{ "report_info": { "version": "9.0.1", "generated_at": "2026-03-07T18:01:33Z", "binary_name": "health-control" }, "binary": { "name": "health-control", "path": "/home/kodachi/k900/dashboard/hooks/health-control", "timestamp": "2026-03-07T18:01:33Z", "file_info": { "size": 10436320, "sha256": "5be1ef4892b2bf9abdd0a6328724d6932b3926003e864ea828a4443478509ad2" }, "flag_n": { "command": "info", "data": { "author": "Warith Al Maawali", "copyright": "© 2026 Kodachi", "description": "Health control system for Kodachi that includes network connectivity checks and system health monitoring", "features": [ "Network connectivity monitoring", "Internet traffic control", "Security hardening", "System integrity checking", "Offline system management" ], "license": "Proprietary", "name": "health-control", "securityFeatures": { "authentication": "Secure authentication with certificate pinning", "encryption": "TLS 1.3 for all network communications", "inputValidation": "All inputs are validated and sanitized", "rateLimiting": "Built-in rate limiting for network operations" }, "systemRequirements": { "dependencies": [ "OpenSSL", "libcurl" ], "os": "Linux (Debian-based)", "privileges": "root/sudo for system operations" }, "version": "9.0.1", "website": "https://www.digi77.com" }, "errors": [], "metadata": { "executionTime": 13, "hostname": "RHEL-8-Server", "user": "kodachi" }, "status": "success", "timestamp": "2026-03-07T18:01:33.702604945Z", "version": "9.0.1", "warnings": [] }, "flag_v": { "command": "version", "data": { "buildDate": "2026-03-07T18:01:33.763872917Z", "gitCommit": "unknown", "name": "health-control", "rustVersion": "1.82.0", "version": "9.0.1" }, "errors": [], "metadata": { "executionTime": 14, "hostname": "RHEL-8-Server", "user": "kodachi" }, "status": "success", "timestamp": "2026-03-07T18:01:33.779365974Z", "version": "9.0.1", "warnings": [] }, "flag_h": { "command": "help", "data": { "commandCategories": [ { "category": "Data Destruction", "commands": [ { "description": "Securely wipe a file with multiple passes", "examples": [ "health-control wipe-file --file /path/to/file.txt", "health-control wipe-file --file /path/to/file.txt --passes 7 --json" ], "name": "wipe-file", "options": [], "usage": "health-control wipe-file [OPTIONS]" }, { "description": "Securely wipe an entire directory and its contents", "examples": [ "health-control wipe-directory --path /tmp/sensitive_dir", "health-control wipe-directory --path /path/to/directory --passes 7 --json" ], "name": "wipe-directory", "options": [], "usage": "health-control wipe-directory [OPTIONS]" }, { "description": "Securely wipe a common user directory (downloads, desktop, documents)", "examples": [ "health-control wipe-user-dir --target downloads", "health-control wipe-user-dir --target desktop", "health-control wipe-user-dir --target documents --json" ], "name": "wipe-user-dir", "options": [], "usage": "health-control wipe-user-dir [OPTIONS]" }, { "description": "Securely wipe system logs (journal, syslog, auth.log, kern.log), user history (bash, zsh, python), and application cache logs", "examples": [ "health-control wipe-logs # Wipe all logs (system + user)", "health-control wipe-logs --type system # Wipe only system logs (/var/log/*, journal)", "health-control wipe-logs --type user # Wipe only user logs (history, cache)", "health-control wipe-logs --type all --json # Show detailed JSON output" ], "name": "wipe-logs", "options": [], "usage": "health-control wipe-logs [OPTIONS]" }, { "description": "Batch wipe multiple files", "examples": [ "# Multiple file paths as arguments:", "health-control wipe-batch file1.png file2.png --passes 7", "health-control wipe-batch /tmp/sensitive.doc /home/user/data.txt", "", "# Alternative comma-separated format:", "health-control wipe-batch --paths \"file1.png,file2.png\" --passes 7", "health-control wipe-batch --paths \"/tmp/file1,/tmp/file2\" --json", "", " ⚠ Security Note: Using actual paths may expose system directory structure" ], "name": "wipe-batch", "options": [], "usage": "health-control wipe-batch [OPTIONS]" }, { "description": "Wipe browser data and history", "examples": [ "health-control wipe-browser-data # Wipe all browsers", "health-control wipe-browser-data --browser firefox # Firefox only", "health-control wipe-browser-data --browser brave # Brave only", "health-control wipe-browser-data --browser tor # Tor Browser only", "health-control wipe-browser-data --browser all --json" ], "name": "wipe-browser-data", "options": [], "usage": "health-control wipe-browser-data [OPTIONS]" }, { "description": "Securely wipe free space on a mounted filesystem (use mount points like '/', '/home' or device paths)", "examples": [ "health-control wipe-free-space --device /", "health-control wipe-free-space --device /home", "health-control wipe-free-space --device /dev/sda1 --json", "health-control wipe-free-space --device /tmp" ], "name": "wipe-free-space", "options": [], "usage": "health-control wipe-free-space [OPTIONS]" }, { "description": "Wipe files matching pattern (use --pattern flag or positional argument)", "examples": [ "health-control wipe-pattern --pattern '*.tmp'", "health-control wipe-pattern '*.tmp'", "health-control wipe-pattern --pattern '*.log' --directory /var/log", "health-control wipe-pattern '*.log' --directory /var/log", "health-control wipe-pattern --pattern 'backup*' --json", "health-control wipe-pattern 'backup*' --json", "health-control wipe-pattern --pattern '*.cache' --directory ~/.cache", "health-control wipe-pattern '*.cache' --directory ~/.cache" ], "name": "wipe-pattern", "options": [], "usage": "health-control wipe-pattern [OPTIONS]" }, { "description": "Schedule automatic data wiping", "examples": [ "health-control wipe-schedule temp --frequency daily", "health-control wipe-schedule logs --frequency weekly", "health-control wipe-schedule browser --json" ], "name": "wipe-schedule", "options": [], "usage": "health-control wipe-schedule [OPTIONS]" }, { "description": "Verify that a file was wiped properly", "examples": [ "health-control wipe-verify --path /tmp/sensitive.txt", "health-control wipe-verify --path /home/user/data.bin --json" ], "name": "wipe-verify", "options": [], "usage": "health-control wipe-verify [OPTIONS]" } ] }, { "category": "Emergency Operations", "commands": [ { "description": "Arm the emergency kill switch - sets system to high-alert state for manual activation. NOTE: This prepares the system for rapid response but does NOT actively monitor for threats. It's a preparedness state that allows quick manual activation via kill-switch-activate command.", "examples": [ "health-control kill-switch-arm", "health-control kill-switch-arm --json" ], "name": "kill-switch-arm", "options": [], "usage": "health-control kill-switch-arm [OPTIONS]" }, { "description": "Disarm the emergency kill switch", "examples": [ "health-control kill-switch-disarm", "health-control kill-switch-disarm --json" ], "name": "kill-switch-disarm", "options": [], "usage": "health-control kill-switch-disarm [OPTIONS]" }, { "description": "Check if kill switch monitoring is armed/disarmed. Shows armed time, trigger count, and monitoring state. Does NOT activate anything - just displays current status.", "examples": [ "health-control kill-switch-status", "health-control kill-switch-status --json" ], "name": "kill-switch-status", "options": [], "usage": "health-control kill-switch-status [OPTIONS]" }, { "description": "IMMEDIATELY activate emergency procedures. Unlike 'arm' which monitors, this executes panic mode NOW. Choose level: soft (network+lock), medium (default: +kill processes), hard (+RAM wipe+shutdown)", "examples": [ "health-control kill-switch-activate", "health-control kill-switch-activate --level hard --force", "health-control kill-switch-activate --level soft --json" ], "name": "kill-switch-activate", "options": [], "usage": "health-control kill-switch-activate [OPTIONS]" }, { "description": "IMMEDIATE soft panic mode. Actions: Kill all network connections, clear clipboard, lock screen. NO CONFIRMATION. Reversible by restarting network. Use for quick privacy protection.", "examples": [ "health-control panic-soft", "health-control panic-soft --json", "health-control panic-soft --dry-run" ], "name": "panic-soft", "options": [], "usage": "health-control panic-soft [OPTIONS]" }, { "description": "IMMEDIATE hard panic mode with CONFIRMATION. CRITICAL: Kill network, clear clipboard, terminate ALL processes, clear memory, unmount devices, wipe RAM, IMMEDIATE SHUTDOWN. IRREVERSIBLE - system will shutdown!", "examples": [ "health-control panic-hard", "health-control panic-hard --json", "health-control panic-hard --dry-run" ], "name": "panic-hard", "options": [], "usage": "health-control panic-hard [OPTIONS]" }, { "description": "IMMEDIATE medium panic mode with CONFIRMATION. Actions: Kill network, clear clipboard, terminate non-essential processes, clear memory, unmount devices, lock screen. Requires manual system restart to fully restore.", "examples": [ "health-control panic-medium", "health-control panic-medium --json", "health-control panic-medium --dry-run" ], "name": "panic-medium", "options": [], "usage": "health-control panic-medium [OPTIONS]" }, { "description": "Configure automated emergency response profile that defines system actions during panic mode activation", "examples": [ "# Configure light security response (recommended for public wifi):", "health-control panic-profile --profile stealth", "", "# Configure maximum security lockdown (for high-risk situations):", "health-control panic-profile --profile paranoid", "", "# Configure recovery mode (to restore system to safe state):", "health-control panic-profile --profile recovery", "", "# Get JSON output with profile configuration details:", "health-control panic-profile --profile paranoid --json" ], "name": "panic-profile", "options": [], "usage": "health-control panic-profile [OPTIONS]" }, { "description": "Activate panic recovery mode", "examples": [ "health-control panic-recover", "health-control panic-recover --json" ], "name": "panic-recover", "options": [], "usage": "health-control panic-recover [OPTIONS]" }, { "description": "Create system recovery checkpoint", "examples": [ "health-control create-recovery-point", "health-control create-recovery-point --name pre-update", "health-control create-recovery-point --json" ], "name": "create-recovery-point", "options": [], "usage": "health-control create-recovery-point [OPTIONS]" }, { "description": "Execute emergency data destruction sequence (DANGEROUS - use --dry-run for testing)", "examples": [ "health-control nuke-execute --dry-run", "health-control nuke-execute --method fast --dry-run", "health-control nuke-execute --method paranoid --dry-run --json" ], "name": "nuke-execute", "options": [ { "default": "secure", "description": "Wipe method: fast, secure (default), paranoid", "flag": "--method, -m ", "required": false }, { "description": "Test mode - shows actions without executing", "flag": "--dry-run", "required": false }, { "description": "Skip confirmation prompt (DANGEROUS)", "flag": "--force, -f", "required": false } ], "usage": "health-control nuke-execute [--method fast|secure|paranoid] [--dry-run] [--force]" }, { "description": "Get current nuke mode execution progress", "examples": [ "health-control nuke-progress", "health-control nuke-progress --json" ], "name": "nuke-progress", "options": [], "usage": "health-control nuke-progress" }, { "description": "Detect storage type (SSD/HDD/NVMe) for a device", "examples": [ "health-control nuke-storage-detect --device /dev/sda", "health-control nuke-storage-detect -d /dev/nvme0n1 --json" ], "name": "nuke-storage-detect", "options": [ { "description": "Device path to check", "flag": "--device, -d ", "required": true } ], "usage": "health-control nuke-storage-detect --device /dev/sda" } ] }, { "category": "Hardware Security", "commands": [ { "description": "Verify hardware random number generator status", "examples": [ "health-control hardware-rng-verify", "health-control hardware-rng-verify --json" ], "name": "hardware-rng-verify", "options": [], "usage": "health-control hardware-rng-verify [OPTIONS]" }, { "description": "Check system entropy pool status and quality", "examples": [ "health-control entropy-status", "health-control entropy-status --json" ], "name": "entropy-status", "options": [], "usage": "health-control entropy-status [OPTIONS]" }, { "description": "Enable cold boot defense mechanisms", "examples": [ "health-control coldboot-defense-enable", "health-control coldboot-defense-enable --json" ], "name": "coldboot-defense-enable", "options": [], "usage": "health-control coldboot-defense-enable [OPTIONS]" }, { "description": "Disable cold boot defense mechanisms", "examples": [ "health-control coldboot-defense-disable", "health-control coldboot-defense-disable --json", "health-control coldboot-defense-disable --json-human" ], "name": "coldboot-defense-disable", "options": [], "usage": "health-control coldboot-defense-disable [OPTIONS]" }, { "description": "Check cold boot defense mechanisms status", "examples": [ "health-control coldboot-defense-status", "health-control coldboot-defense-status --json" ], "name": "coldboot-defense-status", "options": [], "usage": "health-control coldboot-defense-status [OPTIONS]" }, { "description": "Check boot chain integrity and security status", "examples": [ "health-control boot-integrity-check", "health-control boot-integrity-check --json" ], "name": "boot-integrity-check", "options": [], "usage": "health-control boot-integrity-check [OPTIONS]" } ] }, { "category": "Hostname Management", "commands": [ { "description": "Set the default hostname", "examples": [ "health-control set-default-hostname", "health-control set-default-hostname --json" ], "name": "set-default-hostname", "options": [], "usage": "health-control set-default-hostname [OPTIONS]" }, { "description": "Set a random hostname", "examples": [ "health-control set-random-hostname", "health-control set-random-hostname --json" ], "name": "set-random-hostname", "options": [], "usage": "health-control set-random-hostname [OPTIONS]" }, { "description": "Set a custom hostname", "examples": [ "health-control set-custom-hostname --name MyHost", "health-control set-custom-hostname --name secure-host --json" ], "name": "set-custom-hostname", "options": [], "usage": "health-control set-custom-hostname [OPTIONS]" } ] }, { "category": "Internet Traffic Control", "commands": [ { "description": "Block all internet traffic", "examples": [ "health-control block-internet", "health-control block-internet --method firewall", "health-control block-internet --method ufw", "health-control block-internet --method iptables", "health-control block-internet --method nftables", "health-control block-internet --method interfaces", "health-control block-internet --method all", "health-control block-internet --allow-local", "health-control block-internet --method iptables --allow-local", "health-control block-internet --method all --allow-local", "health-control block-internet --json" ], "name": "block-internet", "options": [], "usage": "health-control block-internet [OPTIONS]" }, { "description": "Unblock internet traffic", "examples": [ "health-control unblock-internet", "health-control unblock-internet --method firewall", "health-control unblock-internet --method ufw", "health-control unblock-internet --method iptables", "health-control unblock-internet --method nftables", "health-control unblock-internet --method interfaces", "health-control unblock-internet --method all", "health-control unblock-internet --json" ], "name": "unblock-internet", "options": [], "usage": "health-control unblock-internet [OPTIONS]" }, { "description": "Check internet blocking status", "examples": [ "health-control internet-status", "health-control internet-status --silent", "health-control internet-status --skipnotification", "health-control internet-status --skip-notification", "health-control internet-status --skipnotifcation", "health-control internet-status --json" ], "name": "internet-status", "options": [], "usage": "health-control internet-status [OPTIONS]" }, { "description": "Recover internet connectivity", "examples": [ "health-control recover-internet", "health-control recover-internet --check-dns", "health-control recover-internet --force", "health-control recover-internet --check-dns --force", "health-control recover-internet --silent", "health-control recover-internet --skipnotification", "health-control recover-internet --skip-notification", "health-control recover-internet --skipnotifcation", "health-control recover-internet --json" ], "name": "recover-internet", "options": [], "usage": "health-control recover-internet [OPTIONS]" }, { "description": "Fast internet recovery - bounce interface, restart NetworkManager, renew DHCP", "examples": [ "health-control fast-recover-internet", "health-control fast-recover-internet --force", "health-control fast-recover-internet --force --silent", "health-control fast-recover-internet --silent", "health-control fast-recover-internet --skipnotification", "health-control fast-recover-internet --skip-notification", "health-control fast-recover-internet --skipnotifcation", "health-control fast-recover-internet --json" ], "name": "fast-recover-internet", "options": [], "usage": "health-control fast-recover-internet [OPTIONS]" }, { "description": "Emergency network kill switch", "examples": [ "health-control kill-network", "health-control kill-network --json" ], "name": "kill-network", "options": [], "usage": "health-control kill-network [OPTIONS]" }, { "description": "Kill specific network interface", "examples": [ "health-control kill-network-interface --interface wlan0", "health-control kill-network-interface --interface eth0 --json" ], "name": "kill-network-interface", "options": [], "usage": "health-control kill-network-interface [OPTIONS]" }, { "description": "Kill specific process by name or PID", "examples": [ "health-control kill-process --process firefox", "health-control kill-process --process 1234 --json" ], "name": "kill-process", "options": [], "usage": "health-control kill-process [OPTIONS]" }, { "description": "Enable a watch-guard to monitor system changes and block internet on triggers", "examples": [ "health-control enable --type watch-guard --watch ip --method nftables", "health-control enable --type watch-guard --watch timezone --method iptables", "health-control enable --type watch-guard --watch timezone --method iptables --daemon", "health-control enable --type watch-guard --watch interfaces --method firewall", "health-control enable --type watch-guard --watch process --target tor --method all", "health-control enable --type watch-guard --watch process --target firefox --method auto", "health-control enable --type watch-guard --watch mac --method nftables --interval 5", "health-control enable --type watch-guard --watch hostname --method iptables", "health-control enable --type watch-guard --watch vpn --method nftables --interval 3", "health-control enable --type watch-guard --watch dns --method firewall", "health-control enable --type watch-guard --watch mac --method nftables --actions log_event,randomize_hostname", "health-control enable --type watch-guard --watch vpn --method nftables --actions log_event,show_alert,block_network" ], "name": "enable", "options": [], "usage": "health-control enable [OPTIONS]" }, { "description": "Disable an active watch-guard and optionally unblock internet", "examples": [ "health-control disable --type watch-guard ip", "health-control disable --type watch-guard timezone", "health-control disable --type watch-guard interfaces", "health-control disable --type watch-guard tor", "health-control disable --type watch-guard all", "health-control disable --type watch-guard all --no-unblock" ], "name": "disable", "options": [ { "description": "Type of command to disable", "flag": "--type", "required": true }, { "description": "Do not unblock internet after disabling watch-guard", "flag": "--no-unblock", "required": false } ], "usage": "health-control disable --type watch-guard " }, { "description": "Show status of active watch-guards", "examples": [ "health-control watch-guard status", "health-control watch-guard status --json" ], "name": "watch-guard", "options": [], "usage": "health-control watch-guard status" }, { "description": "Run watch-guard monitoring as a persistent daemon process", "examples": [ "health-control daemon --config-id timezone_iptables" ], "name": "daemon", "options": [ { "description": "Configuration