Enterprise-Grade Privacy and Security
Welcome to Kodachi Security Binaries
A collection of high-performance Rust-based security tools that form the backbone of Linux Kodachi's privacy and anonymity infrastructure. These production-ready binaries provide enterprise-level security features for advanced privacy protection and system hardening.
Core Architecture Principles
Zero-Trust Architecture: Authentication-first design with granular authorization and certificate pinning
Memory-Safe Implementation: Rust-first design with comprehensive error handling and rigorous safety practices
Modular Design: Independent services with shared libraries through cli-core, auth-shared, and logs-hook
Forensic Resistance: Multi-pass secure wiping, memory cleaning, emergency data destruction capabilities
🛡️ Binary Categories and Requirements
Network and Privacy Tools
| Binary | Primary Function | Requires Auth | Requires Sudo | Auto-Start |
|---|---|---|---|---|
| tor-switch | Advanced Tor network orchestration (70+ commands) | Mixed (73%) | Yes (iptables/nftables) | No |
| routing-switch | Multi-protocol routing (12 protocols) | Mixed (61%) | Yes (network config) | No |
| ip-fetch | Secure IP geolocation with multi-source verification | Mixed (8%) | No (sudo only for system changes) | No |
| dns-switch | DNS management with 50+ secure resolver options | Mixed (44%) | Yes (system DNS) | No |
| dns-leak | Real-time DNS leak detection and analysis | Mixed (25%) | No | No |
System Security and Protection
| Binary | Primary Function | Requires Auth | Requires Sudo | Auto-Start |
|---|---|---|---|---|
| health-control | Emergency kill switches and panic modes | Mixed (61%) | Yes (system ops) | No |
| integrity-check | Cryptographic system integrity verification | No | No | No |
| permission-guard | Real-time permission monitoring and enforcement | No | No | No |
| online-auth | Secure authentication and heartbeat monitoring | No | Yes (system-wide) | No (manual start) |
Infrastructure and Management
| Binary | Primary Function | Requires Auth | Requires Sudo | Auto-Start |
|---|---|---|---|---|
| logs-hook | Centralized secure logging infrastructure | No | No | Auto-integrated by all |
| deps-checker | Dependency validation and security auditing | No | No | No |
| global-launcher | System-wide binary deployment manager | No | No | No |
| online-info-switch | Online information hub and RSS feeds | Mixed (58%) | No | No |
🛡️ Inter-Binary Dependencies Matrix
Binary Communication Flow
| Service | Calls These Binaries | Called By These Binaries |
|---|---|---|
| online-auth | logs-hook | Authentication required by: ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch |
| logs-hook | None | Integrated by all services for centralized logging |
| ip-fetch | logs-hook, online-auth, routing-switch | tor-switch, routing-switch, dns-switch, dns-leak |
| tor-switch | logs-hook, online-auth, ip-fetch | routing-switch |
| routing-switch | logs-hook, online-auth, tor-switch, ip-fetch | health-control, ip-fetch |
| dns-switch | logs-hook, online-auth, ip-fetch | None |
| dns-leak | logs-hook, online-auth, ip-fetch | None |
| health-control | logs-hook, online-auth, routing-switch | dns-switch, online-info-switch |
| integrity-check | logs-hook | None |
| permission-guard | logs-hook | Can be used alongside online-auth for permission checks |
| deps-checker | logs-hook | None |
| global-launcher | logs-hook | Can be orchestrated by online-auth for deployments |
| online-info-switch | logs-hook, online-auth, health-control | None |
Critical Service Dependencies
| Dependency Type | Description | Affected Services |
|---|---|---|
| Authentication Chain | Services requiring valid authentication before operation | ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch |
| Logging Infrastructure | All services use logs-hook for centralized logging | ALL binaries |
| IP Verification | Services that call ip-fetch for network testing | tor-switch, routing-switch, dns-switch, dns-leak |
