Tux AppGuard for Linux devices


Tux AppGuard for Linux is a security feature that helps protect your Linux devices by controlling which applications and system programs are allowed to run. Instead of letting any program execute freely, it ensures that only trusted and approved binaries can operate on the system. This reduces the risk of unauthorized software, malware, or accidental execution of harmful commands.

For ease of setup, AppGuard provides a learning phase (permissive mode) where it observes normal device activity and records what is needed, followed by a protection phase (enforcing mode) where it strictly allows only those approved components to run.

This article explains how to:

  1. Use permissive mode to safely discover required system binaries

  2. Capture and review execution logs

  3. Create and deploy an enforcing policy

  4. Handle emergency situations if something is unintentionally blocked

By following this guide, administrators can create a secure and controlled environment without disrupting essential workflows.

How It Works

Tux AppGuard for Linux provides application-level execution control through two operational modes:

  1. Permissive Mode (Learning Mode): Logs all executed binaries without blocking them. This helps identify required components for normal system operation.

  2. Enforcing Mode: Allows only explicitly whitelisted binaries to execute, blocking all others to ensure a secure and controlled environment.

Administrators typically begin with permissive mode to observe system behavior and then transition to enforcing mode to apply strict execution policies.

Pre-requisites

  1. Linux device(s) enrolled with Scalefusion

  2. tux-agent build version should be 4.1.0 or above

  3. Permissions to create and execute .sh scripts

  4. Access to AppGuard logs (/var/log/tux-agent/veltar/appguard.log)

  5. Supported Operating Systems: While Tux AppGuard is expected to work on most Linux distributions, it has been tested and verified on Ubuntu, Linux Mint, and Fedora.

Steps

Step 1: Configure Permissive Mode

In this phase, AppGuard operates in learning mode and does not block any execution.

Procedure:

  1. Create a script in .sh format.

  2. Configure the script to start AppGuard in permissive mode.

  3. Deploy the script to the target devices.

    Follow our guide to upload & publish the script using Scalefusion Dashboard.

Outcome:

  • All executed binaries are logged.

  • No processes are blocked.

Step 2: Capture Binary Paths from Logs

Once permissive mode is active, collect the binaries used during system operation.

Steps:

  1. Run the following command on the device to follow new log entries as they are written (review the full log file as well, since tail -f shows only entries added after it starts):

    sudo tail -f /var/log/tux-agent/veltar/appguard.log

  2. While monitoring logs, perform key workflows:

    • Restart and shutdown

    • Login and logout

    • User switching

    • Business-critical applications

    • Automation scripts and monitoring tools

Outcome:

  • A comprehensive list of required binary paths is captured.

Step 3: Create Enforcing Script

After identifying required binaries, create a script to enforce execution control.

Script Requirements:

  • File format: .sh

  • Must start with:

    #!app-guard|enforcing

Add rules in the following format:

/absolute/path/to/binary,allow

Example:

/bin/login,allow
/usr/bin/ssh,allow
/usr/sbin/sshd,allow

Outcome:

  • Only listed binaries are allowed to execute.

  • All others are blocked.
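The following shell script is an added example, not part of this article or of Scalefusion's tooling. It automates Steps 2 and 3: it extracts the distinct absolute binary paths from permissive-mode log lines, writes them into an enforcing script using the header and path,allow rule format described above, and then checks the result against the Best Practices below (login, SSH and a package manager must be present; rules pointing outside /bin, /sbin and /usr are flagged for review). The exact format of appguard.log is not documented on this page, so the sample log lines are constructed and the only assumption made is that each line contains the executed binary as an absolute path.

```shell
#!/bin/sh
# Added example (not Scalefusion's own code): build and sanity-check an AppGuard
# enforcing script from permissive-mode log lines.
# Assumption: each appguard.log line contains the executed binary as an absolute path.
# The real log format is not shown on the page; the sample below is constructed.

SAMPLE_LOG='2024-01-01T10:00:01 appguard permissive exec /bin/login uid=0
2024-01-01T10:00:02 appguard permissive exec /usr/sbin/sshd uid=0
2024-01-01T10:00:03 appguard permissive exec /usr/bin/ssh uid=1000
2024-01-01T10:00:04 appguard permissive exec /usr/bin/ssh uid=1000
2024-01-01T10:00:05 appguard permissive exec /usr/bin/apt uid=0
2024-01-01T10:00:06 appguard permissive exec /tmp/build/run.sh uid=1000'

# extract_paths: read log text on stdin, print each distinct absolute path once, sorted.
extract_paths() {
    grep -o '/[^[:space:],"]*' | sort -u
}

# write_policy: read paths on stdin and write the enforcing script to file $1:
# the mandatory "#!app-guard|enforcing" header, then one "path,allow" rule per line.
write_policy() {
    out="$1"
    printf '%s\n' '#!app-guard|enforcing' > "$out"
    while IFS= read -r p; do
        if [ -n "$p" ]; then
            printf '%s,allow\n' "$p"
        fi
    done >> "$out"
}

# check_policy: print rules that point outside the system binary trees (paths such
# as /tmp/... deserve a second look before they are allowed permanently) and report
# any must-have binary that is missing. Returns 0 if none is missing, 1 otherwise.
check_policy() {
    policy="$1"
    status=0
    grep '^/' "$policy" | grep -v -E '^/(bin|sbin|usr)/' | while IFS= read -r rule; do
        echo "review: $rule"
    done
    # Must-haves from the article: local login, remote access via SSH, a package manager.
    for must in /bin/login /usr/sbin/sshd /usr/bin/ssh /usr/bin/apt; do
        grep -qx "$must,allow" "$policy" || { echo "missing: $must"; status=1; }
    done
    return $status
}

# Demo run on the constructed sample: generate the policy into a temporary file and check it.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" | extract_paths | write_policy "$demo_dir/appguard_enforce.sh"
cat "$demo_dir/appguard_enforce.sh"
check_policy "$demo_dir/appguard_enforce.sh" && echo "all must-have binaries are present"
```

On a real device, replace the constructed SAMPLE_LOG with the contents of /var/log/tux-agent/veltar/appguard.log collected while the workflows in Step 2 were exercised, and adjust the must-have list in check_policy to the package manager and remote-access tools your devices actually use before uploading the generated script in Step 4.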

Step 4: Deploy Enforcing Script

  1. Upload the enforcing script to the Enterprise Linux Store. To do so, navigate to Scalefusion Dashboard > Application Management > Enterprise Store and select Upload Linux Script.

  2. Publish the script to target devices.

    Follow our guide to upload & publish the script using Scalefusion Dashboard.

  3. Verify that all critical workflows function correctly under enforcing mode.

Emergency Stop for AppGuard

In case of misconfiguration or unintended blocking, AppGuard can be disabled using the following methods:

Method 1: Emergency Script (Recommended)

  1. Create a removal script (e.g., appguard_remove.sh).

  2. Upload and publish it via the Scalefusion dashboard.

Outcome:

  • Stops or removes AppGuard configuration.

  • Restores unrestricted device operation.

Method 2: TUXSOS Failsafe

Run the following command on the device:

touch /tmp/TUXSOS

Outcome:

  • Creates a failsafe file that disables AppGuard.

    If terminal access is blocked due to enforcement, execute via SSH.

Best Practices

  1. Validate before enforcement: Ensure all critical workflows are tested in permissive mode and required binaries are captured.

  2. Whitelist package managers: Include tools like apt, yum, dnf, or zypper if installations or updates are required.

  3. Maintain an emergency plan: Keep a ready-to-deploy emergency removal script and document its usage.

  4. Ensure failsafe awareness: Administrators should know how to use the touch /tmp/TUXSOS command.

  5. Test remote access: Verify that SSH and related binaries are whitelisted and functional before enabling enforcing mode.