ID to monitor", "flag": "--config-id", "required": true } ], "usage": "health-control daemon --config-id " } ] }, { "category": "MAC Address Management", "commands": [ { "description": "Change all MAC addresses", "examples": [ "health-control mac-change-all", "health-control mac-change-all --json" ], "name": "mac-change-all", "options": [], "usage": "health-control mac-change-all [OPTIONS]" }, { "description": "Force change all MAC addresses (disable interfaces first)", "examples": [ "health-control mac-force-change", "health-control mac-force-change --json" ], "name": "mac-force-change", "options": [], "usage": "health-control mac-force-change [OPTIONS]" }, { "description": "Change specific interface MAC address", "examples": [ "health-control mac-change-specific --interface eth0", "health-control mac-change-specific --interface wlan0 --json" ], "name": "mac-change-specific", "options": [], "usage": "health-control mac-change-specific [OPTIONS]" }, { "description": "Show available network interfaces", "examples": [ "health-control mac-show-interfaces", "health-control mac-show-interfaces --json" ], "name": "mac-show-interfaces", "options": [], "usage": "health-control mac-show-interfaces [OPTIONS]" }, { "description": "Show current MAC addresses", "examples": [ "health-control mac-show-macs", "health-control mac-show-macs --json" ], "name": "mac-show-macs", "options": [], "usage": "health-control mac-show-macs [OPTIONS]" }, { "description": "Reset all MAC addresses to default", "examples": [ "health-control mac-reset-all", "health-control mac-reset-all --json" ], "name": "mac-reset-all", "options": [], "usage": "health-control mac-reset-all [OPTIONS]" }, { "description": "Show active network interface", "examples": [ "health-control mac-active-interface", "health-control mac-active-interface --json" ], "name": "mac-active-interface", "options": [], "usage": "health-control mac-active-interface [OPTIONS]" } ] }, { "category": "Memory Management", "commands": [ { "description": "Clean memory caches and buffers", "examples": [ "sudo health-control memory-clean", "sudo health-control memory-clean --json" ], "name": "memory-clean", "options": [], "usage": "health-control memory-clean [OPTIONS]" }, { "description": "Force clean memory by killing top process", "examples": [ "sudo health-control memory-force-clean", "sudo health-control memory-force-clean --json" ], "name": "memory-force-clean", "options": [], "usage": "health-control memory-force-clean [OPTIONS]" }, { "description": "Secure RAM wipe (sdmem)", "examples": [ "sudo health-control memory-wipe", "sudo health-control memory-wipe --json" ], "name": "memory-wipe", "options": [], "usage": "health-control memory-wipe [OPTIONS]" }, { "description": "Wipe memory of specific process", "examples": [ "health-control memory-wipe-process --value firefox", "health-control memory-wipe-process --value 1234 --json" ], "name": "memory-wipe-process", "options": [], "usage": "health-control memory-wipe-process [OPTIONS]" }, { "description": "Manage process memory limits", "examples": [ "sudo health-control memory-limits", "sudo health-control memory-limits --value firefox --limit 1024", "sudo health-control memory-limits --value chrome --limit 2048", "sudo health-control memory-limits --value brave --limit 1536", "sudo health-control memory-limits --json" ], "name": "memory-limits", "options": [], "usage": "health-control memory-limits [OPTIONS]" }, { "description": "Display memory statistics and history", "examples": [ "health-control memory-stats", "health-control memory-stats --history --json" ], "name": "memory-stats", "options": [], "usage": "health-control memory-stats [OPTIONS]" }, { "description": "Configure swap settings", "examples": [ "health-control swap-configure --swappiness 10 --cache-pressure 50", "health-control swap-configure --swappiness 0 --json" ], "name": "swap-configure", "options": [], "usage": "health-control swap-configure [OPTIONS]" }, { "description": "Disable swap memory", "examples": [ "sudo health-control disable-swap", "sudo health-control disable-swap --json" ], "name": "disable-swap", "options": [], "usage": "health-control disable-swap [OPTIONS]" }, { "description": "Enable swap memory", "examples": [ "sudo health-control enable-swap", "sudo health-control enable-swap --size 2048", "sudo health-control enable-swap --size 4096", "sudo health-control enable-swap --json" ], "name": "enable-swap", "options": [], "usage": "health-control enable-swap [OPTIONS]" } ] }, { "category": "Network Connectivity", "commands": [ { "description": "Check network connectivity (IP and DNS only)", "examples": [ "health-control net-check", "health-control net-check --json", "health-control net-check --timeout 15", "health-control net-check --http --json", "health-control net-check --ip-only", "health-control net-check --domain-only", "health-control net-check --domain-only --dns-server 127.0.0.1:5353" ], "name": "net-check", "options": [ { "default": "10", "description": "Timeout in seconds for each connectivity check", "flag": "--timeout ", "required": false }, { "description": "Include HTTP connectivity check", "flag": "--http", "required": false }, { "description": "Check IP connectivity only, skip DNS checks", "flag": "--ip-only", "required": false }, { "description": "Check domain connectivity only, skip IP ping", "flag": "--domain-only", "required": false }, { "description": "Custom DNS server address (e.g., 127.0.0.1:5353 for Tor DNS)", "flag": "--dns-server ", "required": false } ], "usage": "health-control net-check [--timeout ] [--http] [--ip-only] [--domain-only] [--dns-server ]" }, { "description": "Check network connectivity including HTTP", "examples": [ "health-control net-check-http", "health-control net-check-http --timeout 15", "health-control net-check-http --json" ], "name": "net-check-http", "options": [], "usage": "health-control net-check-http [OPTIONS]" }, { "description": "List IPs used for connectivity testing", "examples": [ "health-control list-ips", "health-control list-ips --json" ], "name": "list-ips", "options": [], "usage": "health-control list-ips [OPTIONS]" }, { "description": "List domains used for connectivity testing", "examples": [ "health-control list-domains", "health-control list-domains --json" ], "name": "list-domains", "options": [], "usage": "health-control list-domains [OPTIONS]" } ] }, { "category": "Offline Actions", "commands": [ { "description": "Manage PostgreSQL database service", "examples": [ "health-control offline-postgresql --action disable", "health-control offline-postgresql --action enable", "health-control offline-postgresql --action check --json" ], "name": "offline-postgresql", "options": [], "usage": "health-control offline-postgresql [OPTIONS]" } ] }, { "category": "Password Generation", "commands": [ { "description": "Generate secure passwords using multiple methods (pass, pwgen, xkcdpass)", "examples": [ "health-control genpass", "health-control genpass --method pwgen", "health-control genpass --count 10", "health-control genpass --method pwgen --count 50", "health-control genpass --method xkcdpass --count 20 --json", "health-control genpass --length 32 --symbols \"@-_!#$\"" ], "name": "genpass", "options": [], "usage": "health-control genpass [OPTIONS]" } ] }, { "category": "Security", "commands": [ { "description": "Show comprehensive security status", "examples": [ "health-control security-status", "health-control security-status --category network", "health-control security-status --category all --json", "health-control security-status all", "health-control security-status network --json" ], "name": "security-status", "options": [], "usage": "health-control security-status [OPTIONS]" } ] }, { "category": "Security Assessment", "commands": [ { "description": "Calculate security score and get recommendations", "examples": [ "health-control security-score", "health-control security-score --json" ], "name": "security-score", "options": [], "usage": "health-control security-score [OPTIONS]" }, { "description": "Generate comprehensive security report", "examples": [ "health-control security-report", "health-control security-report --format detailed", "health-control security-report --format compliance --json" ], "name": "security-report", "options": [], "usage": "health-control security-report [OPTIONS]" }, { "description": "Set security profile and thresholds", "examples": [ "health-control security-profile --value minimal", "health-control security-profile --value balanced", "health-control security-profile --value paranoid", "health-control security-profile --value balanced --json" ], "name": "security-profile", "options": [], "usage": "health-control security-profile [OPTIONS]" }, { "description": "View security configuration history", "examples": [ "health-control security-history", "health-control security-history --days 30", "health-control security-history --json" ], "name": "security-history", "options": [], "usage": "health-control security-history [OPTIONS]" }, { "description": "Auto-remediate security issues", "examples": [ "health-control security-remediate", "health-control security-remediate --bool true", "health-control security-remediate --bool false --json" ], "name": "security-remediate", "options": [], "usage": "health-control security-remediate [OPTIONS]" }, { "description": "Schedule security scans (hourly, daily, weekly, monthly, disable)", "examples": [ "health-control security-schedule --value daily", "health-control security-schedule --value weekly", "health-control security-schedule --value disable --json" ], "name": "security-schedule", "options": [], "usage": "health-control security-schedule [OPTIONS]" }, { "description": "Enhanced rootkit scanning with multiple tools", "examples": [ "health-control rootkit-scan-enhanced", "health-control rootkit-scan-enhanced --deep", "health-control rootkit-scan-enhanced --json" ], "name": "rootkit-scan-enhanced", "options": [], "usage": "health-control rootkit-scan-enhanced [OPTIONS]" }, { "description": "Run Lynis security audit", "examples": [ "health-control lynis-audit", "health-control lynis-audit --value quick", "health-control lynis-audit --value pentest --json" ], "name": "lynis-audit", "options": [], "usage": "health-control lynis-audit [OPTIONS]" }, { "description": "Check Lynis installation status", "examples": [ "health-control lynis-status", "health-control lynis-status --json" ], "name": "lynis-status", "options": [], "usage": "health-control lynis-status [OPTIONS]" }, { "description": "Scan system with ClamAV antivirus", "examples": [ "health-control clamav-scan", "health-control clamav-scan --path /home --recursive", "health-control clamav-scan --quarantine --json" ], "name": "clamav-scan", "options": [], "usage": "health-control clamav-scan [OPTIONS]" }, { "description": "Perform comprehensive system security audit", "examples": [ "health-control system-audit", "health-control system-audit --level comprehensive", "health-control system-audit --modules network,filesystem --json" ], "name": "system-audit", "options": [], "usage": "health-control system-audit [OPTIONS]" } ] }, { "category": "Security Hardening", "commands": [ { "description": "Apply comprehensive security hardening", "examples": [ "health-control security-harden", "health-control security-harden --profile paranoid", "health-control security-harden --break-monitoring", "health-control security-harden --modules kernel,network --json" ], "name": "security-harden", "options": [], "usage": "health-control security-harden [OPTIONS]" }, { "description": "Verify if security hardening is properly applied (checks all 7 modules and reports their status)", "examples": [ "health-control security-verify", " # Check status of all 7 security modules:", " # - kernel: sysctl hardening (kptr_restrict, dmesg_restrict, etc.)", " # - process: isolation settings (hidepid, namespaces)", " # - filesystem: secure mount options (nosuid, nodev)", " # - network: firewall settings (tcp_syncookies, ip_forward)", " # - memory: protection (ASLR, protected symlinks/hardlinks)", " # - monitoring: auditd and syslog status", " # - sandboxing: AppArmor and seccomp availability", " # Shows: ENABLED/DISABLED and if properly configured", "", "health-control security-verify --profile paranoid", " # Verify against paranoid profile expectations", "", "health-control security-verify --json", " # Get detailed JSON output with all verification data" ], "name": "security-verify", "options": [], "usage": "health-control security-verify [OPTIONS]" }, { "description": "Temporarily revert security hardening (keeps framework enabled for quick re-hardening)", "examples": [ "# Temporarily revert security hardening (keeps framework ready for re-hardening)", "sudo health-control security-recover", "", "# After recovery, modules show 'ENABLED (needs configuration)'", "# This means: Framework is ready but no restrictions are enforced", "# Use this when: Troubleshooting issues, planning to re-harden later", "", "# Recover only specific modules", "sudo health-control security-recover --modules network,kernel", "", "# To re-apply hardening after recovery:", "sudo health-control security-harden" ], "name": "security-recover", "options": [], "usage": "health-control security-recover [OPTIONS]" }, { "description": "Completely disable all security modules and framework (permanent removal)", "examples": [ "# Completely disable all security modules and framework", "sudo health-control security-reset", "", "# After reset, modules show 'DISABLED'", "# This means: All security framework is completely turned off", "# Use this when: You want to permanently remove security hardening", "", "# Skip confirmation prompt", "sudo health-control security-reset --force", "", "# Warning: After reset, security-harden will need to rebuild framework" ], "name": "security-reset", "options": [], "usage": "health-control security-reset [OPTIONS]" }, { "description": "Enable system monitoring features", "examples": [ "health-control monitoring-enable", "health-control monitoring-enable --modules auditd,lkrg,file-integrity", "health-control monitoring-enable --json" ], "name": "monitoring-enable", "options": [], "usage": "health-control monitoring-enable [OPTIONS]" }, { "description": "Disable system monitoring features", "examples": [ "health-control monitoring-disable", "health-control monitoring-disable --modules auditd,lkrg", "health-control monitoring-disable --json" ], "name": "monitoring-disable", "options": [], "usage": "health-control monitoring-disable [OPTIONS]" }, { "description": "Check system security monitoring status", "examples": [ "health-control monitoring-status", "health-control monitoring-status --json" ], "name": "monitoring-status", "options": [], "usage": "health-control monitoring-status [OPTIONS]" }, { "description": "Disable IPv6 system-wide", "examples": [ "health-control ipv6-disable", "health-control ipv6-disable --json" ], "name": "ipv6-disable", "options": [], "usage": "health-control ipv6-disable [OPTIONS]" }, { "description": "Enable IPv6 system-wide", "examples": [ "health-control ipv6-enable", "health-control ipv6-enable --json" ], "name": "ipv6-enable", "options": [], "usage": "health-control ipv6-enable [OPTIONS]" }, { "description": "Enable Tirdad TCP ISN randomization", "examples": [ "health-control tirdad-enable", "health-control tirdad-enable --json" ], "name": "tirdad-enable", "options": [], "usage": "health-control tirdad-enable [OPTIONS]" }, { "description": "Disable Tirdad TCP ISN randomization", "examples": [ "health-control tirdad-disable", "health-control tirdad-disable --json" ], "name": "tirdad-disable", "options": [], "usage": "health-control tirdad-disable [OPTIONS]" }, { "description": "Check Tirdad TCP ISN randomization status", "examples": [ "health-control tirdad-status", "health-control tirdad-status --json" ], "name": "tirdad-status", "options": [], "usage": "health-control tirdad-status [OPTIONS]" }, { "description": "Check IPv6 status", "examples": [ "health-control ipv6-status", "health-control ipv6-status --json" ], "name": "ipv6-status", "options": [], "usage": "health-control ipv6-status [OPTIONS]" }, { "description": "Enable secure RAM wiping on shutdown", "examples": [ "health-control ram-wipe", "health-control ram-wipe --json" ], "name": "ram-wipe", "options": [], "usage": "health-control ram-wipe [OPTIONS]" }, { "description": "Install RAM wipe system (hooks + configuration) - Run this first if not already installed", "examples": [ "sudo health-control wipe-ram-install", "sudo health-control wipe-ram-install --policy kodachi-wiper", "sudo health-control wipe-ram-install --policy sdmem --passes 3", "sudo health-control wipe-ram-install --time 120", "sudo health-control wipe-ram-install --policy sdmem --passes 5", "sudo health-control wipe-ram-install --policy both --time 120 --passes 3", "sudo health-control wipe-ram-install --force", "sudo health-control wipe-ram-install --json" ], "name": "wipe-ram-install", "options": [], "usage": "health-control wipe-ram-install [OPTIONS]" }, { "description": "Show RAM wipe system status - Check this first before installing or configuring", "examples": [ "sudo health-control ram-wipe-status", "sudo health-control ram-wipe-status --json" ], "name": "ram-wipe-status", "options": [], "usage": "health-control ram-wipe-status [OPTIONS]" }, { "description": "Update RAM wipe configuration - Use this to modify settings after installation", "examples": [ "sudo health-control wipe-ram-config --policy auto", "sudo health-control wipe-ram-config --policy kodachi-wiper", "sudo health-control wipe-ram-config --time 120", "sudo health-control wipe-ram-config --passes 5", "sudo health-control wipe-ram-config --split 70", "sudo health-control wipe-ram-config --policy both --time 120", "sudo health-control wipe-ram-config --policy both --time 90 --passes 3 --split 60", "sudo health-control wipe-ram-config --json" ], "name": "wipe-ram-config", "options": [ { "description": "Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)", "flag": "--policy " }, { "description": "Set time budget for shutdown RAM wiping. Recommended: 60-90s desktops, 120-300s servers", "flag": "--time " }, { "description": "Set number of sdmem passes (1-9). More = secure but slower. Recommended: 3 balanced, 7+ high-security", "flag": "--passes " }, { "description": "Set time split for 'both' mode (10-90). Example: 70 = 70% kodachi-wiper, 30% sdmem. Higher = faster but less secure", "flag": "--split " } ], "usage": "health-control wipe-ram-config [OPTIONS]" }, { "description": "Enable automatic RAM wiping on shutdown", "examples": [ "sudo health-control ram-wipe-enable", "sudo health-control ram-wipe-enable --schedule immediate", "sudo health-control ram-wipe-enable --schedule delay", "sudo health-control ram-wipe-enable --passes 5", "sudo health-control ram-wipe-enable --schedule shutdown --passes 3", "sudo health-control ram-wipe-enable --json" ], "name": "ram-wipe-enable", "options": [], "usage": "health-control ram-wipe-enable [OPTIONS]" }, { "description": "Disable automatic RAM wiping", "examples": [ "sudo health-control ram-wipe-disable", "sudo health-control ram-wipe-disable --preserve-config", "sudo health-control ram-wipe-disable --json" ], "name": "ram-wipe-disable", "options": [], "usage": "health-control ram-wipe-disable [OPTIONS]" }, { "description": "Test RAM wipe operation (dry-run with short time budget) - Run this to verify installation before relying on automatic wipes", "examples": [ "sudo health-control wipe-ram-test", "sudo health-control wipe-ram-test --policy kodachi-wiper", "sudo health-control wipe-ram-test --policy sdmem", "sudo health-control wipe-ram-test --policy both --time 60", "sudo health-control wipe-ram-test --time 30", "sudo health-control wipe-ram-test --policy kodachi-wiper --time 20", "sudo health-control wipe-ram-test --json" ], "name": "wipe-ram-test", "options": [ { "description": "Test specific wipe policy: kodachi-wiper (fast)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)", "flag": "--policy " }, { "default": "10", "description": "Test time budget in seconds (default: 10). Quick test only - actual shutdown wipe uses configured time budget from wipe-ram-config", "flag": "--time " } ], "usage": "health-control wipe-ram-test [OPTIONS]" }, { "description": "Execute RAM wipe operation (primarily used by systemd/init shutdown hooks, but can be run manually for testing)", "examples": [ "sudo health-control wipe-ram", "sudo health-control wipe-ram --policy