| System Management | Services that may interact with online-auth | permission-guard, global-launcher |
🛡️ Authentication Requirements Matrix
Authentication Quick Reference (Sorted by Command Count)
| Service | Total | Auth | No Auth | Auth Level | Primary Use Case |
|---|---|---|---|---|---|
| health-control | 186 | 114 | 72 | ██████░░░░ | Emergency kill switches, panic modes, system hardening |
| tor-switch | 108 | 79 | 29 | ███████░░░ | Tor network orchestration with 70+ management commands |
| dns-switch | 25 | 11 | 14 | ████░░░░░░ | DNS server management with 50+ resolver options |
| routing-switch | 18 | 11 | 7 | ██████░░░░ | Multi-protocol network routing configuration |
| online-auth | 14 | 8 | 6 | ██████░░░░ | Authentication service and heartbeat monitoring |
| ip-fetch | 13 | 1 | 12 | █░░░░░░░░░ | IP geolocation (auth only for bulk operations) |
| online-info-switch | 12 | 7 | 5 | ██████░░░░ | Online information hub and RSS feeds |
| integrity-check | 7 | 0 | 7 | ░░░░░░░░░░ | System integrity verification |
| dns-leak | 4 | 1 | 3 | ███░░░░░░░ | DNS leak detection |
| permission-guard | 4 | 0 | 4 | ░░░░░░░░░░ | Permission monitoring |
| deps-checker | 4 | 0 | 4 | ░░░░░░░░░░ | Dependency validation |
| global-launcher | 3 | 0 | 3 | ░░░░░░░░░░ | Binary deployment management |
| logs-hook | 3 | 0 | 3 | ░░░░░░░░░░ | Centralized logging |
Legend
| Symbol | Description |
|---|---|
| Auth Required | Commands requiring valid authentication via online-auth |
| No Auth | Commands that can run without authentication |
| Emergency Bypass | Some services in health-control have emergency bypass commands for critical recovery |
Authentication Dashboard
Key Insights
Overview Statistics
Total Commands
401
Auth Required
232 (57.9%)
No Auth
169 (42.1%)
Total Binaries
13
🔴 Highest Authentication
tor-switch
73% (79/108)
health-control
61% (114/186)
routing-switch
61% (11/18)
🟢 No Authentication Required
✓ integrity-check
7 cmds
✓ permission-guard
4 cmds
✓ deps-checker
4 cmds
✓ global-launcher
3 cmds
✓ logs-hook
3 cmds
Command Distribution
Top 3 binaries
79%
Average per binary
31 cmds
Median auth rate
25%
Binary Authentication Overview
health-control
61% auth
tor-switch
73% auth
dns-switch
44% auth
routing-switch
61% auth
online-auth
57% auth
ip-fetch
8% auth
online-info-switch
58% auth
integrity-check
0% auth
dns-leak
25% auth
permission-guard
0% auth
deps-checker
0% auth
global-launcher
0% auth
logs-hook
0% auth
Authentication Patterns by Service Type
| Pattern | Services | Description |
|---|---|---|
| No Authentication | logs-hook, global-launcher, deps-checker, permission-guard, integrity-check |
No auth-shared library usage |
| Mixed Authentication | online-info-switch, dns-leak, routing-switch, ip-fetch, dns-switch, tor-switch, health-control |
Selective command authentication |
| Bulk Operations Auth | ip-fetch |
Only bulk/multi operations require auth |
| Emergency Bypass | health-control |
Critical recovery commands bypass auth |
| Special Provider | online-auth |
Authentication provider service |
Service-Specific Authentication Details
logs-hook
Total Commands: 3 | Auth Required: 0 | No Auth: 3
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
| — | log • maintenance rotate • maintenance wipe |
global-launcher
Total Commands: 3 | Auth Required: 0 | No Auth: 3
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
| — | deploy • verify • cleanup |
deps-checker
Total Commands: 4 | Auth Required: 0 | No Auth: 4
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
| — | check • scan • verify • report |
permission-guard
Total Commands: 4 | Auth Required: 0 | No Auth: 4
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
| — | watch • config • scan • status |
dns-leak
Total Commands: 4 | Auth Required: 1 | No Auth: 3
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
test |
discover • report • results |
integrity-check
Total Commands: 7 | Auth Required: 0 | No Auth: 7
