With Mandos, you can combine the following:
- Allow one or many applications to execute based on the file hash.
- Deny one or many applications to execute based on the file hash.
- Allow application execution based on directory (including sub-directories).
- Allow application execution based on directory (including sub-directories).
- Configure a default rule that matches if none of the above match.
The following list shows the order by which rules are applied:
- An explicit hash match
- An explicit file match
- An explicit directory match
- The mode the daemon is running in (permit or enforce)
For more information, see “Managing the Mandos configuration file” in this FAQ list.