kodachi-wiper", "sudo health-control wipe-ram --policy sdmem", "sudo health-control wipe-ram --policy both --time 120", "sudo health-control wipe-ram --time 120", "sudo health-control wipe-ram --no-console", "sudo health-control wipe-ram --json", "sudo health-control wipe-ram --shutdown-mode" ], "name": "wipe-ram", "options": [ { "default": "false", "description": "INTERNAL USE - Shutdown-optimized mode for systemd/init hooks. Users should use 'wipe-ram' without this flag", "flag": "--shutdown-mode" }, { "default": "false", "description": "Disable console output for silent operation (useful in scripts and background tasks)", "flag": "--no-console" }, { "description": "Override wipe policy: kodachi-wiper (fast native wiper for quick shutdowns)|sdmem (secure DoD-standard multi-pass for maximum security)|both (hybrid approach: fast+secure)|auto (intelligent auto-selection based on system capabilities)", "flag": "--policy " }, { "description": "Override time budget in seconds (how long to spend wiping RAM). Higher values = more memory wiped but longer shutdown time", "flag": "--time " } ], "usage": "health-control wipe-ram [OPTIONS]" }, { "description": "Detect Kicksecure/Whonix RAM wipe installation", "examples": [ "sudo health-control ram-wipe-detect-kicksecure", "sudo health-control ram-wipe-detect-kicksecure --json", "sudo health-control ram-wipe-detect-kicksecure --json-human" ], "name": "ram-wipe-detect-kicksecure", "options": [], "usage": "health-control ram-wipe-detect-kicksecure" }, { "description": "Update RAM wipe configuration (alias for wipe-ram-config)", "examples": [ "sudo health-control ram-wipe-update --policy auto", "sudo health-control ram-wipe-update --policy both --time 150", "sudo health-control ram-wipe-update --policy kodachi-wiper", "sudo health-control ram-wipe-update --time 120", "sudo health-control ram-wipe-update --passes 5", "sudo health-control ram-wipe-update --json" ], "name": "ram-wipe-update", "options": [ { "description": "Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)", "flag": "--policy " }, { "description": "Set time budget in seconds", "flag": "--time " }, { "description": "Set sdmem passes (1-9)", "flag": "--passes " }, { "description": "Set custom/sdmem split for 'both' mode (10-90)", "flag": "--split " } ], "usage": "health-control ram-wipe-update [OPTIONS]" }, { "description": "Check disk encryption status and security", "examples": [ "health-control disk-encryption-status", "health-control disk-encryption-status --json" ], "name": "disk-encryption-status", "options": [], "usage": "health-control disk-encryption-status [OPTIONS]" }, { "description": "Enable swap partition/file", "examples": [ "health-control swap-enable", "health-control swap-enable --json" ], "name": "swap-enable", "options": [], "usage": "health-control swap-enable [OPTIONS]" }, { "description": "Disable swap partition/file", "examples": [ "health-control swap-disable", "health-control swap-disable --json" ], "name": "swap-disable", "options": [], "usage": "health-control swap-disable [OPTIONS]" }, { "description": "Encrypt swap partition/file", "examples": [ "health-control swap-encrypt", "health-control swap-encrypt --json" ], "name": "swap-encrypt", "options": [], "usage": "health-control swap-encrypt [OPTIONS]" }, { "description": "Check swap status and configuration", "examples": [ "health-control swap-status", "health-control swap-status --json" ], "name": "swap-status", "options": [], "usage": "health-control swap-status [OPTIONS]" }, { "description": "Decrypt encrypted swap partition/file", "examples": [ "health-control swap-decrypt", "health-control swap-decrypt --device /dev/sda3", "health-control swap-decrypt --json" ], "name": "swap-decrypt", "options": [], "usage": "health-control swap-decrypt [OPTIONS]" }, { "description": "Check swap encryption status", "examples": [ "health-control swap-encrypt-status", "health-control swap-encrypt-status --json" ], "name": "swap-encrypt-status", "options": [], "usage": "health-control swap-encrypt-status [OPTIONS]" }, { "description": "List all USB devices", "examples": [ "health-control usb-list", "health-control usb-list --json" ], "name": "usb-list", "options": [], "usage": "health-control usb-list [OPTIONS]" }, { "description": "Manage LUKS nuke passwords", "examples": [ "# AUTOMATED HEADER BACKUP + Nuke Configuration", "", "# Check nuke password status", "sudo health-control luks-nuke --action status", " → Shows all LUKS devices and nuke password status", "", "# Check specific device", "sudo health-control luks-nuke --action status --device /dev/sda5", " → Shows nuke password status for /dev/sda5 only", "", "# Configure nuke password (FULLY AUTOMATED)", "sudo health-control luks-nuke --action configure --device /dev/sda5", " → Backs up LUKS header AUTOMATICALLY to /backups/", " → Encrypts backup with GPG automatically", " → Configures nuke password via cryptsetup-nuke-password", " → Verifies everything works", " → NO manual cryptsetup commands needed!", "", "# Configure with CLI password (INSECURE - visible in history)", "sudo health-control luks-nuke --action configure --device /dev/sda5 --password nuke123", " ⚠️ WARNING: Password visible in shell history!", " → Still backs up header automatically", "", "# Header backup location", "# Saved to: /backups/header-{device-name}-{timestamp}.img.gpg", "# Keep this file SAFE - it's your ONLY recovery option!", "", "# Remove nuke password", "sudo health-control luks-nuke --action remove --device /dev/sda5", " → Removes nuke password via cryptsetup-nuke-password", "", "# MANUAL EMERGENCY EXECUTE (IRREVERSIBLE)", "sudo health-control luks-nuke --action execute --device /dev/sda5 --force-execute", " → Immediately destroys LUKS key material on selected device.", " → Data becomes permanently unrecoverable.", "", "# ℹ️ FILE-BASED LUKS CONTAINERS SUPPORTED", "# Works with both block devices (/dev/*) AND file-based containers", "", "# Configure nuke for casper-rw persistence file (AUTOMATED)", "sudo health-control luks-nuke --action configure --device /tmp/casper-rw", " → Backs up header automatically", " → Supports file-based LUKS containers created by create-persistence", "", "# Check nuke status on encrypted persistence file", "sudo health-control luks-nuke --action status --device /media/kodachi/persistence/casper-rw", " → File must exist and be a valid LUKS container", "", "# Remove nuke from file-based container", "sudo health-control luks-nuke --action remove --device /tmp/encrypted-container.img", " → Works identically with files and block devices", "", "# COMPLETE AUTOMATED WORKFLOW", "# Create encrypted persistence with nuke password - ZERO manual steps", "", "# Step 1: List devices to find USB", "sudo health-control list-storage-devices", "", "# Step 2: Check device safety", "sudo health-control usb-safety-check --device /dev/sdc2", "", "# Step 3: Create encrypted persistence (AUTOMATED)", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted", " → Confirms device selection", " → Formats automatically", " → Creates persistence.conf automatically", " → Done!", "", "# Step 4: Configure nuke password (AUTOMATED)", "sudo health-control luks-nuke --action configure --device /dev/sdc2", " → Backs up header automatically to /backups/", " → Configures nuke password automatically", " → Verifies everything works", " → Done!", "", "# ✅ ZERO MANUAL COMMANDS!", "# ✅ NO manual mounting/unmounting!", "# ✅ NO manual backup commands!", "# ✅ Everything automated with safety confirmations!", "", "# EMERGENCY: Restore header if nuke password used accidentally", "gpg -d /backups/header-sdc2-*.img.gpg | sudo cryptsetup luksHeaderRestore /dev/sdc2", "", "# List available encrypted header backups", "sudo health-control luks-nuke --action list-backups --device /dev/sda1", "", "# Restore from encrypted backup", "sudo health-control luks-nuke --action restore-backup --device /dev/sda1 --backup-file header-sda1-20260304-014630.img.gpg", "", "# Delete old backup", "sudo health-control luks-nuke --action delete-backup --backup-file header-sda1-20260304-014630.img.gpg", " ⚠️ USE ONLY IF nuke password was accidentally entered!", "", "# JSON output for monitoring", "sudo health-control luks-nuke --action status --json" ], "name": "luks-nuke", "options": [], "usage": "health-control luks-nuke [OPTIONS]" }, { "description": "Detect valid LUKS devices on the system", "examples": [ "health-control luks-detect", "health-control luks-detect --all-devices", "health-control luks-detect --json" ], "name": "luks-detect", "options": [], "usage": "health-control luks-detect [OPTIONS]" }, { "description": "Manage LUKS encrypted devices", "examples": [ "health-control luks-manage --action list", "health-control luks-manage --action unlock --device /dev/sdb1", "health-control luks-manage --action lock --device /dev/sdb1" ], "name": "luks-manage", "options": [], "usage": "health-control luks-manage [OPTIONS]" }, { "description": "Advanced LUKS nuke configuration (emergency wipe)", "examples": [ "health-control luks-nuke-advanced --device /dev/sdb1 --password EMERGENCY", "health-control luks-nuke-advanced --device /dev/sda2 --json" ], "name": "luks-nuke-advanced", "options": [], "usage": "health-control luks-nuke-advanced [OPTIONS]" }, { "description": "Remove LUKS encryption from device", "examples": [ "health-control luks-remove /dev/sdb1", "health-control luks-remove /dev/sdb1 --force" ], "name": "luks-remove", "options": [], "usage": "health-control luks-remove [OPTIONS]" }, { "description": "Advanced LUKS device management", "examples": [ "health-control luks-manage-advanced --action backup-header --device /dev/sdb1 --backup-file /tmp/header.backup", "health-control luks-manage-advanced --action restore-header --device /dev/sdb1 --backup-file /tmp/header.backup", "health-control luks-manage-advanced --action add-key --device /dev/sdb1 --key-file /tmp/newkey" ], "name": "luks-manage-advanced", "options": [], "usage": "health-control luks-manage-advanced [OPTIONS]" }, { "description": "Create encrypted persistence file", "examples": [ "health-control create-persistence", "health-control create-persistence --size 8", "health-control create-persistence --encrypted", "health-control create-persistence --encrypted --size 8", "health-control create-persistence --encrypted --password 'MySecurePass123'", "health-control create-persistence --size 4 --output /tmp/persistence.img --json" ], "name": "create-persistence", "options": [], "usage": "health-control create-persistence [OPTIONS]" }, { "description": "Create persistence for other Linux distributions (Kali, Parrot, Tails)", "examples": [ "# FULLY AUTOMATED - No manual mounting needed!", "", "# RECOMMENDED: List devices first to see what's safe", "sudo health-control list-storage-devices", " → Shows which devices are SAFE vs DANGEROUS", "", "# Check if your device is safe", "sudo health-control usb-safety-check --device /dev/sdc2", " → Verifies device before formatting", "", "# Unencrypted persistence for Kali Linux (AUTOMATED)", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali", " → Confirms device selection", " → Formats partition automatically", " → Creates persistence.conf automatically", " → Ready to use - NO manual mounting!", "", "# Encrypted persistence for Parrot OS (FULLY AUTOMATED)", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type parrot --encrypted", " → Password prompted securely (not visible in history)", " → Confirms device selection", " → Encrypts partition automatically", " → Mounts, configures, unmounts automatically", " → Everything automated with safety confirmations!", "", "# Encrypted persistence for Tails with CLI password (INSECURE)", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type tails --encrypted --password 'MyPass123'", " ⚠️ WARNING: Password visible in shell history!", "", "# Complete safe workflow (AUTOMATED)", "sudo health-control list-storage-devices && \\", "sudo health-control usb-safety-check --device /dev/sdc2 && \\", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted", " → Entire workflow automated - just type YES when prompted!", "", "# With JSON output", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted --json" ], "name": "create-persistence-other-os", "options": [], "usage": "health-control create-persistence-other-os [OPTIONS]" }, { "description": "Check storage encryption status", "examples": [ "# Check overall system encryption status", "health-control encryption-status", " → Shows: LUKS devices, encrypted filesystems, swap encryption", " → Shows: Home directory encryption, full disk encryption status", " → Reports: Encryption count summary (X/Y devices encrypted)", " → Lists: Active encrypted containers and their mount points", "", "# Typical output includes:", "# - LUKS devices: /dev/sda5 (/, 120 GB), /dev/sdb1 (backup, 500 GB)", "# - Encrypted swap: Yes (dm-crypt)", "# - Home encryption: Yes (LUKS)", "# - Full disk encryption: Yes (all partitions encrypted)", "# - Encryption strength: AES-256-XTS", "", "# JSON output for monitoring/scripting", "health-control encryption-status --json", " → Structured data: luks_devices[], encrypted_filesystems[]", " → Boolean flags: home_encryption, swap_encrypted, full_disk_encryption", " → Device details: cipher, key_size, device_path, mount_point, size", " → Use in monitoring scripts for encryption compliance" ], "name": "encryption-status", "options": [], "usage": "health-control encryption-status [OPTIONS]" }, { "description": "Create encrypted container", "examples": [ "# Create encrypted container (default: ext4, 1GB)", "health-control container-create --path /tmp/secure.img", " → Size: 1024 MB (default)", " → Filesystem: ext4 (default)", " → Creates sparse file (doesn't use full size immediately)", " → Ready to mount and use", "", "# Create large LUKS encrypted container", "health-control container-create --path /secure/data.img --size 5000 --fs-type luks", " → Size: 5000 MB (5 GB)", " → Prompts for strong password (8+ chars recommended)", " → Uses cryptsetup for LUKS2 format", " → Hardware crypto acceleration if available", "", "# Create VeraCrypt compatible container", "health-control container-create --path /backup/portable.img --size 2048 --fs-type veracrypt", " → Cross-platform compatibility (Windows, Mac, Linux)", " → Can be opened with VeraCrypt GUI", " → Good for external backup drives", "", "# Filesystem types explained:", "# --fs-type ext4:", "# - Standard Linux filesystem (fastest)", "# - No encryption by default", "# - Best for temporary/non-sensitive data", "", "# --fs-type luks:", "# - LUKS2 encrypted container (RECOMMENDED for sensitive data)", "# - AES-256-XTS encryption", "# - Linux native, best performance", "# - Requires password to mount", "", "# --fs-type veracrypt:", "# - VeraCrypt compatible (cross-platform)", "# - Works on Windows, Mac, Linux", "# - Slightly slower than LUKS", "# - Good for portability", "", "# Size guidelines:", "# Small (100-500 MB): Documents, passwords, keys", "# Medium (500-2000 MB): Photos, code projects", "# Large (2000-10000 MB): Videos, backups, archives", "# Very Large (10000+ MB): Full system backups" ], "name": "container-create", "options": [], "usage": "health-control container-create [OPTIONS]" }, { "description": "Mount encrypted container", "examples": [ "# Mount encrypted container (password prompted securely)", "health-control container-mount --container /path/to/secure.img --mount-point /mnt/secure", " → Prompts for LUKS password (not visible, not logged)", " → Creates /mnt/secure automatically if it doesn't exist", " → Opens LUKS device with cryptsetup", " → Mounts to /mnt/secure/ - ready to use", "", "# Complete workflow: create → mount → use → unmount", "", "# Step 1: Create encrypted container", "health-control container-create --path /tmp/data.img --size 500 --fs-type luks", "", "# Step 2: Mount container", "health-control container-mount --container /tmp/data.img --mount-point /mnt/data", "# Enter password when prompted", "", "# Step 3: Use the container (copy files, edit, etc.)", "cp -r /sensitive/documents /mnt/data/", "echo 'secret data' > /mnt/data/confidential.txt", "", "# Step 4: Unmount when done", "health-control container-unmount --mount-point /mnt/data", "", "# ✅ Complete encrypted container lifecycle!", "# ✅ Data encrypted at rest, decrypted only when mounted", "# ✅ Mount point automatically created and cleaned up" ], "name": "container-mount", "options": [], "usage": "health-control container-mount [OPTIONS]" }, { "description": "Unmount encrypted container", "examples": [ "# Safely unmount encrypted container", "health-control container-unmount --mount-point /mnt/secure", " → Unmounts filesystem from /mnt/secure", " → Closes LUKS mapper device automatically", " → Cleans up mount point (removes directory)", " → ⚠️ Close all files in /mnt/secure BEFORE unmounting!", "", "# Check if anything is using the mount before unmounting", "lsof +D /mnt/secure # List open files in mount point", "# If files are open, close them first, then:", "health-control container-unmount --mount-point /mnt/secure", "", "# Error handling: If unmount fails due to busy device", "# 1. Check for open files:", "lsof +D /mnt/secure", "# 2. Kill processes using the mount:", "fuser -km /mnt/secure # Kill processes (use with caution!)", "# 3. Try unmounting again:", "health-control container-unmount --mount-point /mnt/secure", "", "# Safe workflow: Always unmount before system shutdown", "# 1. Copy files out of container", "# 2. Close all applications accessing the mount", "# 3. Unmount container", "# 4. Container is now encrypted and safe to store/transport" ], "name": "container-unmount", "options": [], "usage": "health-control container-unmount [OPTIONS]" } ] }, { "category": "Security Tools", "commands": [ { "description": "Quick rootkit scan (fast, essential checks)", "examples": [ "health-control rootkit-scan", "health-control rootkit-scan --json" ], "name": "rootkit-scan", "options": [], "usage": "health-control rootkit-scan [OPTIONS]" }, { "description": "Check Kloak keyboard anonymization status", "examples": [ "health-control kloak-status", "health-control kloak-status --json" ], "name": "kloak-status", "options": [], "usage": "health-control kloak-status [OPTIONS]" }, { "description": "Enable Kloak keyboard anonymization", "examples": [ "health-control kloak-enable", "health-control kloak-enable --json" ], "name": "kloak-enable", "options": [], "usage": "health-control kloak-enable [OPTIONS]" }, { "description": "Disable Kloak keyboard anonymization", "examples": [ "health-control kloak-disable", "health-control kloak-disable --json" ], "name": "kloak-disable", "options": [], "usage": "health-control kloak-disable [OPTIONS]" }, { "description": "Configure Kloak keystroke anonymization settings", "examples": [ "health-control kloak-configure --delay 100", "health-control kloak-configure --mode aggressive --jitter 50", "health-control kloak-configure --json" ], "name": "kloak-configure", "options": [], "usage": "health-control kloak-configure [OPTIONS]" }, { "description": "Set Kloak event processing mode", "examples": [ "health-control kloak-event-mode --mode raw", "health-control kloak-event-mode --mode filtered", "health-control kloak-event-mode --mode adaptive --json" ], "name": "kloak-event-mode", "options": [], "usage": "health-control kloak-event-mode [OPTIONS]" }, { "description": "Show Kloak keystroke anonymization statistics", "examples": [ "health-control kloak-stats", "health-control kloak-stats --reset", "health-control kloak-stats --json" ], "name": "kloak-stats", "options": [], "usage": "health-control kloak-stats [OPTIONS]" }, { "description": "Update AIDE database after legitimate changes", "examples": [ "health-control aide-update", "health-control aide-update --accept-changes", "health-control aide-update --json" ], "name": "aide-update", "options": [], "usage": "health-control aide-update [OPTIONS]" }, { "description": "Check file integrity with AIDE", "examples": [ "health-control aide-check", "health-control aide-check --json" ], "name": "aide-check", "options": [], "usage": "health-control aide-check [OPTIONS]" }, { "description": "Initialize AIDE database for file integrity monitoring", "examples": [ "health-control aide-init", "health-control aide-init --config ./aide.conf", "health-control aide-init --timeout 7200", "health-control aide-init --background", "health-control aide-init --json" ], "name": "aide-init", "options": [], "usage": "health-control aide-init [OPTIONS]" }, { "description": "Reinitialize AIDE database (reset baseline)", "examples": [ "health-control aide-reinit", "health-control aide-reinit --force", "health-control aide-reinit --json" ], "name": "aide-reinit", "options": [], "usage": "health-control aide-reinit [OPTIONS]" }, { "description": "Scan specific directory with AIDE", "examples": [ "health-control aide-scan-dir ./config", "health-control aide-scan-dir /usr/bin --recursive", "health-control aide-scan-dir /home --json" ], "name": "aide-scan-dir", "options": [], "usage": "health-control aide-scan-dir [OPTIONS]" } ] }, { "category": "Storage & USB Security", "commands": [ { "description": "List all storage devices with safety information for persistence operations", "examples": [ "# List all storage devices with safety indicators", "sudo health-control list-storage-devices", " → Shows which devices are safe (USB) vs dangerous (system)", "", "# Include all devices (loop, ram, etc)", "sudo health-control list-storage-devices --all", "", "# JSON output for scripting", "sudo health-control list-storage-devices --json", "", "# Before creating persistence (recommended workflow)", "sudo health-control list-storage-devices && \\", "sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali" ], "name": "list-storage-devices", "options": [], "usage": "health-control list-storage-devices [OPTIONS]" }, { "description": "Check if a device is safe for persistence/formatting operations", "examples": [ "# Check if device is safe for persistence", "sudo health-control usb-safety-check --device /dev/sdc2", " → Returns: SAFE, CAUTION, or DANGER with details", "", "# Check system drive (will warn)", "sudo health-control usb-safety-check --device /dev/sda1", " → Shows why device is dangerous (system drive)", "", "# JSON output for scripting", "sudo health-control usb-safety-check --device /dev/sdc2 --json" ], "name": "usb-safety-check", "options": [], "usage": "health-control usb-safety-check [OPTIONS]" } ] }, { "category": "Storage Security", "commands": [ { "description": "Securely wipe storage devices and free space", "examples": [ "health-control storage-wipe --free-space", "health-control storage-wipe --device /dev/sdb --json" ], "name": "storage-wipe", "options": [], "usage": "health-control storage-wipe [OPTIONS]" }, { "description": "Encrypt a storage device", "examples": [ "health-control storage-encrypt --device /dev/sdb1", "health-control storage-encrypt --device /dev/sdc --json" ], "name": "storage-encrypt", "options": [], "usage": "health-control storage-encrypt [OPTIONS]" }, { "description": "Optimize encryption performance and security settings", "examples": [ "# Understanding encryption performance profiles", "", "# Benchmark all ciphers and show recommendations (dry-run, no changes)", "health-control encryption-tune --profile performance --benchmark", " → Benchmarks all available ciphers", " → Recommends fastest cipher for your hardware", " → Shows throughput in MB/s", " → No changes applied (dry-run mode)", "", "# Apply performance optimizations", "health-control encryption-tune --profile performance --apply", " → Sets: aes-xts-plain64 cipher, 256-bit key", " → Optimizes: I/O scheduler (deadline), queue depth (256)", " → Enables hardware crypto acceleration", " → May require reboot for full effect", "", "# Security-focused tuning (paranoid mode)", "health-control encryption-tune --profile security --iter-time 5000 --apply", " → Maximizes key derivation time (slower unlock, more secure)", " → Uses strongest available cipher", " → 5000ms iteration time (vs 2000ms default)", " → Recommended for high-security environments", "", "# Balanced profile (default)", "health-control encryption-tune --profile balanced", " → Good balance between performance and security", " → aes-xts-plain64 with 256-bit key", " → Standard iteration time (2000ms)", " → Shows recommendations without applying (add --apply to implement)", "", "# Device-specific tuning for external drive", "health-control encryption-tune --device /dev/sdb1 --cipher aes-xts-plain64 --key-size 512", " → Applies settings to specific device only", " → 512-bit key for maximum security", " → Requires unlocking and reformatting (data loss!)", "", "# Check current tuning status", "health-control encryption-tune", " → Shows current encryption settings", " → Shows cipher, key size, iteration time", " → No changes made (default dry-run)", "", "# JSON output for scripting", "health-control encryption-tune --json", " → Structured output with recommendations", " → Cipher benchmarks and current settings" ], "name": "encryption-tune", "options": [], "usage": "health-control encryption-tune [OPTIONS]" } ] }, { "category": "System Control", "commands": [ { "description": "Get the current hostname", "examples": [ "health-control get-hostname", "health-control get-hostname --json" ], "name": "get-hostname", "options": [], "usage": "health-control get-hostname" }, { "description": "Change hostname (prompts for new hostname)", "examples": [ "health-control change-hostname", "health-control change-hostname new-hostname", "health-control change-hostname --json" ], "name": "change-hostname", "options": [], "usage": "health-control change-hostname [OPTIONS]" }, { "description": "List available hostnames by category", "examples": [ "health-control list-hostnames", "health-control list-hostnames --category all", "health-control list-hostnames --category windows", "health-control list-hostnames --category linux", "health-control list-hostnames --category apple", "health-control list-hostnames --category network", "health-control list-hostnames --category mobile", "health-control list-hostnames --category iot", "health-control list-hostnames --category gaming", "health-control list-hostnames --category fiction", "health-control list-hostnames --json" ], "name": "list-hostnames", "options": [], "usage": "health-control list-hostnames [OPTIONS]" }, { "description": "Set a random hostname from a specific category", "examples": [ "sudo health-control set-random-hostname-category", "sudo health-control set-random-hostname-category --category windows", "sudo health-control set-random-hostname-category --category linux", "sudo health-control set-random-hostname-category --category apple", "sudo health-control set-random-hostname-category --category network", "sudo health-control set-random-hostname-category --category fiction --json" ], "name": "set-random-hostname-category", "options": [], "usage": "health-control set-random-hostname-category [OPTIONS]" }, { "description": "Get the actual logged-in user (handles sudo correctly)", "examples": [ "health-control get-logged-user", "health-control get-logged-user --json", "sudo health-control get-logged-user", "sudo health-control get-logged-user --json-pretty" ], "name": "get-logged-user", "options": [], "usage": "health-control get-logged-user [OPTIONS]" }, { "description": "Show current system timezone", "examples": [ "health-control show-timezone", "health-control show-timezone --json" ], "name": "show-timezone", "options": [], "usage": "health-control show-timezone [OPTIONS]" }, { "description": "Sync timezone based on IP geolocation", "examples": [ "health-control sync-timezone", "health-control sync-timezone --json" ], "name": "sync-timezone", "options": [], "usage": "health-control sync-timezone [OPTIONS]" }, { "description": "Show timezone based on current IP location", "examples": [ "health-control show-remote-timezone", "health-control show-remote-timezone --json" ], "name": "show-remote-timezone", "options": [], "usage": "health-control show-remote-timezone [OPTIONS]" }, { "description": "Set system timezone", "examples": [ "health-control set-timezone --timezone America/New_York", "health-control set-timezone --timezone Europe/London", "health-control set-timezone --timezone Asia/Tokyo --json", "health-control set-timezone --value America/Chicago" ], "name": "set-timezone", "options": [], "usage": "health-control set-timezone [OPTIONS]" }, { "description": "List available timezones by category", "examples": [ "health-control list-timezones", "health-control list-timezones --category all", "health-control list-timezones --category africa", "health-control list-timezones --category americas", "health-control list-timezones --category asia", "health-control list-timezones --category europe", "health-control list-timezones --category australia", "health-control list-timezones --category pacific", "health-control list-timezones --category utc", "health-control list-timezones --json" ], "name": "list-timezones", "options": [], "usage": "health-control list-timezones [OPTIONS]" }, { "description": "Set a random timezone from a specific category", "examples": [ "sudo health-control set-random-timezone", "sudo health-control set-random-timezone --category americas", "sudo health-control set-random-timezone --category europe", "sudo health-control set-random-timezone --category asia", "sudo health-control set-random-timezone --category africa", "sudo health-control set-random-timezone --category pacific --json" ], "name": "set-random-timezone", "options": [], "usage": "health-control set-random-timezone [OPTIONS]" }, { "description": "Play notification sound", "examples": [ "health-control play-sound", "health-control play-sound --sound alert", "health-control play-sound success", "health-control play-sound warning -m mp3", "health-control play-sound alert --debug" ], "name": "play-sound", "options": [], "usage": "health-control play-sound [OPTIONS]" }, { "description": "Send desktop notification", "examples": [ "health-control notify --message \"Security check complete\"", "health-control notify --message \"Hello from Kodachi\"", "health-control notify --message \"Alert\" --body \"VPN connected\"", "health-control notify --message \"Warning\" --urgency critical --duration 30", "health-control notify --message \"Update\" --notify-icon \"/path/to/icon.png\"" ], "name": "notify", "options": [], "usage": "health-control notify [OPTIONS]" } ] }, { "category": "System Information", "commands": [ { "description": "Display comprehensive system information", "examples": [ "health-control offline-info-system", "health-control offline-info-system --json" ], "name": "offline-info-system", "options": [], "usage": "health-control offline-info-system [OPTIONS]" }, { "description": "Display hardware information", "examples": [ "health-control offline-info-hardware", "health-control offline-info-hardware --json" ], "name": "offline-info-hardware", "options": [], "usage": "health-control offline-info-hardware [OPTIONS]" }, { "description": "Display process information", "examples": [ "health-control offline-info-process", "health-control offline-info-process --json" ], "name": "offline-info-process", "options": [], "usage": "health-control offline-info-process [OPTIONS]" }, { "description": "Display security and encryption status", "examples": [ "health-control offline-info-security", "health-control offline-info-security --json" ], "name": "offline-info-security", "options": [], "usage": "health-control offline-info-security [OPTIONS]" }, { "description": "Display network information", "examples": [ "health-control offline-info-network", "health-control offline-info-network --json" ], "name": "offline-info-network", "options": [], "usage": "health-control offline-info-network [OPTIONS]" }, { "description": "Display user information", "examples": [ "health-control offline-info-user", "health-control offline-info-user --json" ], "name": "offline-info-user", "options": [], "usage": "health-control offline-info-user [OPTIONS]" }, { "description": "Display storage information", "examples": [ "health-control offline-info-storage", "health-control offline-info-storage --json" ], "name": "offline-info-storage", "options": [], "usage": "health-control offline-info-storage [OPTIONS]" }, { "description": "Display system services information", "examples": [ "health-control offline-info-services", "health-control offline-info-services --json" ], "name": "offline-info-services", "options": [], "usage": "health-control offline-info-services [OPTIONS]" }, { "description": "Display all system information", "examples": [ "health-control offline-info-all", "health-control offline-info-all --json" ], "name": "offline-info-all", "options": [], "usage": "health-control offline-info-all [OPTIONS]" }, { "description": "Ping a random privacy-respecting target and return latency", "examples": [ "health-control ping", "health-control ping --json" ], "name": "ping", "options": [], "usage": "health-control ping [OPTIONS]" }, { "description": "Get process uptime for VPN or Tor", "examples": [ "health-control process-age --process vpn", "health-control process-age --process tor", "health-control process-age --process vpn --json", "health-control process-age --process tor --json" ], "name": "process-age", "options": [], "usage": "health-control process-age [OPTIONS]" } ] }, { "category": "System Information & Offline Actions", "commands": [ { "description": "Enable/disable/check Bluetooth service", "examples": [ "health-control offline-bluetooth --action disable", "health-control offline-bluetooth --action enable", "health-control offline-bluetooth --action check --json" ], "name": "offline-bluetooth", "options": [], "usage": "health-control offline-bluetooth [OPTIONS]" }, { "description": "Manage WiFi connectivity", "examples": [ "health-control offline-wifi --action disable", "health-control offline-wifi --action enable", "health-control offline-wifi --action check --json" ], "name": "offline-wifi", "options": [], "usage": "health-control offline-wifi [OPTIONS]" }, { "description": "Manage USB storage devices", "examples": [ "health-control offline-usb-storage --action disable", "health-control offline-usb-storage --action enable", "health-control offline-usb-storage --action check --json" ], "name": "offline-usb-storage", "options": [], "usage": "health-control offline-usb-storage [OPTIONS]" }, { "description": "Manage webcam device", "examples": [ "health-control offline-webcam --action disable", "health-control offline-webcam --action enable", "health-control offline-webcam --action check --json" ], "name": "offline-webcam", "options": [], "usage": "health-control offline-webcam [OPTIONS]" }, { "description": "Manage microphone device", "examples": [ "health-control offline-microphone --action disable", "health-control offline-microphone --action enable", "health-control offline-microphone --action check --json" ], "name": "offline-microphone", "options": [], "usage": "health-control offline-microphone [OPTIONS]" }, { "description": "Manage system logging", "examples": [ "health-control offline-systemlogs --action disable", "health-control offline-systemlogs --action enable", "health-control offline-systemlogs --action check --json" ], "name": "offline-systemlogs", "options": [], "usage": "health-control offline-systemlogs [OPTIONS]" }, { "description": "Manage CUPS printing service", "examples": [ "health-control offline-cups --action disable # Disable printer service (CUPS)", "health-control offline-cups --action enable # Enable printer service (CUPS)", "health-control offline-cups --action check --json" ], "name": "offline-cups", "options": [], "usage": "health-control offline-cups [OPTIONS]" }, { "description": "Manage NetworkManager service", "examples": [ "health-control offline-networkmanager --action disable", "health-control offline-networkmanager --action enable", "health-control offline-networkmanager --action check --json" ], "name": "offline-networkmanager", "options": [], "usage": "health-control offline-networkmanager [OPTIONS]" }, { "description": "Manage NumLock configuration", "examples": [ "health-control offline-numlock --action enable", "health-control offline-numlock --action disable", "health-control offline-numlock --action check --json" ], "name": "offline-numlock", "options": [], "usage": "health-control offline-numlock [OPTIONS]" }, { "description": "Manage command history", "examples": [ "health-control offline-cmdhistory --action disable", "health-control offline-cmdhistory --action enable", "health-control offline-cmdhistory --action check --json" ], "name": "offline-cmdhistory", "options": [], "usage": "health-control offline-cmdhistory [OPTIONS]" }, { "description": "Enable/disable/check auto-login functionality", "examples": [ "health-control offline-autologin --action disable", "health-control offline-autologin --action enable", "health-control offline-autologin --action check --json" ], "name": "offline-autologin", "options": [], "usage": "health-control offline-autologin [OPTIONS]" }, { "description": "Manage screen locking", "examples": [ "health-control offline-screen-lock --action enable", "health-control offline-screen-lock --action disable", "health-control offline-screen-lock --action check --json" ], "name": "offline-screen-lock", "options": [], "usage": "health-control offline-screen-lock [OPTIONS]" }, { "description": "Enable/disable/check file descriptor limits", "examples": [ "health-control offline-fdlimit --action enable --soft-limit 1024 --hard-limit 4096", "health-control offline-fdlimit --action disable", "health-control offline-fdlimit --action check --json" ], "name": "offline-fdlimit", "options": [], "usage": "health-control offline-fdlimit [OPTIONS]" }, { "description": "Enable/disable/check network optimization", "examples": [ "health-control offline-netoptimize --action enable", "health-control offline-netoptimize --action disable", "health-control offline-netoptimize --action check --json" ], "name": "offline-netoptimize", "options": [], "usage": "health-control offline-netoptimize [OPTIONS]" }, { "description": "Enable/disable/check BBR congestion control", "examples": [ "health-control offline-bbr --action enable", "health-control offline-bbr --action disable", "health-control offline-bbr --action check --json" ], "name": "offline-bbr", "options": [], "usage": "health-control offline-bbr [OPTIONS]" }, { "description": "Enable/disable/check interface speed optimization", "examples": [ "health-control offline-ifspeed --action enable --interface eth0 --speed 1000", "health-control offline-ifspeed --action disable", "health-control offline-ifspeed --action check --json", "health-control offline-ifspeed --action enable --interface wlan0" ], "name": "offline-ifspeed", "options": [], "usage": "health-control offline-ifspeed [OPTIONS]" }, { "description": "Manage Avahi daemon service", "examples": [ "health-control offline-avahi --action disable", "health-control offline-avahi --action enable", "health-control offline-avahi --action check --json" ], "name": "offline-avahi", "options": [], "usage": "health-control offline-avahi [OPTIONS]" }, { "description": "Manage ModemManager service", "examples": [ "health-control offline-modem-manager --action disable", "health-control offline-modem-manager --action enable", "health-control offline-modem-manager --action check --json" ], "name": "offline-modem-manager", "options": [], "usage": "health-control offline-modem-manager [OPTIONS]" }, { "description": "Manage SSH daemon service", "examples": [ "health-control offline-ssh --action disable", "health-control offline-ssh --action enable", "health-control offline-ssh --action check --json" ], "name": "offline-ssh", "options": [], "usage": "health-control offline-ssh [OPTIONS]" }, { "description": "Manage Apache web server service", "examples": [ "health-control offline-apache --action disable", "health-control offline-apache --action enable", "health-control offline-apache --action check --json" ], "name": "offline-apache", "options": [], "usage": "health-control offline-apache [OPTIONS]" }, { "description": "Manage Nginx web server service", "examples": [ "health-control offline-nginx --action disable", "health-control offline-nginx --action enable", "health-control offline-nginx --action check --json" ], "name": "offline-nginx", "options": [], "usage": "health-control offline-nginx [OPTIONS]" }, { "description": "Manage Docker container service", "examples": [ "health-control offline-docker --action disable", "health-control offline-docker --action enable", "health-control offline-docker --action check --json" ], "name": "offline-docker", "options": [], "usage": "health-control offline-docker [OPTIONS]" }, { "description": "Manage MySQL database service", "examples": [ "health-control offline-mysql --action disable", "health-control offline-mysql --action enable", "health-control offline-mysql --action check --json" ], "name": "offline-mysql", "options": [], "usage": "health-control