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
| — | generate • check_all • check_integrity • check_signatures • check_version • check_config • view_logs |
online-info-switch
Total Commands: 12 | Auth Required: 7 | No Auth: 5
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
set-online • set-offline • set-auto • clear-cache • test-connectivity • rss • paste |
status • check • info • list • freshness |
ip-fetch
Total Commands: 13 | Auth Required: 1 | No Auth: 12
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
verify-multi |
fetch • plain-ip • auth-status • debug-auth • test-all • test-fallback • random • tor • dns • geo • check-tor • cache |
online-auth
Total Commands: 14 | Auth Required: 8 | No Auth: 6
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
sync-api-key • authenticate • logout • send-heartbeat • send-heartbeat-with-retry • start-heartbeat • stop-heartbeat • get-card |
check-login • check-if-blocked • get-ids • check-all-status • check-heartbeat • which-group |
routing-switch
Total Commands: 18 | Auth Required: 11 | No Auth: 7
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
connect • test-protocol • benchmark • auto-select • export-config • showconfig • showconfigurl • showconfigqr • validate-qr • tor-dns-info • vps-info |
status • dns-info • list-protocols • disconnect • reset • cleanup • recover |
dns-switch
Total Commands: 25 | Auth Required: 11 | No Auth: 14
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
switch • random • dnscrypt-set • dnscrypt-restart • pihole-enable • pihole-password • pihole-reset • health • fetch • fetch-count • clean-duplicates |
fallback • dnscrypt-remove • pihole-disable • fetch-dns-from-card • clean • backup • restore-default • restore-backup • dnscrypt • pihole • status • list • count • help |
tor-switch
Total Commands: 108 | Auth Required: 79 | No Auth: 29
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
start_tor • stop_tor • restart_tor • create_instance • delete_instance • delete_all_instances • start_instance • stop_instance • restart_instance • start_all_instances • stop_all_instances • restart_all_instances • set_default_instance • rename_instance • clone_instance • create_multiple_instances • set_exit_node • set_exit_node_all • set_exclude_node • set_exclude_node_all • clear_exit_node • clear_exit_node_all • new_tor_circuit • new_tor_circuit_all • reload_tor_config • reload_tor_config_all • backup_config • backup_config_all • restore_config • restore_config_all • generate_new_tor_password • generate_new_tor_password_all • clean_torrc_custom • clean_torrc_custom_all • auto_ip_change • stop_auto_ip_change • update_ip_timer • update_ip_all_timer • remove_ip_timer • remove_ip_all_timer • generate_haproxy_config • haproxy_start • haproxy_stop • set_load_balancing_mode • set_instance_weight • torrify_system_iptables_load_balanced • torrify_system_nftables_load_balanced • torrify_system_iptables • torrify_system_nftables • torrify_system_dns • torrify_system_iptables_dns • torrify_system_nftables_dns • start_tor_dns_iptables • start_tor_dns_nftables • detorrify_system_iptables • detorrify_system_nftables • detorrify_system_iptables_dns • detorrify_system_nftables_dns • stop_tor_dns_iptables • stop_tor_dns_nftables • cleanup • clean_orphan_services • refresh_auth • flush_iptables • flush_nftables • validate_torrc • validate_torrc_all • verify_tor_dns • verify_tor_dns_all • verify_tor_dns_direct • verify_tor_dns_port • verify_auth • set_tor_bridge • set_tor_bridge_all • clear_tor_bridge • clear_tor_bridge_all • enable_tor_logs • disable_tor_logs • view_tor_logs |
check_tor • check_tor_all • torverify • tor_status • tor_status_all • get_tor_status • get_tor_status_all • get_tor_custom_status • get_instance_pid • which_is_active • list_instances • list_haproxy_modes • haproxy_status • display_load_balancing_config • list_iptables • list_nftables • list_ip_timers • list_torrclines • list_torrclines_all • show_torrc_custom • show_torrc_custom_all • get_instance_port • get_control_port • get_socks_port • check_instance_status • check_bridges • check_bridges_all • monitor_bandwidth |
