The Mandos configuration file in “/opt/cyber-compliance/etc/mandos.conf” can include a remote location from where additional rules can be included. The following is an example of the configuration file where a remote location is included.
```
mode permit
#
include https://webserver.local/mandos.conf
#
audit "/dev/null"
#
loglevel all
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
hash "f1a12ac21ea441cc7a005076dc931a57098f7b302c4cb387b6d217c87e1f62c0" permit
directory "%home%/Downloads" deny
directory "/tmp" deny
directory "/bin" permit
directory "/sbin" permit
directory "/usr/bin" permit
directory "/usr/sbin" permit
```
The configuration file options are detailed here:
- “mode” is either “permit” or “deny”. This is the default action if no matches apply.
- “include” specifies the URL to the location that has a configuration file to use. It applies in the order that it is found. The order matters, and is explained below.
- “audit” specifies the location of the audit file. If this option exists, mandos will output all audit logs to this location. However, if set to “/dev/null”, syslog will be used as the output.
- “loglevel” is “match”, “all”, or “debug”.
  - “match” will only emit messages where the program executed was an explicit match to something in the configuration file.
  - “all” will emit messages whether the program was an explicit match to something in the configuration file, or if it fell through and was permitted or denied based on the mode.
  - “debug” will output debug messages.
- “hash” specifies the sha256 hash of the file to match. It must be followed by either “deny” or “permit”.
- “directory” specifies the directory (without a trailing slash) to match, including subdirectories. It must be followed by either “deny” or “permit”.
- “%home%” has a special meaning: it expands to the user's home directory and must be followed by an existing directory, e.g. “~/Downloads”.
The configuration file is read in order, and the first matching rule wins over any later rule. In the example above, the rules found in the remote configuration file are spliced in at the point of the “include” line and therefore override the local rules that follow it. If the included remote location does not exist or cannot be retrieved, the include is ignored and the remaining rules in the local configuration file take effect.
The following list shows the order by which rules are applied:
- An explicit hash match
- An explicit file match
- An explicit directory match
- The mode the daemon is running in (permit or enforce)
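The following is an added example of a small evaluator for the format and precedence described above; it is not Mandos's own code. It assumes “#” introduces a separator or comment line, stands in a constructed dictionary for the remote fetch (an unlisted URL counts as unreachable), uses a constructed home directory, and omits the “file” tier since no “file” directive is documented. Evaluating a path under “/tmp” shows the included remote rule overriding the local deny, and the same path falling back to the local rule when the include cannot be retrieved.

```python
import re

# Constructed sample in the mandos.conf format described above (not the page's own file).
LOCAL_CONF = """\
mode permit
include https://webserver.local/mandos.conf
loglevel all
hash "860ab19122c867d95d31d016e7ffdb3ae5082b5d6a1f4ce5fd050c91338e9b6c" deny
directory "%home%/Downloads" deny
directory "/tmp" deny
directory "/usr/bin" permit
"""
# Stand-in for fetching the remote include; any URL not listed counts as unreachable.
FETCHED = {"https://webserver.local/mandos.conf": 'directory "/tmp" permit\n'}
TOKEN = re.compile(r'"[^"]*"|\S+')

def parse(text, fetch=FETCHED.get, home="/home/alice", depth=0):
    """Return (settings, rules); included rules are spliced in where the include line sits."""
    settings, rules = {"mode": "permit"}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # '#' lines are separators/comments (assumed)
        if not line:
            continue
        words = [w.strip('"') for w in TOKEN.findall(line)]
        key, args = words[0], words[1:]
        if key == "include":
            remote = fetch(args[0])
            if remote is not None and depth < 4:   # unreachable include is ignored
                rules.extend(parse(remote, fetch, home, depth + 1)[1])
        elif key in ("hash", "directory"):
            target = args[0].replace("%home%", home).rstrip("/")
            rules.append((key, target, args[1]))
        else:
            settings[key] = args[0]                # mode, audit, loglevel
    return settings, rules

def decide(settings, rules, path, sha256):
    """Precedence from the page: hash, then directory, then mode; first rule in file order wins."""
    for kind in ("hash", "directory"):
        for rkind, target, action in rules:
            if rkind != kind:
                continue
            if kind == "hash" and target == sha256:
                return action, "hash"
            if kind == "directory" and (path == target or path.startswith(target + "/")):
                return action, "directory"
    return settings["mode"], "mode"
```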