offline-mysql [OPTIONS]" } ] }, { "category": "System Maintenance", "commands": [ { "description": "Enable automatic security updates", "examples": [ "health-control auto-updates-enable", "health-control auto-updates-enable --json" ], "name": "auto-updates-enable", "options": [], "usage": "health-control auto-updates-enable [OPTIONS]" }, { "description": "Disable automatic security updates", "examples": [ "health-control auto-updates-disable", "health-control auto-updates-disable --json" ], "name": "auto-updates-disable", "options": [], "usage": "health-control auto-updates-disable [OPTIONS]" }, { "description": "Check automatic updates status", "examples": [ "health-control auto-updates-status", "health-control auto-updates-status --json" ], "name": "auto-updates-status", "options": [], "usage": "health-control auto-updates-status [OPTIONS]" }, { "description": "Enable system maintenance settings", "examples": [ "health-control system-maintenance-enable", "health-control system-maintenance-enable --json" ], "name": "system-maintenance-enable", "options": [], "usage": "health-control system-maintenance-enable [OPTIONS]" }, { "description": "Disable system maintenance settings", "examples": [ "health-control system-maintenance-disable", "health-control system-maintenance-disable --json" ], "name": "system-maintenance-disable", "options": [], "usage": "health-control system-maintenance-disable [OPTIONS]" }, { "description": "Check system maintenance status", "examples": [ "health-control system-maintenance-status", "health-control system-maintenance-status --json" ], "name": "system-maintenance-status", "options": [], "usage": "health-control system-maintenance-status [OPTIONS]" }, { "description": "Enable password policy enforcement", "examples": [ "health-control password-policy-enable", "health-control password-policy-enable --json" ], "name": "password-policy-enable", "options": [], "usage": "health-control password-policy-enable [OPTIONS]" }, { "description": "Disable password policy enforcement", "examples": [ "health-control password-policy-disable", "health-control password-policy-disable --json" ], "name": "password-policy-disable", "options": [], "usage": "health-control password-policy-disable [OPTIONS]" }, { "description": "Check password policy status", "examples": [ "health-control password-policy-status", "health-control password-policy-status --json" ], "name": "password-policy-status", "options": [], "usage": "health-control password-policy-status [OPTIONS]" }, { "description": "Enable user security hardening", "examples": [ "health-control user-security-enable", "health-control user-security-enable --json" ], "name": "user-security-enable", "options": [], "usage": "health-control user-security-enable [OPTIONS]" }, { "description": "Disable user security hardening", "examples": [ "health-control user-security-disable", "health-control user-security-disable --json" ], "name": "user-security-disable", "options": [], "usage": "health-control user-security-disable [OPTIONS]" }, { "description": "Check user security status", "examples": [ "health-control user-security-status", "health-control user-security-status --json" ], "name": "user-security-status", "options": [], "usage": "health-control user-security-status [OPTIONS]" }, { "description": "Enable two-factor authentication", "examples": [ "# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!", "# Works reliably for: SSH, sudo | Unreliable for: XFCE login, lock screen", "health-control 2fa-enable", "health-control 2fa-enable --value $(whoami) --json", " ⚠ Security Note: Using $(whoami) exposes current username in command history" ], "name": "2fa-enable", "options": [], "usage": "health-control 2fa-enable [OPTIONS]" }, { "description": "Disable two-factor authentication", "examples": [ "# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!", "health-control 2fa-disable", "health-control 2fa-disable --json" ], "name": "2fa-disable", "options": [], "usage": "health-control 2fa-disable [OPTIONS]" }, { "description": "Check two-factor authentication status", "examples": [ "# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!", "# Works reliably for: SSH, sudo | Unreliable for: XFCE login, lock screen", "health-control 2fa-status", "health-control 2fa-status --json" ], "name": "2fa-status", "options": [], "usage": "health-control 2fa-status [OPTIONS]" }, { "description": "Check and install required packages", "examples": [ "health-control check-and-install tor openvpn", "health-control check-and-install rkhunter chkrootkit --json" ], "name": "check-and-install", "options": [], "usage": "health-control check-and-install [OPTIONS]" }, { "description": "Execute installation after checking dependencies", "examples": [ "health-control check-and-install-do", "health-control check-and-install-do --json" ], "name": "check-and-install-do", "options": [], "usage": "health-control check-and-install-do [OPTIONS]" }, { "description": "Clean up unnecessary packages", "examples": [ "health-control package-cleanup", "health-control package-cleanup --json" ], "name": "package-cleanup", "options": [], "usage": "health-control package-cleanup [OPTIONS]" }, { "description": "Clear system memory caches", "examples": [ "sudo health-control clear-cache", "sudo health-control clear-cache --level 1", "sudo health-control clear-cache --level 2", "sudo health-control clear-cache --level 3", "sudo health-control clear-cache --json" ], "name": "clear-cache", "options": [], "usage": "health-control clear-cache [OPTIONS]" } ] }, { "category": "System Recovery", "commands": [ { "description": "Fix broken sudo permissions (uses pkexec/su, no sudo required)", "examples": [ "health-control fix-sudo", "health-control fix-sudo --json", "# This command tries pkexec first, then su -c, to fix sudo without sudo" ], "name": "fix-sudo", "options": [], "usage": "health-control fix-sudo [OPTIONS]" }, { "description": "Check sudo installation status and permissions", "examples": [ "health-control check-sudo", "health-control check-sudo --json" ], "name": "check-sudo", "options": [], "usage": "health-control check-sudo [OPTIONS]" } ] }, { "category": "USB Security", "commands": [ { "description": "Check USB Guard protection status", "examples": [ "health-control usb-status", "health-control usb-status --json" ], "name": "usb-status", "options": [], "usage": "health-control usb-status [OPTIONS]" }, { "description": "Enable USB Guard protection", "examples": [ "health-control usb-guard-enable", "health-control usb-guard-enable --json" ], "name": "usb-guard-enable", "options": [], "usage": "health-control usb-guard-enable [OPTIONS]" }, { "description": "Disable USB Guard protection", "examples": [ "health-control usb-guard-disable", "health-control usb-guard-disable --json" ], "name": "usb-guard-disable", "options": [], "usage": "health-control usb-guard-disable [OPTIONS]" }, { "description": "Manage USB device policies", "examples": [ "health-control usb-policy --action list", "health-control usb-policy --action add --device-id 1234:5678 --allow", "health-control usb-policy --action remove --device-id 1234:5678" ], "name": "usb-policy", "options": [], "usage": "health-control usb-policy [OPTIONS]" }, { "description": "Monitor USB device connections in real-time", "examples": [ "health-control usb-monitor", "health-control usb-monitor --duration 300", "health-control usb-monitor --alert", "health-control usb-monitor --block-unauthorized --log-only", "health-control usb-monitor --json" ], "name": "usb-monitor", "options": [], "usage": "health-control usb-monitor [OPTIONS]" }, { "description": "View USB device connection history", "examples": [ "health-control usb-history", "health-control usb-history --days 30", "health-control usb-history --device-id 1234:5678", "health-control usb-history --clear --days 90", "health-control usb-history --json" ], "name": "usb-history", "options": [], "usage": "health-control usb-history [OPTIONS]" }, { "description": "Manage USB device whitelist", "examples": [ "# Find device IDs first (use lsusb)", "lsusb # Shows vendor:product IDs (e.g., 1234:5678)", " → Bus 003 Device 002: ID 1234:5678 Vendor Name Product Name", "", "# List current whitelist", "sudo health-control usb-whitelist --action list", " → Shows all whitelisted device IDs", "", "# Add device to whitelist", "sudo health-control usb-whitelist --action add --device-id 1234:5678", " → Device allowed to connect automatically", "", "# Remove device from whitelist", "sudo health-control usb-whitelist --action remove --device-id 1234:5678", " → Device will be blocked on next connection", "", "# Export whitelist (backup configuration)", "sudo health-control usb-whitelist --action export --file ~/usb-whitelist-backup.json", " → Saves whitelist to JSON file for backup/transfer", "", "# Import whitelist (restore configuration)", "sudo health-control usb-whitelist --action import --file ~/usb-whitelist-backup.json", " → Restores whitelist from JSON backup file", "", "# Clear all whitelisted devices", "sudo health-control usb-whitelist --action clear", " ⚠️ WARNING: Removes ALL whitelisted devices - use with caution!", "", "# JSON output for scripting", "sudo health-control usb-whitelist --action list --json" ], "name": "usb-whitelist", "options": [], "usage": "health-control usb-whitelist [OPTIONS]" } ] } ], "description": "Health control system for Kodachi that includes network connectivity checks and system health monitoring", "environmentVariables": [ { "default": "info", "description": "Set logging level", "name": "RUST_LOG", "values": "error|warn|info|debug|trace" }, { "default": "unset", "description": "Disable all colored output when set", "name": "NO_COLOR", "values": "1|true|yes (any value disables color)" } ], "exitCodes": { "0": "Success", "1": "General error", "2": "Invalid arguments", "3": "Permission denied", "4": "Network error", "5": "File not found" }, "globalOptions": [ { "description": "Print help information", "flag": "-h, --help" }, { "description": "Print version information", "flag": "-v, --version" }, { "description": "Display detailed information", "flag": "-n, --info" }, { "description": "Show usage examples", "flag": "-e, --examples" }, { "description": "Output in JSON format", "flag": "--json" }, { "description": "Pretty-print JSON output with indentation", "flag": "--json-pretty" }, { "description": "Enhanced JSON output with improved formatting (like jq)", "flag": "--json-human" }, { "description": "Enable verbose output", "flag": "--verbose" }, { "description": "Suppress non-essential output", "flag": "--quiet" }, { "description": "Disable colored output", "flag": "--no-color" }, { "description": "Use custom configuration file", "flag": "--config " }, { "description": "Set timeout (default: 30)", "flag": "--timeout " }, { "description": "Retry attempts (default: 3)", "flag": "--retry " } ], "name": "health-control", "usage": "health-control [OPTIONS] [COMMAND] [ARGS]" }, "errors": [], "metadata": { "executionTime": 18, "hostname": "RHEL-8-Server", "user": "kodachi" }, "status": "success", "timestamp": "2026-03-07T18:01:33.863797862Z", "version": "9.0.1", "warnings": [] }, "flag_e": { "command": "examples", "data": { "categories": [ { "description": "Test network connectivity and configuration", "examples": [ { "command": "sudo health-control net-check", "description": "Test both IP and domain connectivity (DNS only)", "expectedOutput": "Network connectivity status" }, { "command": "sudo health-control net-check --http", "description": "Test IP and domain connectivity including HTTP", "expectedOutput": "HTTP connectivity test results" }, { "command": "sudo health-control net-check --json", "description": "Network check with JSON output for automation", "expectedOutput": "JSON formatted network status" }, { "command": "sudo health-control net-check --http --json", "description": "HTTP network check with JSON output", "expectedOutput": "JSON formatted HTTP connectivity results" }, { "command": "sudo health-control net-check --ip-only", "description": "Check IP connectivity only, skip DNS checks", "expectedOutput": "IP connectivity test results" }, { "command": "sudo health-control net-check --domain-only", "description": "Check domain connectivity only, skip IP ping", "expectedOutput": "Domain connectivity test results" }, { "command": "sudo health-control net-check --timeout 15", "description": "Use custom timeout for network checks", "expectedOutput": "Network check with 15 second timeout" }, { "command": "sudo health-control net-check --ip-only --json", "description": "IP-only connectivity check with JSON output", "expectedOutput": "JSON formatted IP connectivity results" }, { "command": "sudo health-control net-check --domain-only --timeout 20", "description": "Domain-only connectivity check with custom timeout", "expectedOutput": "Domain connectivity test with 20 second timeout" }, { "command": "sudo health-control list-ips", "description": "Show IPs used for connectivity testing", "expectedOutput": "List of test IP addresses" }, { "command": "sudo health-control list-domains", "description": "Show domains used for connectivity testing", "expectedOutput": "List of test domain names" } ], "id": "1_network_connectivity", "title": "Network Connectivity" }, { "description": "Block and unblock internet traffic", "examples": [ { "command": "sudo health-control block-internet", "description": "Block internet using auto-detected method (tries nftables, then iptables, then UFW, then interfaces)", "expectedOutput": "Internet blocked successfully", "notes": "Without --method specified, health-control automatically selects the best available method" }, { "command": "sudo health-control block-internet --method iptables", "description": "Block using iptables firewall rules", "expectedOutput": "Iptables rules applied successfully" }, { "command": "sudo health-control block-internet --method nftables", "description": "Block using nftables firewall rules (preferred modern firewall)", "expectedOutput": "Nftables rules applied successfully" }, { "command": "sudo health-control block-internet --method firewall", "description": "Block using UFW (Uncomplicated Firewall)", "expectedOutput": "UFW rules applied successfully" }, { "command": "sudo health-control block-internet --method interfaces", "description": "Block by disabling network interfaces", "expectedOutput": "Network interfaces disabled successfully" }, { "command": "sudo health-control block-internet --method all", "description": "Block using ALL methods (UFW, nftables, iptables, and interfaces)", "expectedOutput": "All blocking methods applied successfully", "notes": "Applies all available blocking methods for maximum security" }, { "command": "sudo health-control block-internet --allow-local", "description": "Block internet but allow local network traffic", "expectedOutput": "Internet blocked, local traffic allowed" }, { "command": "sudo health-control block-internet --json", "description": "Block internet with JSON output", "expectedOutput": "JSON formatted blocking status" }, { "command": "sudo health-control block-internet --method iptables --allow-local --json", "description": "Block internet with iptables, allow local, JSON output", "expectedOutput": "JSON formatted blocking status with details" }, { "command": "sudo health-control block-internet --method all --allow-local", "description": "Block using ALL methods but allow local network traffic", "expectedOutput": "All blocking methods applied, local traffic allowed" }, { "command": "sudo health-control unblock-internet", "description": "Unblock internet traffic", "expectedOutput": "Internet unblocked successfully" }, { "command": "sudo health-control unblock-internet --method nftables", "description": "Unblock using nftables specifically", "expectedOutput": "Internet unblocked using nftables" }, { "command": "sudo health-control unblock-internet --method iptables", "description": "Unblock using iptables specifically", "expectedOutput": "Internet unblocked using iptables" }, { "command": "sudo health-control unblock-internet --method firewall", "description": "Unblock using UFW specifically", "expectedOutput": "Internet unblocked using UFW" }, { "command": "sudo health-control unblock-internet --method all", "description": "Unblock ALL methods (clears UFW, nftables, iptables, and re-enables interfaces)", "expectedOutput": "All blocking methods cleared successfully", "notes": "Ensures complete restoration by clearing all possible blocks" }, { "command": "sudo health-control unblock-internet --json", "description": "Unblock internet with JSON output", "expectedOutput": "JSON formatted unblocking status" }, { "command": "sudo health-control internet-status", "description": "Check current internet blocking status", "expectedOutput": "Internet traffic status" }, { "command": "sudo health-control internet-status --json", "description": "Check if internet traffic is blocked with JSON output", "expectedOutput": "JSON formatted block status" }, { "command": "sudo health-control kill-switch-arm", "description": "ARM the emergency kill switch - sets system to high-alert monitoring mode", "expectedOutput": "Kill switch ARMED - Monitoring mode active", "notes": "MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:\n• NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections\n• FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications\n• PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns\n• AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)\n• SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering\nDoes NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected." }, { "command": "sudo health-control kill-switch-disarm", "description": "DISARM kill switch monitoring", "expectedOutput": "Kill switch DISARMED", "notes": "Stops monitoring mode. Use after threat has passed or false alarm." }, { "command": "sudo health-control kill-switch-status", "description": "Check if monitoring is armed/disarmed", "expectedOutput": "Shows armed status, trigger count, armed time", "notes": "READ-ONLY: Just displays current state, takes no action" }, { "command": "sudo health-control kill-switch-activate", "description": "IMMEDIATELY activate kill switch (default: medium panic)", "expectedOutput": "KILL SWITCH ACTIVATED - emergency procedures executed", "notes": "IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard" }, { "command": "sudo health-control panic-soft", "description": "IMMEDIATE soft panic (NO confirmation)", "expectedOutput": "Soft panic activated", "notes": "Actions: Kill network, clear clipboard, lock screen. Reversible." }, { "command": "sudo health-control panic-medium", "description": "IMMEDIATE medium panic (WITH confirmation)", "expectedOutput": "Medium panic activated", "notes": "Actions: Kill network, terminate processes, clear memory, unmount devices. Requires manual restart." }, { "command": "sudo health-control panic-hard", "description": "IMMEDIATE hard panic with SHUTDOWN (WITH confirmation)", "expectedOutput": "Hard panic activated - system will shutdown", "notes": "CRITICAL: Wipes RAM, unmounts all, IMMEDIATE SHUTDOWN. IRREVERSIBLE!" }, { "command": "sudo health-control panic-recover", "description": "Recover from panic mode", "expectedOutput": "System recovered from panic mode", "notes": "Re-enables network, remounts volumes, restores services" } ], "id": "2_internet_traffic_control", "title": "Internet Traffic Control" }, { "description": "Monitor system changes and block internet on triggers", "examples": [ { "command": "sudo health-control enable --type watch-guard --watch ip --method nftables", "description": "Enable watch-guard to block internet if IP changes (VPN protection)", "expectedOutput": "Watch-guard enabled message with initial IP", "notes": "Blocks internet using nftables if external IP changes" }, { "command": "sudo health-control enable --type watch-guard --watch timezone --method iptables", "description": "Enable watch-guard for timezone changes", "expectedOutput": "Watch-guard enabled with current timezone", "notes": "Detects system time manipulation attempts" }, { "command": "sudo health-control enable --type watch-guard --watch interfaces --method firewall", "description": "Monitor network interfaces for changes", "expectedOutput": "Watch-guard monitoring interface list", "notes": "Blocks if new interfaces appear or existing ones change" }, { "command": "sudo health-control enable --type watch-guard --watch process --target tor --method