health-control
Total Commands: 186 | Auth Required: 114 | No Auth: 72
| Commands Requiring Authentication | Commands Without Authentication |
|---|---|
block-internet • kill-network • kill-network-interface • kill-process • set-timezone • sync-timezone • change-hostname • set-default-hostname • set-random-hostname • set-custom-hostname • set-random-hostname-category • set-random-timezone • mac-change-all • mac-force-change • mac-change-specific • offline-bluetooth • offline-wifi • offline-usb-storage • offline-webcam • offline-microphone • offline-system-logs • offline-cups • offline-network-manager • offline-num-lock • offline-cmd-history • offline-auto-login • offline-screen-lock • offline-fd-limit • offline-net-optimize • offline-bbr • offline-if-speed • offline-avahi • offline-modem-manager • offline-ssh • offline-apache • offline-nginx • offline-docker • offline-mysql • offline-postgresql • security-harden • security-recover • security-reset • monitoring-enable • monitoring-disable • ipv6-disable • ipv6-enable • tirdad-enable • tirdad-disable • ram-wipe • swap-encrypt • swap-decrypt • luks-nuke • luks-manage • luks-remove • luks-nuke-advanced • luks-manage-advanced • create-persistence • container-create • container-mount • container-unmount • memory-clean • memory-force-clean • memory-wipe • memory-wipe-process • swap-configure • disable-swap • enable-swap • ram-wipe-enable • ram-wipe-disable • swap-enable • swap-disable • usbguard-enable • usbguard-disable • usb-policy • usb-whitelist • storage-wipe • storage-encrypt • encryption-tune • kill-switch-arm • kill-switch-activate • kloak-enable • kloak-disable • kloak-configure • kloak-event-mode • aide-update • aide-init • aide-reinit • aide-scan-dir • auto-updates-enable • auto-updates-disable • system-maintenance-enable • system-maintenance-disable • password-policy-enable • password-policy-disable • user-security-enable • user-security-disable • two-factor-enable • two-factor-disable • check-and-install-do • package-cleanup • clear-cache • coldboot-defense-enable • coldboot-defense-disable • memory-limits |
unblock-internet • recover-internet • mac-reset-all • kill-switch-disarm • panic-soft • panic-medium • panic-hard • panic-profile • panic-recover • create-recovery-point • wipe-file • wipe-directory • wipe-logs • wipe-batch • wipe-browser-data • wipe-free-space • wipe-pattern • wipe-schedule • wipe-verify • notify • play-sound • net-check • net-check-http • list-ips • list-domains • get-hostname • get-logged-user • show-timezone • show-remote-timezone • list-timezones • list-hostnames • mac-show-interfaces • mac-show-macs • mac-active-interface • security-status • ipv6-status • tirdad-status • ram-wipe-status • disk-encryption-status • swap-status • offline-info-system • offline-info-hardware • offline-info-process • offline-info-security • offline-info-network • offline-info-user • offline-info-storage • offline-info-services • offline-info-all • security-score • security-report • scoring-profile • security-history • rootkit-scan • rootkit-scan-enhanced • lynis-audit • lynis-status • clamav-scan • system-audit • internet-status • kill-switch-status • encryption-status • usb-list • memory-stats • auto-updates-status • system-maintenance-status • password-policy-status • user-security-status • two-factor-status • kloak-status • kloak-stats • aide-check • usb-monitor • usb-history • hardware-rng-verify • entropy-status • boot-integrity-check • swap-encrypt-status • check-and-install • security-verify • security-remediate |
Authentication Workflow
# 1. Initial Authentication
sudo ./online-auth authenticate --keep-alive
# 2. Verify Authentication
./online-auth check-login
# 3. Use Authenticated Services
sudo ./tor-switch start_tor # Requires auth (all tor-switch commands)
sudo ./health-control block-internet # Requires auth
