that you’d otherwise experience.
We know the path to compliance can include some significant hurdles. We’ve been there and understand. We know there’s a better way, and that’s our inspiration.
Which Frameworks Require Application Whitelisting
- Australian Cyber Security Centre (ACSC) Essential Eight: The Essential Eight recommends application whitelisting as one of its top strategies for mitigating cybersecurity incidents. It specifies whitelisting of applications for all servers and workstations to prevent the execution of unauthorized software, which reduces the risk of malware attacks.
- NIST Cybersecurity Framework (CSF): Promotes practices like application whitelisting under its Protect function. NIST Special Publication 800-167, Guide to Application Whitelisting, offers detailed guidance on implementing whitelisting as a preventive control.
- Centre for Internet Security (CIS) Controls: Application whitelisting is highly recommended to restrict unauthorized applications from running. This helps reduce the attack surface by allowing only vetted applications to operate on the network.
- ISO/IEC 27001: ISO 27001 emphasizes access control and malware protection as part of its Annex A controls. Whitelisting applications can be a way to fulfill these controls, especially when combined with other access restrictions and malware defences.
- Federal Information Security Modernization Act (FISMA): FISMA requires U.S. federal agencies to implement stringent cybersecurity measures. Application whitelisting is often part of the compliance requirements for federal agencies to prevent unauthorized applications and reduce malware risks.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS requires measures to restrict access to only trusted applications.
Which Frameworks Require Restricting Access to Administrators
- Australian Cyber Security Centre (ACSC) Essential Eight: Part of the Essential Eight framework focuses on limiting administrative privileges and restricting internet access for accounts with administrative permissions. This is to prevent attackers from using admin accounts to download malware or communicate with command-and-control servers.
- NIST Cybersecurity Framework (CSF): NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations), which supports NIST CSF, includes controls on restricting internet access for privileged users. Control AC-6 (Least Privilege) and SC-7 (Boundary Protection) guide organizations to restrict high-privilege accounts from accessing unnecessary external services.
- Centre for Internet Security (CIS) Controls: CIS Control 4, “Controlled Use of Administrative Privileges,” recommends that administrative accounts be restricted from using internet services that are not essential for their function. The principle is to limit admin accounts to only necessary tasks and avoid web access that may introduce risks.
- ISO/IEC 27001: While ISO/IEC 27001 does not explicitly mandate internet access restrictions, its focus on access control and secure configurations under Annex A can be applied to restrict internet access for administrative accounts. Organizations following ISO 27001 often include administrative internet restrictions in their security policies to comply with these access and security requirements.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS mandates that organizations with payment card data environments limit administrative privileges and monitor internet use for accounts with elevated access. While not explicit about restricting internet access entirely, PCI DSS does require strict access controls for administrative accounts, which can include blocking external connections to reduce risk exposure.
- Federal Information Security Management Act (FISMA): For U.S. federal agencies, FISMA compliance often involves aligning with NIST 800-53 controls, which as noted above, supports limiting internet access for administrative accounts to prevent the misuse of high-level privileges.
Why the focus on Linux?
There are three reasons:
- Linux servers are managed by Linux system administrators. Linux Sysadmin teams don’t generally concern themselves with Windows servers (if at all possible). Therefore offering a specific solution to the Linux system administrator is entirely sensible.
- Linux poses interesting and unique challenges to businesses. What works on Windows is typically not what works on Linux. They’re different and require different solutions.
- Linux system administrators have a different way of thinking to Windows system administrators. Linux tools are generally modular and specific to a purpose. And because of the minimalistic approach, they’re excellent for automation. Our tools solve specific problems.
Quick To Deploy to Small or Large Environments
- Register – Free trial for 14 days
- Download – Try on 5 Linux systems
- Configure – Sensible Defaults
- Apply – It’s that easy
Compliance Focused With Real World Benefits
- Frameworks – Results focused
- Effective – Easy to tweak settings
- Quick – Up and running in minutes
- Linux Focused – For Linux SysAdmins
Easy To Manage Licenses That Make Sense
- License – 1 seat per host, not per tool
- Seats – Movable between hosts
- Manage – Web portal management
- Sensible – Licenses that make sense
Your Data Remains In Your Region
Your data stays in your region of choice. That includes your Customer Portal, your license details, security and access logs, backups, and your centralised configuration management (if you’re using that feature).