interfaces", "description": "Monitor Tor process and block if it dies", "expectedOutput": "Watch-guard watching Tor process count", "notes": "Ensures no clearnet traffic if Tor crashes" }, { "command": "sudo health-control enable --type watch-guard --watch process --target firefox --method all", "description": "Monitor Firefox and use all block methods if it stops", "expectedOutput": "Watch-guard active for Firefox process", "notes": "Maximum blocking using all available methods" }, { "command": "sudo health-control watch-guard status", "description": "Show all active watch-guards and their trigger counts", "expectedOutput": "List of active watch-guards with details" }, { "command": "sudo health-control disable --type watch-guard ip", "description": "Disable IP watch-guard and unblock internet", "expectedOutput": "Watch-guard disabled confirmation", "notes": "Automatically unblocks internet unless --no-unblock used" }, { "command": "sudo health-control disable --type watch-guard all --no-unblock", "description": "Disable all watch-guards but keep internet blocked", "expectedOutput": "All watch-guards disabled message", "notes": "Use when you want manual control over unblocking" } ], "id": "3_watchguard", "title": "Watch-Guard Management" }, { "description": "Diagnose and fix connectivity issues", "examples": [ { "command": "sudo health-control recover-internet", "description": "Automatically diagnose and fix connectivity issues", "expectedOutput": "Recovery steps performed and status" }, { "command": "sudo health-control recover-internet --check-dns", "description": "Include DNS resolution testing and fixes", "expectedOutput": "Recovery with DNS diagnostics" }, { "command": "sudo health-control recover-internet --force", "description": "Force recovery even if connectivity appears working", "expectedOutput": "Forced recovery completion status" }, { "command": "sudo health-control recover-internet --silent", "description": "Run full internet recovery without desktop/terminal notifications", "expectedOutput": "Recovery runs silently (no notifications)", "notes": "Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation" }, { "command": "sudo health-control fast-recover-internet", "description": "Fast recovery: bounce interface + restart NetworkManager + DHCP renew", "expectedOutput": "FAST_RECOVER: SUCCESS", "notes": "Lightweight alternative to recover-internet — tries quick fix before full 9-method recovery" }, { "command": "sudo health-control fast-recover-internet --silent", "description": "Run fast recovery without desktop/terminal notifications", "expectedOutput": "FAST_RECOVER runs silently (no notifications)", "notes": "Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation" }, { "command": "sudo health-control fast-recover-internet --json", "description": "Fast recovery with JSON output", "expectedOutput": "JSON envelope with success status and method details" } ], "id": "4_network_recovery", "title": "Network Recovery" }, { "description": "Manage system timezone settings", "examples": [ { "command": "sudo health-control sync-timezone", "description": "Sync timezone based on IP geolocation", "expectedOutput": "Timezone synchronized to detected location" }, { "command": "sudo health-control show-timezone", "description": "Show current system timezone", "expectedOutput": "Current timezone information" }, { "command": "sudo health-control set-timezone --timezone \"America/New_York\"", "description": "Set specific timezone", "expectedOutput": "Timezone set to America/New_York" }, { "command": "sudo health-control show-remote-timezone", "description": "Show timezone based on current IP location", "expectedOutput": "Remote location timezone information" }, { "command": "health-control list-timezones", "description": "List all timezone categories", "expectedOutput": "List of timezone categories with counts" }, { "command": "health-control list-timezones --category all", "description": "List all available timezones", "expectedOutput": "Complete list of timezones" }, { "command": "health-control list-timezones --category africa", "description": "List African timezones", "expectedOutput": "List of African timezones" }, { "command": "health-control list-timezones --category americas", "description": "List American timezones", "expectedOutput": "List of North and South American timezones" }, { "command": "health-control list-timezones --category asia", "description": "List Asian timezones", "expectedOutput": "List of Asian timezones" }, { "command": "health-control list-timezones --category europe", "description": "List European timezones", "expectedOutput": "List of European timezones" }, { "command": "health-control list-timezones --category australia", "description": "List Australian timezones", "expectedOutput": "List of Australian timezones" }, { "command": "health-control list-timezones --category pacific", "description": "List Pacific timezones", "expectedOutput": "List of Pacific timezones" }, { "command": "health-control list-timezones --category utc", "description": "List UTC timezones", "expectedOutput": "List of UTC timezones" }, { "command": "health-control list-timezones --json", "description": "List timezone categories in JSON format", "expectedOutput": "JSON output of timezone categories" }, { "command": "sudo health-control set-random-timezone", "description": "Set a random timezone from all available", "expectedOutput": "Timezone set to random value", "notes": "Requires sudo privileges" }, { "command": "sudo health-control set-random-timezone --category americas", "description": "Set random American timezone", "expectedOutput": "Timezone set to random American timezone", "notes": "Requires sudo privileges" }, { "command": "sudo health-control set-random-timezone --category europe", "description": "Set random European timezone", "expectedOutput": "Timezone set to random European timezone", "notes": "Requires sudo privileges" }, { "command": "sudo health-control set-random-timezone --category asia", "description": "Set random Asian timezone", "expectedOutput": "Timezone set to random Asian timezone", "notes": "Requires sudo privileges" }, { "command": "sudo health-control set-random-timezone --category africa", "description": "Set random African timezone", "expectedOutput": "Timezone set to random African timezone", "notes": "Requires sudo privileges" }, { "command": "sudo health-control set-random-timezone --category pacific --json", "description": "Set random Pacific timezone with JSON output", "expectedOutput": "JSON output of timezone change", "notes": "Requires sudo privileges" } ], "id": "5_timezone_management", "title": "Timezone Management" }, { "description": "Change and manage MAC addresses", "examples": [ { "command": "sudo health-control mac-change-all", "description": "Change MAC addresses for all interfaces", "expectedOutput": "All MAC addresses changed" }, { "command": "sudo health-control mac-force-change", "description": "Force change MAC addresses", "expectedOutput": "MAC addresses force-changed", "notes": "Use when regular change fails" }, { "command": "sudo health-control mac-change-specific --interface eth0", "description": "Change MAC for specific interface", "expectedOutput": "MAC address changed for eth0" }, { "command": "sudo health-control mac-show-interfaces", "description": "Show all network interfaces", "expectedOutput": "List of network interfaces" }, { "command": "sudo health-control mac-show-macs", "description": "Show current MAC addresses", "expectedOutput": "List of interfaces and MAC addresses" }, { "command": "sudo health-control mac-reset-all", "description": "Reset all MACs to original values", "expectedOutput": "MAC addresses reset to original" }, { "command": "sudo health-control mac-active-interface", "description": "Show active network interface", "expectedOutput": "Currently active network interface" } ], "id": "6_mac_address_management", "title": "MAC Address Management" }, { "description": "Get and set system hostname", "examples": [ { "command": "sudo health-control get-hostname", "description": "Get current system hostname", "expectedOutput": "Current hostname" }, { "command": "sudo health-control get-hostname --json", "description": "Get hostname in JSON format", "expectedOutput": "JSON formatted hostname" }, { "command": "health-control get-logged-user", "description": "Get the actual logged-in user (handles sudo correctly)", "expectedOutput": "Username of logged-in user", "notes": "Returns actual user even when run with sudo" }, { "command": "sudo health-control get-logged-user --json", "description": "Get logged user with additional info in JSON format", "expectedOutput": "JSON with username, home directory, and detection method" }, { "command": "sudo health-control set-default-hostname", "description": "Set default system hostname", "expectedOutput": "Default hostname set" }, { "command": "sudo health-control set-random-hostname", "description": "Set random hostname for privacy", "expectedOutput": "Random hostname set" }, { "command": "sudo health-control set-random-hostname --json", "description": "Set random hostname with JSON output", "expectedOutput": "JSON formatted hostname change result" }, { "command": "sudo health-control set-custom-hostname --name MyHost", "description": "Set custom hostname", "expectedOutput": "Hostname set to MyHost" }, { "command": "sudo health-control set-custom-hostname --name privacy-machine", "description": "Set descriptive custom hostname", "expectedOutput": "Hostname set to privacy-machine" }, { "command": "sudo health-control set-custom-hostname --name secure-workstation --json", "description": "Set custom hostname with JSON output", "expectedOutput": "JSON formatted hostname change result" }, { "command": "health-control list-hostnames", "description": "List all hostname categories", "expectedOutput": "List of available hostname categories with counts" }, { "command": "health-control list-hostnames --category all", "description": "List all available hostnames", "expectedOutput": "Complete list of all predefined hostnames" }, { "command": "health-control list-hostnames --category windows", "description": "List Windows hostnames", "expectedOutput": "List of Windows-style hostnames" }, { "command": "health-control list-hostnames --category linux", "description": "List Linux hostnames", "expectedOutput": "List of Linux distribution hostnames" }, { "command": "health-control list-hostnames --category apple", "description": "List Apple/Mac hostnames", "expectedOutput": "List of macOS and Apple device hostnames" }, { "command": "health-control list-hostnames --json", "description": "List hostname categories in JSON format", "expectedOutput": "JSON formatted category list with counts" }, { "command": "sudo health-control set-random-hostname-category", "description": "Set random hostname from all categories", "expectedOutput": "Random hostname selected and set" }, { "command": "sudo health-control set-random-hostname-category --category windows", "description": "Set random Windows hostname", "expectedOutput": "Random Windows-style hostname set" }, { "command": "sudo health-control set-random-hostname-category --category linux", "description": "Set random Linux hostname", "expectedOutput": "Random Linux distribution hostname set" }, { "command": "sudo health-control set-random-hostname-category --category fiction --json", "description": "Set random fictional hostname with JSON output", "expectedOutput": "Random fictional hostname set with JSON result" } ], "id": "7_hostname_management", "title": "Hostname Management" }, { "description": "Control and monitor IPv6 protocol settings", "examples": [ { "command": "sudo health-control ipv6-status", "description": "Check current IPv6 configuration status", "expectedOutput": "IPv6 Status: ENABLED/DISABLED with interface details", "notes": "Shows runtime status, boot config, and active interfaces" }, { "command": "sudo health-control ipv6-disable", "description": "Disable IPv6 system-wide (sysctl and GRUB)", "expectedOutput": "IPv6 disabled with details of changes applied", "notes": "Reboot recommended for full effect" }, { "command": "sudo health-control ipv6-enable", "description": "Enable IPv6 system-wide", "expectedOutput": "IPv6 enabled with details of changes applied", "notes": "Reboot recommended for full effect" }, { "command": "sudo health-control ipv6-status --json", "description": "Get detailed IPv6 status in JSON format", "expectedOutput": "Complete IPv6 configuration including runtime, boot config, and interfaces" } ], "id": "8_ipv6_management", "title": "IPv6 Management" }, { "description": "Apply and verify comprehensive security settings (7 modules: kernel, process, filesystem, network, memory, monitoring, sandboxing)", "examples": [ { "command": "sudo health-control security-harden", "description": "Apply standard security hardening (network-safe): kernel hardening, process isolation, filesystem security, memory protection, monitoring, sandboxing - PRESERVES internet connectivity", "expectedOutput": "Security hardening completed (network connectivity preserved)", "notes": "Standard profile maintains system usability and network connectivity" }, { "command": "sudo health-control security-harden --profile paranoid", "description": "Apply PARANOID profile - WARNING: WILL BREAK INTERNET CONNECTIVITY: All hardening PLUS network isolation, DNS blocking, disabled IP forwarding", "expectedOutput": "Paranoid security applied (network isolated)", "notes": "⚠️ INTERNET CONNECTIVITY DISABLED - To recover: sudo health-control recover-internet" }, { "command": "sudo health-control security-harden --break-monitoring", "description": "Apply paranoid profile plus break-monitoring mode: forces /sys/class/net to root-only and breaks non-root monitoring tools (btop/conky/dashboard)", "expectedOutput": "Paranoid hardening applied with monitoring intentionally restricted", "notes": "⚠️ ALSO BREAKS NON-ROOT MONITORING - Use only when this behavior is explicitly required" }, { "command": "sudo health-control security-verify", "description": "Check if all 7 security modules are enabled and properly configured", "expectedOutput": "Shows each module: ENABLED/DISABLED and configuration status", "notes": "Use after security-harden to verify settings are applied" }, { "command": "sudo health-control security-harden --modules kernel,network", "description": "Apply only specific modules (kernel sysctl and network firewall)", "expectedOutput": "Applied 2 modules: kernel and network hardening", "notes": "Modules: kernel, process, filesystem, network, memory, monitoring, sandboxing" }, { "command": "sudo health-control security-recover", "description": "Temporarily revert security hardening (keeps framework ready for quick re-hardening)", "expectedOutput": "Security recovery completed - modules show 'ENABLED (needs configuration)'", "notes": "Use for troubleshooting. Framework remains enabled for easy re-hardening with security-harden." }, { "command": "sudo health-control security-recover --modules network,kernel", "description": "Recover only specific security modules", "expectedOutput": "Selected modules recovered", "notes": "Available modules: kernel, filesystem, network, memory, monitoring, smt" }, { "command": "sudo health-control security-reset", "description": "Completely disable all security modules and framework (permanent removal)", "expectedOutput": "All modules show 'DISABLED' - framework completely removed", "notes": "WARNING: Unlike security-recover, this permanently disables the framework. Requires rebuilding to re-enable." }, { "command": "sudo health-control security-reset --force", "description": "Reset security framework without confirmation prompt", "expectedOutput": "Security framework completely disabled", "notes": "Use --force to skip the confirmation prompt in automation scripts" }, { "command": "sudo health-control monitoring-enable", "description": "Enable system security monitoring (auditd, LKRG, file integrity, auth events)", "expectedOutput": "Security monitoring enabled", "notes": "Enables auditd for system call auditing, LKRG for kernel integrity, file integrity monitoring (AIDE/Tripwire), and auth event logging" }, { "command": "sudo health-control monitoring-disable", "description": "Disable system security monitoring services", "expectedOutput": "Security monitoring disabled", "notes": "Stops all security monitoring services - reduces system overhead but decreases security visibility" }, { "command": "sudo health-control monitoring-status", "description": "Check current system security monitoring status", "expectedOutput": "Security monitoring status details", "notes": "Shows status of auditd, LKRG, AIDE, and auth logging - helps verify which monitoring services are active" }, { "command": "sudo health-control tirdad-enable", "description": "Enable Tirdad kernel module for TCP ISN randomization (prevents OS fingerprinting)", "expectedOutput": "Tirdad enabled successfully", "notes": "Randomizes TCP Initial Sequence Numbers to prevent remote OS fingerprinting attacks and TCP sequence prediction" }, { "command": "sudo health-control tirdad-disable", "description": "Disable Tirdad TCP ISN randomization module", "expectedOutput": "Tirdad disabled successfully", "notes": "Restores default TCP ISN generation - may make system identifiable via network fingerprinting" }, { "command": "sudo health-control tirdad-status", "description": "Check Tirdad TCP ISN randomization module status", "expectedOutput": "Tirdad status: ENABLED/DISABLED", "notes": "Shows if kernel module is loaded and TCP ISN randomization is active" }, { "command": "sudo health-control disk-encryption-status", "description": "Check disk encryption status", "expectedOutput": "Disk encryption configuration", "notes": "Displays LUKS encryption status for all disks, cipher algorithms, and key slot usage" }, { "command": "sudo health-control usb-list", "description": "List all USB devices", "expectedOutput": "Connected USB devices", "notes": "Shows all connected USB devices with vendor/product IDs for security auditing" }, { "command": "sudo health-control create-persistence", "description": "Create unencrypted persistence file", "expectedOutput": "Persistence file created successfully", "notes": "Creates a 4GB unencrypted ext4 persistence file (casper-rw) for live USB systems. Use --encrypted for LUKS encryption, --size to change size." }, { "command": "sudo health-control create-persistence --encrypted", "description": "Create encrypted persistence (interactive)", "expectedOutput": "Encrypted persistence file created", "notes": "Creates LUKS2-encrypted persistence with interactive password prompt. Secure method - password not visible in history." }, { "command": "sudo health-control create-persistence --encrypted --password 'pass123'", "description": "Create encrypted persistence (CLI password)", "expectedOutput": "Encrypted persistence file created", "notes": "⚠️ INSECURE: Password visible in shell history! Shows security warnings. Use interactive mode instead." }, { "command": "sudo health-control encryption-status", "description": "Show overall encryption status", "expectedOutput": "System encryption status report", "notes": "Comprehensive report of all encryption: disks, swap, home directories, and key management" } ], "id": "9_security_hardening", "title": "Security Hardening" }, { "description": "Monitor system health and run security audits", "examples": [ { "command": "sudo health-control system-audit", "description": "Perform comprehensive system security audit", "expectedOutput": "System audit status report" }, { "command": "sudo health-control rootkit-scan", "description": "Scan system for rootkits", "expectedOutput": "Rootkit scan results" }, { "command": "sudo health-control security-status --json", "description": "Check system security status", "expectedOutput": "JSON formatted security status info" }, { "command": "sudo health-control lynis-audit", "description": "Run comprehensive Lynis security audit", "expectedOutput": "Complete Lynis audit report", "notes": "Comprehensive security assessment" }, { "command": "sudo health-control lynis-status", "description": "Check Lynis installation and status", "expectedOutput": "Lynis service status" }, { "command": "sudo health-control aide-init", "description": "Initialize AIDE database", "expectedOutput": "AIDE database created successfully", "notes": "First time setup required" }, { "command": "sudo health-control aide-check", "description": "Check file integrity with AIDE", "expectedOutput": "File