./ip-fetch plain-ip # No auth needed
# 4. Emergency Operations (No Auth Required)
./health-control panic-soft # Emergency bypass
./routing-switch disconnect # Emergency recovery
# 5. Logout When Complete
./online-auth logout
Authentication Implementation Summary
Services With Authentication Requirements
| Service | Authentication Level | Details |
|---|---|---|
| health-control | Mixed Authentication | 114 commands require auth, 72 emergency bypasses |
| tor-switch | Mixed Authentication | 79 commands require auth, 29 don't |
| dns-switch | Mixed Authentication | 11 commands require auth, 14 don't |
| online-info-switch | Mixed Authentication | 7 commands require auth, 5 don't |
| routing-switch | Mixed Authentication | 11 commands require auth, 7 emergency/status don't |
| online-auth | Special Provider | 8 commands require auth, 6 status don't |
| ip-fetch | Selective Authentication | Only 1 bulk operation requires auth, 12 don't |
| dns-leak | Selective Authentication | Only test command requires auth, 3 don't |
Services NOT Using auth-shared Library
| Service | Authentication | Details |
|---|---|---|
| logs-hook | No Authentication | Logging service - operates independently |
| global-launcher | No Authentication | Service launcher - no auth integration |
| deps-checker | No Authentication | Dependency checker - read-only operations |
| permission-guard | No Authentication | Permission monitor - operates independently |
| integrity-check | No Authentication | Integrity verification - no auth needed |
Special Authentication Components
| Component | Role | Purpose |
|---|---|---|
| online-auth | Authentication Provider | Primary authentication service managing sessions |
| auth-shared | Authentication Library | Shared library providing auth functionality to services |
| KODACHI_CALLING_SERVICE | Environment Variable | Service identity verification mechanism |
🛡️ System Requirements and Permissions
Privilege Escalation Requirements
| Operation Type | Required Permissions | Affected Binaries |
|---|---|---|
| Network Configuration | sudo/root | tor-switch (iptables/nftables), routing-switch, dns-switch |
| System Security | sudo/root | health-control (network/MAC/hostname operations) |
| Authentication Management | sudo/root | online-auth (system-wide operations) |
| Read-Only Operations | Standard user | ip-fetch, dns-leak, integrity-check, logs-hook |
Service Daemon Capabilities
| Service | Daemon Mode | Command | Purpose |
|---|---|---|---|
| online-auth | Heartbeat daemon | online-auth authenticate --keep-alive |
Maintains authentication session |
| logs-hook | Integrated by all services | Automatic | Centralized logging for all operations |
| global-launcher | Service management | Standalone | Binary deployment and management |
🛡️ Key Capabilities Overview
Advanced Network Operations
| Feature | Capability | Details |
|---|---|---|
| Tor Operations | 70+ Commands | Complete control over instances, circuits, and exit nodes |
| Load Balancing | Native Kernel-Level | Traffic distribution across multiple Tor instances |
| Protocol Support | 12 Protocols | OpenVPN, WireGuard, Tor, Shadowsocks, V2Ray, Xray variants, and more |
| DNS Resolvers | 50+ Options | DNSCrypt, DoT, DoH, Pi-hole integration |
Security and Protection
| Feature | Implementation | Purpose |
|---|---|---|
| Emergency Kill Switch | health-control kill-network |
Instant network termination |
| Panic System | 3 Levels (Soft/Medium/Hard) | Progressive data destruction |
| Data Wiping | Multi-pass shredding | Secure deletion with verification |
| MAC Randomization | Auto/Manual modes | Hardware address anonymization |
| Hostname Management | Random generation | System identity protection |
System Integration
| Aspect | Approach | Benefit |
|---|---|---|
| Memory Safety | Rust-first implementation | Robust error handling, no crashes |
| Performance | Optimized binaries | Fast response for critical operations |
| Output Format | JSON-first design | Easy automation and scripting |
| Path Detection | Dynamic resolution | Works on any Linux environment |
| Containment | Execution folder only | Enhanced security isolation |
🛡️ Common Workflows
Network Anonymization Setup
# Authenticate and configure Tor
sudo ./online-auth authenticate
sudo ./tor-switch start_tor
sudo ./tor-switch torrify_system_nftables # Prefer nftables (modern)
# sudo ./tor-switch torrify_system_iptables # Alternative: iptables (legacy)
./ip-fetch fetch # Fetch current IP info through Tor (ISP/ASN shows Tor exit node)
Multi-Protocol Routing
# Connect through various protocols
sudo ./routing-switch connect openvpn
sudo ./routing-switch connect shadowsocks
sudo ./routing-switch connect wireguard
sudo ./routing-switch status # Check active routing
sudo ./routing-switch list-protocols # List available protocols with scores
sudo ./routing-switch disconnect # Disconnect current protocol
Security Hardening
# System hardening workflow
sudo ./health-control set-random-hostname
sudo ./health-control mac-change-all
sudo ./permission-guard scan
./integrity-check check_integrity --json
DNS Configuration
# Secure DNS setup
sudo ./dns-switch switch --category encrypted # Use encrypted DNS
./dns-leak discover --json # Discover and analyze DNS configuration
sudo ./dns-switch random --type encrypted --count 3 # Use random encrypted resolvers
Emergency Response
# Quick privacy mode
sudo ./health-control panic-soft
sudo ./tor-switch restart_tor # Get new Tor circuit
# Complete shutdown
sudo ./health-control kill-network
sudo ./health-control wipe-logs
🛡️ Performance Metrics
| Metric | Value | Description |
|---|---|---|
| Binary Count | 13 | Complete security suite |
| Total Size | ~130MB | All binaries combined |
| Protocol Support | 12 | Routing protocols supported |
| DNS Resolvers | 50+ | Available DNS options |
| Tor Commands | 70+ | Tor management operations |
🛡️ Documentation Structure
User Guides
| Category | Description |
|---|---|
| Network Tools | Detailed guides for network and anonymization tools |
| Security Tools | Comprehensive security and authentication documentation |
| Protection Tools | System protection and monitoring guides |
| Infrastructure Tools | Service infrastructure and management documentation |
API Reference
| Reference | Description |
|---|---|
| Binary Reference | Complete command-line API documentation for all binaries |
🛡️ Security Considerations
Important Security Notice
These tools provide powerful capabilities that should be used responsibly and in accordance with local laws and regulations. Kodachi OS and its binaries are designed for legitimate privacy protection and security testing purposes only.
Security Implementation Details
| Feature | Implementation |
|---|---|
| Authentication | Services use KODACHI_CALLING_SERVICE environment variable for identity |
| Certificate Pinning | TLS 1.3 with pinned certificates for network operations |
| Error Handling | Comprehensive error propagation without crashes |
| Audit Trail | All operations logged through centralized logs-hook service |
Example JSON error response structure:
{
"status": "error",
"error": {
"code": "AUTH_FAILED",
"message": "Authentication required",
"details": "Service requires valid authentication token",
"timestamp": "2025-09-19T10:00:00Z"
}
}
Authentication Flow
| Step | Command | Purpose |
|---|---|---|
| 1 | sudo ./online-auth authenticate --keep-alive |
Initial authentication with keep-alive |
| 2 | ./online-auth check-login |
Check authentication status |
| 3 | Service usage | Authenticated services automatically verify before execution |
| 4 | ./online-auth logout |
Logout when finished |
🛡️ System Information
| Component | Version | Build Date | License |
|---|---|---|---|
| Kodachi OS | 9.0.1 | 2025 | Proprietary |
| Rust Binaries | 9.0.1 | 2025-09-18 | Proprietary |
| Documentation | 9.0.1 | 2025-09-19 | © 2025 Linux Kodachi |
| Author | Warith Al Maawali | - | All Rights Reserved |