integrity check results" }, { "command": "sudo health-control kloak-status", "description": "Check kloak keystroke anonymization status", "expectedOutput": "Kloak service status and configuration" }, { "command": "sudo health-control kloak-enable", "description": "Enable kloak keystroke anonymization", "expectedOutput": "Kloak enabled successfully" }, { "command": "sudo health-control kloak-disable", "description": "Disable kloak keystroke anonymization", "expectedOutput": "Kloak disabled successfully" } ], "id": "10_system_health_security", "title": "System Health & Security Tools" }, { "description": "LUKS nuke passwords for emergency data destruction", "examples": [ { "command": "sudo health-control luks-nuke --action status", "description": "List all LUKS devices and nuke password status", "expectedOutput": "LUKS device status and configuration", "notes": "Shows which devices have nuke passwords configured" }, { "command": "sudo health-control luks-nuke --action status --device /dev/sda5", "description": "⚠️ STEP 1: Check current nuke status for target device", "expectedOutput": "Current LUKS nuke configuration status for /dev/sda5", "notes": "⚠️ ALWAYS backup header BEFORE configuring nuke password. This status check helps confirm current device state before changes." }, { "command": "sudo health-control luks-nuke --action configure --device /dev/sda5 --password 'StrongNukePassword123!'", "description": "⚠️ STEP 2: Configure nuke password (DATA DESTRUCTION FEATURE)", "expectedOutput": "Nuke password configured in keyslot 7", "notes": "⚠️ CRITICAL WARNING: This creates a password that will PERMANENTLY DESTROY all data on /dev/sda5 when entered! Use only if you understand the consequences. Requires header backup from STEP 1. Password must be strong (12+ chars, mixed case, numbers, symbols). Avoid obvious words like 'nuke', 'destroy', 'emergency'." }, { "command": "sudo health-control luks-nuke --action remove --device /dev/sda5", "description": "Remove nuke password from device", "expectedOutput": "Nuke password removed from keyslot 7", "notes": "Removes the data destruction feature from the device. You will be prompted to confirm which keyslot to remove (usually keyslot 7). Requires current LUKS password." }, { "command": "gpg -d ~/Desktop/header-backup-*.img.gpg | sudo cryptsetup luksHeaderRestore /dev/sda5", "description": "⚠️ EMERGENCY: Restore LUKS header after nuke password was used", "expectedOutput": "LUKS header restored from backup", "notes": "⚠️ USE ONLY IF nuke password was accidentally used! This restores the LUKS header from your encrypted backup. You MUST have created a header backup BEFORE the nuke password was triggered. After restoration, you can unlock the device with your original LUKS password. Without a backup, data is PERMANENTLY LOST." } ], "id": "11_luks_nuke_operations", "title": "LUKS Nuke & Data Destruction" }, { "description": "Full system data destruction for emergency situations. IRREVERSIBLE - use with extreme caution.", "examples": [ { "command": "health-control nuke-execute --dry-run", "description": "⚠️ TEST MODE: Preview what would be destroyed without actually wiping", "expectedOutput": "[DRY_RUN] messages showing all files/directories that would be wiped", "notes": "ALWAYS test with --dry-run first! Shows exactly what will be destroyed including: SSH keys, GPG keys, crypto wallets, browser data, messaging apps, email, documents, and system logs." }, { "command": "health-control nuke-execute --method fast --dry-run", "description": "Fast wipe mode (1-pass) - quickest destruction (~27 seconds)", "expectedOutput": "Fast wipe simulation with single-pass overwrite", "notes": "Best for SSDs where multi-pass is ineffective. Uses blkdiscard for SSDs, single shred pass for HDDs." }, { "command": "health-control nuke-execute --method secure --dry-run", "description": "Secure wipe mode (3-pass DoD) - balanced security (~45 seconds)", "expectedOutput": "Secure wipe simulation with 3-pass DoD standard", "notes": "DEFAULT mode. 3-pass overwrite following DoD 5220.22-M standard. Good balance of speed and security for HDDs." }, { "command": "health-control nuke-execute --method paranoid --dry-run", "description": "Paranoid wipe mode (7-pass) - maximum security (~60 seconds)", "expectedOutput": "Paranoid wipe simulation with 7-pass Gutmann-style", "notes": "Maximum security. 7-pass overwrite. Also wipes boot sector, GRUB, kernel, initrd, and MBR. System will be unbootable." }, { "command": "health-control nuke-execute --method fast --force", "description": "⚠️ DANGER: Execute REAL fast wipe - DESTROYS ALL DATA", "expectedOutput": "Data destruction in progress... System will reboot when complete.", "notes": "⚠️ IRREVERSIBLE! This PERMANENTLY DESTROYS: ~/.ssh, ~/.gnupg, crypto wallets (Bitcoin/Monero/Electrum), all browsers, Signal/Telegram/Discord, Thunderbird, Documents/Downloads/Desktop, AWS/Docker/Kube credentials, bash history, system logs. System forces reboot after completion." }, { "command": "health-control nuke-progress", "description": "Check current nuke operation progress", "expectedOutput": "Phase: 5 - browser_data, Complete: false, Active: true", "notes": "Monitor ongoing destruction progress. Shows current phase, completion status, and any errors." }, { "command": "health-control nuke-storage-detect --device /dev/sda", "description": "Detect storage type for optimal wipe method", "expectedOutput": "Device: /dev/sda, Storage Type: SSD", "notes": "Detects if device is SSD, HDD, or NVMe. SSDs use blkdiscard (instant secure erase), HDDs use shred (multi-pass overwrite), NVMe uses nvme format command." } ], "id": "11b_emergency_nuke_operations", "title": "Emergency Nuke Operations" }, { "description": "Complete USB security management - device listing, USBGuard policies, storage control, and monitoring", "examples": [ { "command": "", "description": "UNDERSTANDING USB SECURITY LAYERS", "expectedOutput": "", "notes": "USB security has TWO independent control systems:\n\n1. USBGuard (usb-guard-* commands):\n- Controls WHICH devices are allowed/blocked\n- Device authorization policy management\n- Works at the USBGuard daemon level\n\n2. USB Storage Modules (offline-usb-storage):\n- Controls IF USB storage drivers are loaded at all\n- Manages kernel modules (usb_storage, uas)\n- Manages device authorization at kernel level\n- Integrates with USBGuard automatically\n\n⚠️ CRITICAL: For USB drives to work, you need:\n- USB storage modules enabled (offline-usb-storage --action enable)\n- USBGuard allowing the device (or disabled)\n- Device authorized at kernel level (handled by offline-usb-storage)\n\n💡 TIP: Use 'offline-usb-storage --action enable' for complete USB storage access.\nIt handles all 4 layers automatically!" }, { "command": "sudo health-control usb-list", "description": "List all connected USB devices", "expectedOutput": "USB device list with security status" }, { "command": "sudo health-control offline-usb-storage --action check", "description": "Check USB storage module status (all 4 layers)", "expectedOutput": "Modules loaded: yes/no, Blacklist exists: yes/no, USBGuard active: yes/no, Authorized devices: N", "notes": "Shows complete status of all USB storage control layers" }, { "command": "sudo health-control offline-usb-storage --action enable", "description": "Enable USB storage completely (recommended)", "expectedOutput": "USB storage enabled successfully - All layers configured", "notes": "Handles ALL 4 layers: Removes blacklist, loads modules, authorizes devices, integrates with USBGuard.\nYour USB drives should appear immediately in 'lsblk' after this command." }, { "command": "sudo health-control offline-usb-storage --action enable --verbose", "description": "Enable USB storage with detailed layer-by-layer output", "expectedOutput": "Shows: modules loaded → devices authorized → USBGuard integration → udev triggered", "notes": "Use verbose mode to see exactly what happens at each layer" }, { "command": "sudo health-control offline-usb-storage --action disable", "description": "Disable USB storage completely (security lockdown)", "expectedOutput": "USB storage disabled successfully - All layers configured", "notes": "Blocks USB storage at all 4 layers: deauthorizes devices, blocks in USBGuard, unloads modules, creates blacklist" }, { "command": "sudo health-control usb-guard-enable", "description": "Enable USB Guard protection service", "expectedOutput": "USB Guard enabled successfully", "notes": "⚠️ This only enables USBGuard service - does NOT enable USB storage modules!\nIf USB storage modules are blocked, your drives won't appear even with USBGuard enabled.\nUse 'offline-usb-storage --action enable' for complete access." }, { "command": "sudo health-control usb-guard-disable", "description": "Disable USB Guard protection service", "expectedOutput": "USB Guard disabled successfully", "notes": "Disables USBGuard service but does NOT affect USB storage modules.\nStorage modules may still be blocked separately." }, { "command": "sudo health-control usb-policy --action add --device-id 1234:5678 --allow", "description": "Add USB device to USBGuard allow policy", "expectedOutput": "USB device policy added", "notes": "Use lsusb to find device IDs. This manages USBGuard policy only.\nDevice must also be authorized at kernel level (handled by offline-usb-storage)." }, { "command": "sudo health-control usb-policy --action list", "description": "List all USB policies in USBGuard", "expectedOutput": "Current USB device policies" }, { "command": "sudo health-control usb-policy --action status", "description": "Check USB security policies", "expectedOutput": "USB security policy assessment" }, { "command": "sudo health-control usb-monitor", "description": "Start USB device monitoring", "expectedOutput": "USB monitoring started" }, { "command": "sudo health-control usb-history --days 7", "description": "View USB device history for last 7 days", "expectedOutput": "USB device connection history" } ], "id": "12_usb_device_security", "title": "USB & Device Security" }, { "description": "Secure data wiping procedures", "examples": [ { "command": "sudo health-control wipe-file --file /path/to/file --passes 7", "description": "Securely wipe file with 7 passes", "expectedOutput": "File securely wiped and unrecoverable", "notes": "Multiple passes increase security" }, { "command": "sudo health-control wipe-directory --path /path/to/directory --passes 3", "description": "Securely wipe entire directory", "expectedOutput": "Directory and contents wiped securely", "notes": "All files in directory will be destroyed" }, { "command": "sudo health-control wipe-free-space --device /dev/sda1", "description": "Wipe free space on device", "expectedOutput": "Free space wiped securely", "notes": "Prevents recovery of deleted files" }, { "command": "sudo health-control wipe-logs", "description": "Wipe system and application logs", "expectedOutput": "Logs wiped successfully", "notes": "Removes log file traces" }, { "command": "sudo health-control wipe-browser-data", "description": "Wipe browser history and data", "expectedOutput": "Browser data wiped", "notes": "Removes browsing history and cache" }, { "command": "sudo health-control wipe-schedule temp --frequency daily", "description": "Schedule automatic temporary file wiping daily", "expectedOutput": "File wipe scheduled successfully", "notes": "Automatically wipes temp files based on frequency" }, { "command": "sudo health-control wipe-pattern \"*.tmp\"", "description": "Wipe all temporary files matching pattern", "expectedOutput": "Files matching pattern wiped", "notes": "Uses glob patterns to match files for wiping" }, { "command": "sudo health-control wipe-verify /path/to/file", "description": "Verify file has been securely wiped", "expectedOutput": "File wipe verification results" }, { "command": "sudo health-control wipe-batch /path1 /path2 /path3 --passes 7", "description": "Batch wipe multiple files with 7 passes", "expectedOutput": "Batch file wiping completed", "notes": "Space-separated file paths" } ], "id": "13_data_destruction", "title": "Data Destruction & Secure Wiping" }, { "description": "Automated updates, password policies, and system maintenance", "examples": [ { "command": "sudo health-control auto-updates-enable", "description": "Enable automatic security updates", "expectedOutput": "Automatic security updates enabled" }, { "command": "sudo health-control auto-updates-disable", "description": "Disable automatic updates", "expectedOutput": "Automatic updates disabled" }, { "command": "sudo health-control auto-updates-status", "description": "Check automatic updates status", "expectedOutput": "Auto-updates configuration status" }, { "command": "sudo health-control password-policy-enable", "description": "Enable strong password policy", "expectedOutput": "Strong password policy enforced" }, { "command": "sudo health-control password-policy-disable", "description": "Disable strong password policy", "expectedOutput": "Password policy disabled" }, { "command": "sudo health-control user-security-enable", "description": "Enable user security checks", "expectedOutput": "User security policies enabled" }, { "command": "sudo health-control 2fa-enable --value username", "description": "Enable 2FA for specific user", "expectedOutput": "Two-factor authentication enabled" }, { "command": "sudo health-control 2fa-disable --user username", "description": "Disable 2FA for user", "expectedOutput": "Two-factor authentication disabled" }, { "command": "sudo health-control system-maintenance-enable", "description": "Enable automatic system maintenance", "expectedOutput": "System maintenance automation enabled" }, { "command": "sudo health-control package-cleanup", "description": "Clean up unnecessary packages", "expectedOutput": "System packages cleaned and optimized" }, { "command": "sudo health-control password-policy-status", "description": "Check password policy status", "expectedOutput": "Current password policy configuration" }, { "command": "sudo health-control user-security-disable", "description": "Disable user security checks", "expectedOutput": "User security policies disabled" }, { "command": "sudo health-control user-security-status", "description": "Check user security status", "expectedOutput": "User security configuration status" }, { "command": "sudo health-control 2fa-status", "description": "Check 2FA status for users", "expectedOutput": "Two-factor authentication status" }, { "command": "sudo health-control system-maintenance-disable", "description": "Disable automatic system maintenance", "expectedOutput": "System maintenance automation disabled" }, { "command": "sudo health-control system-maintenance-status", "description": "Check system maintenance status", "expectedOutput": "System maintenance configuration status" } ], "id": "14_system_maintenance", "title": "System Maintenance & Updates" }, { "description": "System configuration and control operations", "examples": [ { "command": "sudo health-control play-sound --sound alert", "description": "Play system alert sound", "expectedOutput": "Sound played successfully" }, { "command": "sudo health-control play-sound success", "description": "Play success notification sound", "expectedOutput": "Success sound played" }, { "command": "sudo health-control play-sound warning -m mp3", "description": "Play warning sound in MP3 format", "expectedOutput": "Warning sound played in MP3" }, { "command": "sudo health-control play-sound alert --debug", "description": "Play alert sound with debug output", "expectedOutput": "Alert sound played with debug info" }, { "command": "health-control notify --message \"Security check complete\"", "description": "Send system notification", "expectedOutput": "Notification sent successfully" }, { "command": "health-control notify --message \"Hello from Kodachi\"", "description": "Send basic notification message", "expectedOutput": "Notification sent successfully" }, { "command": "health-control notify --message \"Alert\" --body \"VPN connected\"", "description": "Send notification with message body", "expectedOutput": "Detailed notification sent" }, { "command": "health-control notify --message \"Warning\" --urgency critical --duration 30", "description": "Send critical notification with 30 second duration", "expectedOutput": "Critical notification sent" }, { "command": "health-control notify --message \"Update\" --notify-icon \"/path/to/icon.png\"", "description": "Send notification with custom icon", "expectedOutput": "Notification with icon sent" } ], "id": "15_system_control", "title": "System Control & Notifications" }, { "description": "Emergency security measures with two modes: MONITORING (arm/disarm) prepares for threats, IMMEDIATE (panic/activate) executes emergency procedures", "examples": [ { "command": "sudo health-control kill-switch-arm", "description": "ARM kill switch monitoring (preparation mode)", "expectedOutput": "Kill switch ARMED - Monitoring mode active", "notes": "MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:\n• NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections\n• FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications\n• PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns\n• AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)\n• SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering\nDoes NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected." }, { "command": "sudo health-control kill-switch-disarm", "description": "DISARM kill switch monitoring", "expectedOutput": "Kill switch DISARMED", "notes": "Stops monitoring mode. Use after threat has passed or false alarm." }, { "command": "sudo health-control kill-switch-status", "description": "Check if monitoring is armed/disarmed", "expectedOutput": "Shows armed status, trigger count, armed time", "notes": "READ-ONLY: Just displays current state, takes no action" }, { "command": "sudo health-control kill-switch-activate", "description": "IMMEDIATELY activate kill switch (default: medium panic)", "expectedOutput": "KILL SWITCH ACTIVATED - emergency procedures executed", "notes": "IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard" }, { "command": "sudo health-control panic-soft", "description": "IMMEDIATE soft panic (NO confirmation)", "expectedOutput": "Network killed, clipboard cleared, screen locked", "notes": "INSTANT: Kill network + clear clipboard + lock screen. Reversible. Good for quick privacy." }, { "command": "sudo health-control panic-medium", "description": "IMMEDIATE medium panic (requires confirmation)", "expectedOutput": "Panic mode activated after confirmation", "notes": "WITH CONFIRMATION: Kill network + clear clipboard + terminate processes + clear memory + unmount devices + lock screen (6 actions). Requires manual restart to restore." }, { "command": "sudo health-control panic-hard", "description": "IMMEDIATE hard panic (double confirmation)", "expectedOutput": "System shutdown initiated", "notes": "CRITICAL - DOUBLE CONFIRM: All medium actions + RAM wipe + IMMEDIATE shutdown (7 actions total). IRREVERSIBLE! System shuts down NOW!" }, { "command": "sudo health-control create-recovery-point", "description": "Create recovery checkpoint BEFORE panic", "expectedOutput": "Recovery point created", "notes": "Create BEFORE activating panic modes. Allows restoration of configs after emergency." }, { "command": "sudo health-control panic-recover", "description": "Restore system after panic activation", "expectedOutput": "System recovered from panic mode", "notes": "Use AFTER panic to restore normal operation. Restarts services, fixes permissions." }, { "command": "sudo health-control panic-profile --profile paranoid", "description": "Configure panic response to paranoid security level", "expectedOutput": "Panic profile set: paranoid\nActions configured: 12", "notes": "PROFILE MODES:\n• STEALTH: Light response (network blocking only, preserve user data)\n• PARANOID: Maximum security (network kill, data wipe, process termination, interface shutdown)\n• RECOVERY: System restoration (restart services, fix permissions, restore connectivity)\n\nProfile determines automatic actions when panic mode triggers. Use 'kill-switch-activate' to manually trigger the configured profile." }, { "command": "sudo health-control kill-network-interface --interface eth0", "description": "Kill specific network interface", "expectedOutput": "Network interface eth0 terminated", "notes": "Selective network isolation" }, { "command": "sudo health-control kill-process --process firefox", "description": "Terminate specific process immediately", "expectedOutput": "Process firefox terminated", "notes": "Emergency process termination" } ], "id": "16_emergency_operations", "title": "Emergency Operations - Kill Switch & Panic Modes" }, { "description": "Storage device encryption, secure wiping, LUKS encrypted containers, and volume management", "examples": [ { "command": "sudo health-control list-storage-devices", "description": "List all storage devices with safety indicators (SAFE/CAUTION/DANGER)", "expectedOutput": "Shows devices categorized by safety level for persistence operations", "notes": "Use BEFORE creating persistence to identify safe devices. Protects against accidental system drive formatting." }, { "command": "sudo health-control list-storage-devices --all", "description": "List all storage devices including loop and ram devices", "expectedOutput": "Complete device inventory with safety categorization including virtual devices" }, { "command": "sudo health-control usb-safety-check --device /dev/sdc2", "description": "Check if specific device is safe for persistence operations", "expectedOutput": "Returns safety level: SAFE, CAUTION, or DANGER with detailed warnings", "notes": "Validates device before destructive operations. Prevents accidental system drive formatting." }, { "command": "sudo health-control storage-encrypt --device /dev/sdb1", "description": "Encrypt storage device", "expectedOutput": "Storage device encrypted successfully", "notes": "Backup data before encryption" }, { "command": "sudo health-control storage-wipe --device /dev/sdb1 --passes 3", "description": "Securely wipe storage device", "expectedOutput": "Storage device wiped securely", "notes": "Data will be permanently destroyed" }, { "command": "sudo health-control container-create /secure/data.img --size 500", "description": "Create encrypted container (500MB)", "expectedOutput": "Encrypted container created successfully", "notes": "Creates LUKS2-encrypted container file. You'll be prompted for password interactively.\nContainer file path is positional argument (not --output)." }, { "command": "sudo health-control container-create /tmp/secure.img --size 100", "description": "Create small encrypted container (100MB)", "expectedOutput": "Container created: /tmp/secure.img, Size: 100 MB", "notes": "Smaller size for testing. Password will be prompted." }, { "command": "sudo health-control container-mount /secure/data.img --mount-point /mnt/secure", "description": "Mount encrypted container", "expectedOutput": "Container mounted successfully", "notes": "You'll be prompted for the container password.\nMount point will be created automatically if it doesn't exist." }, { "command": "sudo health-control container-unmount /mnt/secure", "description": "Unmount encrypted container", "expectedOutput": "Container unmounted: /mnt/secure", "notes": "Automatically closes the LUKS mapper device." } ], "id": "17_storage_encryption", "title": "Storage Encryption & Secure Containers" }, { "description": "Security scoring and reporting", "examples": [ { "command": "sudo health-control security-score", "description": "Calculate overall security score", "expectedOutput": "Shows score (0-100), security level (Critical/Poor/Fair/Good/Excellent), and actionable fixes" }, { "command": "sudo health-control security-score --json", "description": "Get security score in JSON format", "expectedOutput": "Full JSON with category breakdowns (Core/Network/Hardening/Device/Advanced), individual check scores, and specific remediation commands" }, { "command": "sudo health-control security-report", "description": "Generate comprehensive security report", "expectedOutput": "Detailed security assessment report" }, { "command": "sudo health-control security-report --json", "description": "Generate security report in JSON format", "expectedOutput": "JSON formatted security report" }, { "command": "sudo health-control security-history --days 30", "description": "View security score history for last 30 days", "expectedOutput": "Security score trends and historical data", "notes": "Shows security improvements over time" }, { "command": "sudo health-control security-history --days 7 --json", "description": "View last 7 days security history in JSON", "expectedOutput": "JSON formatted security history" }, { "command": "sudo health-control security-remediate", "description": "Review security fixes before applying", "expectedOutput": "Security fix recommendations displayed", "notes": "Manual review mode for security fixes" } ], "id": "18_security_assessment", "title": "Security Assessment & Scoring" }, { "description": "Hardware-level security features", "examples": [ { "command": "sudo health-control hardware-rng-verify", "description": "Verify hardware random number generator", "expectedOutput": "Hardware RNG status and quality", "notes": "Checks if hardware RNG is available and functioning properly for cryptographic operations" }, { "command": "sudo health-control entropy-status", "description": "Check system entropy status", "expectedOutput": "Entropy pool status and quality", "notes": "Monitors available entropy for secure random number generation, critical for encryption" }, { "command": "sudo health-control boot-integrity-check", "description": "Check boot integrity", "expectedOutput": "Boot integrity verification results", "notes": "Verifies boot process integrity to detect tampering or unauthorized modifications to bootloader/kernel" } ], "id": "19_hardware_security", "title": "Hardware Security" }, { "description": "System information, diagnostics, and hardware/service management", "examples": [ { "command": "sudo health-control offline-info-system", "description": "Display comprehensive system information", "expectedOutput": "Complete system details and configuration" }, { "command": "sudo health-control offline-info-hardware", "description": "Display hardware information", "expectedOutput": "Hardware components and specifications" }, { "command": "sudo health-control offline-info-hardware --json", "description": "Display hardware information in JSON", "expectedOutput": "JSON formatted hardware details" }, { "command": "sudo health-control offline-info-process", "description": "Display process information", "expectedOutput": "Running processes and resource usage" }, { "command": "sudo health-control offline-info-security", "description": "Display security configuration", "expectedOutput": "Security settings and status" }, { "command": "sudo health-control offline-info-network", "description": "Display network configuration", "expectedOutput": "Network interfaces and settings" }, { "command": "sudo health-control offline-info-user", "description": "Display user information", "expectedOutput": "User accounts and permissions" }, { "command": "sudo health-control offline-info-storage", "description": "Display storage information", "expectedOutput": "Disk usage and filesystem details" }, { "command": "sudo health-control offline-info-services", "description": "Display services information", "expectedOutput": "System services status" }, { "command": "sudo health-control offline-info-all", "description": "Display all system information", "expectedOutput": "Complete system information report" }, { "command": "sudo health-control offline-bluetooth --action enable", "description": "Enable Bluetooth service", "expectedOutput": "Bluetooth enabled successfully" }, { "command": "sudo health-control offline-bluetooth --action disable", "description": "Disable Bluetooth service", "expectedOutput": "Bluetooth disabled successfully" }, { "command": "sudo health-control offline-wifi --action enable", "description": "Enable WiFi service", "expectedOutput": "WiFi enabled successfully" }, { "command": "sudo health-control offline-wifi --action disable", "description": "Disable WiFi with persistent blacklisting", "expectedOutput": "WiFi disabled and blacklisted" }, { "command": "sudo health-control offline-webcam --action enable", "description": "Enable webcam devices", "expectedOutput": "Webcam access enabled" }, { "command": "sudo health-control offline-webcam --action disable", "description": "Disable webcam devices", "expectedOutput": "Webcam access disabled" }, { "command": "sudo health-control offline-microphone --action enable", "description": "Enable microphone devices", "expectedOutput": "Microphone access enabled" }, { "command": "sudo health-control offline-microphone --action disable", "description": "Disable microphone devices", "expectedOutput": "Microphone access disabled" }, { "command": "sudo health-control offline-screen-lock --action enable", "description": "Enable automatic screen lock", "expectedOutput": "Screen lock enabled" }, { "command": "sudo health-control offline-systemlogs --action disable", "description": "Disable system logging", "expectedOutput": "System logging disabled" }, { "command": "sudo health-control offline-cups --action disable", "description": "Disable CUPS printing service", "expectedOutput": "CUPS printing disabled" }, { "command": "sudo health-control offline-networkmanager --action disable", "description": "Disable NetworkManager", "expectedOutput": "NetworkManager disabled" }, { "command": "sudo health-control offline-numlock --action enable", "description": "Enable NumLock on boot", "expectedOutput": "NumLock enabled on boot" }, { "command": "sudo health-control offline-cmdhistory --action disable", "description": "Disable command history logging", "expectedOutput": "Command history disabled" }, { "command": "sudo health-control offline-autologin --action disable", "description": "Disable automatic login", "expectedOutput": "Automatic login disabled" }, { "command": "sudo health-control offline-fdlimit --action enable --soft-limit 1024 --hard-limit 4096", "description": "Set file descriptor limits", "expectedOutput": "File descriptor limit set" }, { "command": "sudo health-control offline-netoptimize --action enable", "description": "Enable network optimizations", "expectedOutput": "Network optimizations enabled" }, { "command": "sudo health-control offline-bbr --action enable", "description": "Enable BBR congestion control", "expectedOutput": "BBR congestion control enabled" }, { "command": "sudo health-control offline-ifspeed --action enable --interface eth0 --speed 1000", "description": "Configure interface speed", "expectedOutput": "Interface speed configured" }, { "command": "sudo health-control offline-avahi --action disable", "description": "Disable Avahi service discovery", "expectedOutput": "Avahi service disabled", "notes": "Supported services: avahi, modem-manager, ssh, apache, nginx, docker, mysql, postgresql" }, { "command": "sudo health-control offline-modem-manager --action disable", "description": "Disable ModemManager service", "expectedOutput": "ModemManager disabled" }, { "command": "sudo health-control offline-ssh --action enable", "description": "Enable SSH service", "expectedOutput": "SSH service enabled" }, { "command": "sudo health-control offline-apache --action disable", "description": "Disable Apache web server", "expectedOutput": "Apache web server disabled" }, { "command": "sudo health-control offline-nginx --action disable", "description": "Disable Nginx web server", "expectedOutput": "Nginx web server disabled" }, { "command": "sudo health-control offline-docker --action disable", "description": "Disable Docker service", "expectedOutput": "Docker service disabled" }, { "command": "sudo health-control offline-mysql --action disable", "description": "Disable MySQL database service", "expectedOutput": "MySQL service disabled" }, { "command": "sudo health-control offline-postgresql --action disable", "description": "Disable PostgreSQL database service", "expectedOutput": "PostgreSQL service disabled" }, { "command": "sudo health-control offline-usb-storage --action enable", "description": "Enable USB storage devices", "expectedOutput": "USB storage access enabled" }, { "command": "sudo health-control offline-usb-storage --action disable", "description": "Disable USB storage devices", "expectedOutput": "USB storage access blocked" } ], "id": "20_system_info_offline", "title": "System Information & Offline Actions" }, { "description": "Generate secure passwords using multiple methods with batch support (auto-detects installed packages)", "examples": [ { "command": "sudo health-control genpass", "description": "Generate one password using all three methods", "expectedOutput": "Three passwords (pass, pwgen, xkcdpass)", "notes": "Automatically uses system packages if available, falls back to native implementations" }, { "command": "sudo health-control genpass --method pwgen --count 10", "description": "Generate 10 random passwords using pwgen method", "expectedOutput": "10 random passwords", "notes": "Use --count for batch generation; max 1000 per method" }, { "command": "sudo health-control genpass --method xkcdpass --count 50", "description": "Generate 50 memorable XKCD-style passphrases", "expectedOutput": "50 word-based passphrases", "notes": "XKCD method creates memorable multi-word passwords" }, { "command": "sudo health-control genpass --count 90", "description": "Generate 90 passwords from each method (270 total)", "expectedOutput": "270 passwords (90 from each of the 3 methods)", "notes": "When using --count without --method, generates specified count from ALL methods" }, { "command": "sudo health-control genpass --method pwgen --count 20 --length 32 --symbols \"@-_!#$\"", "description": "Generate 20 custom passwords with specific length and symbols", "expectedOutput": "20 passwords with 32 characters including specified symbols", "notes": "Customize password generation with --length and --symbols options" }, { "command": "sudo health-control genpass --uppercase --digits --count 15", "description": "Generate 15 passwords with only uppercase letters and digits", "expectedOutput": "15 alphanumeric passwords (uppercase + digits only)" }, { "command": "sudo health-control genpass --count 100 --json", "description": "Generate 100 passwords from each method in JSON format", "expectedOutput": "JSON array with 300 passwords", "notes": "JSON output ideal for scripting and automation" }, { "command": "sudo health-control genpass --force-native --count 25", "description": "Force use of native Rust implementations (skip package detection)", "expectedOutput": "25 passwords from each method using native fallbacks", "notes": "Useful for testing or when system packages are unreliable" } ], "id": "21_password_generation", "title": "Password Generation" }, { "description": "Automatic RAM wiping on shutdown with multiple policies (custom, sdmem, both, auto), installation, configuration, testing, and cold boot attack defenses", "examples": [ { "command": "# WORKFLOW: Setting up RAM wipe on shutdown", "description": "Complete workflow for first-time RAM wipe setup", "expectedOutput": "Step-by-step guide", "notes": "STEP 1: Install hooks (REQUIRED FIRST): sudo health-control wipe-ram-install\nSTEP 2: Configure policy (OPTIONAL): sudo health-control wipe-ram-config --policy sdmem\nSTEP 3: Enable if disabled: sudo health-control ram-wipe-enable\nSTEP 4: Verify status: sudo health-control ram-wipe-status\n\nKEY DIFFERENCES:\n• wipe-ram-install = FIRST-TIME SETUP (installs systemd shutdown hooks)\n• ram-wipe-enable = ENABLE/DISABLE (turns functionality on/off, hooks must exist)\n• wipe-ram-config = UPDATE SETTINGS (change policy, passes, time budget)\n• wipe-ram = MANUAL EXECUTION (test or emergency wipe NOW, not on shutdown)" }, { "command": "sudo health-control wipe-ram-install", "description": "Install RAM wipe system with default settings (kodachi-wiper policy, 60s timeout)", "expectedOutput": "RAM wipe system installed successfully", "notes": "FIRST-TIME SETUP - Installs systemd hooks, configures policies, detects Kicksecure compatibility. Creates /etc/kodachi-ram-wipe.conf with defaults" }, { "command": "sudo health-control wipe-ram-install --policy kodachi-wiper --time 60", "description": "Install RAM wipe with kodachi-wiper policy and 60 second time budget", "expectedOutput": "Installed with kodachi-wiper policy", "notes": "Fastest installation - Single-pass wipe, suitable for systems with <8GB RAM or frequent reboots" }, { "command": "sudo health-control wipe-ram-install --policy sdmem --passes 3", "description": "Install RAM wipe with sdmem policy using 3 overwrite passes", "expectedOutput": "Installed with sdmem 3-pass policy", "notes": "SECURE INSTALLATION - 3 passes (random, zeros, random). Good balance of security and speed. Recommended for 8-16GB RAM systems" }, { "command": "sudo health-control wipe-ram-install --policy both --split 60", "description": "Install with both policies: 60% time for kodachi-wiper, 40% for sdmem", "expectedOutput": "Installed with dual-policy split", "notes": "HYBRID APPROACH - Time-split between kodachi-wiper (fast) and sdmem (thorough). Example: 120s budget = 72s kodachi-wiper + 48s sdmem. Maximum security coverage" }, { "command": "sudo health-control wipe-ram-install --force", "description": "Force installation even if Kicksecure/Whonix RAM wipe detected", "expectedOutput": "Force installed, Kicksecure overridden", "notes": "OVERRIDE MODE - Bypasses Kicksecure detection. Use when you want Kodachi's RAM wipe instead of Kicksecure's built-in wipe. May cause conflicts" }, { "command": "sudo health-control ram-wipe-status", "description": "Check RAM wipe configuration and current status", "expectedOutput": "RAM wipe status with memory info and auto-wipe settings", "notes": "Shows: enabled/disabled state, current policy (kodachi-wiper/sdmem/both/auto), time budget, sdmem passes, total RAM size, Kicksecure detection" }, { "command": "sudo health-control ram-wipe-status --json", "description": "RAM wipe status in JSON format for automation", "expectedOutput": "JSON formatted status with all configuration details", "notes": "JSON OUTPUT DEMO - Shows all config fields in machine-readable format for scripts and monitoring systems" }, { "command": "sudo health-control wipe-ram-config --policy auto", "description": "Update existing RAM wipe policy to auto-detection", "expectedOutput": "Policy updated to auto" }, { "command": "sudo health-control wipe-ram-config --passes 5 --split 70", "description": "Update sdmem passes to 5 and time split to 70/30", "expectedOutput": "Multiple parameters updated", "notes": "PASS COUNT - More passes = more thorough but slower. 1-3=fast, 4-6=balanced, 7-9=maximum. SPLIT - Higher kodachi-wiper%=speed, higher sdmem%=security" }, { "command": "sudo health-control ram-wipe-enable", "description": "Enable RAM wipe configuration (hooks must be installed first)", "expectedOutput": "RAM wipe configuration enabled + WARNING if hooks not installed", "notes": "IMPORTANT: This only enables the CONFIG. You must run 'wipe-ram-install' FIRST to install systemd hooks. Will show clear warning if hooks are missing." }, { "command": "sudo health-control ram-wipe-disable", "description": "Disable automatic RAM wiping", "expectedOutput": "RAM wipe disabled successfully", "notes": "WARNING - Disabling RAM wipe leaves sensitive data in RAM accessible to physical attacks" }, { "command": "sudo health-control wipe-ram-test", "description": "Test RAM wipe system with dry-run (no actual wiping)", "expectedOutput": "RAM wipe test completed successfully", "notes": "SAFE TESTING - Simulates wipe operation without actually overwriting memory. Tests configuration, timing, and policy execution. Use before first real wipe" }, { "command": "sudo health-control wipe-ram-test --policy kodachi-wiper --time 10", "description": "Test kodachi-wiper policy with 10 second time budget", "expectedOutput": "Kodachi-wiper policy test completed in 10s", "notes": "Quick test - Validates kodachi-wiper policy works correctly. 10s budget ensures fast test completion" }, { "command": "sudo health-control wipe-ram-test --json", "description": "Test RAM wipe with detailed JSON diagnostic metrics", "expectedOutput": "JSON test results with performance data", "notes": "DIAGNOSTIC OUTPUT - Returns timing, memory stats, policy execution details, and potential issues. Essential for troubleshooting" }, { "command": "sudo health-control wipe-ram", "description": "Execute RAM wipe operation manually with configured policy", "expectedOutput": "RAM wiped successfully", "notes": "ADVANCED - Manually trigger RAM wipe using system configuration. Automatically called by shutdown hooks. Use for testing or emergency wipe" }, { "command": "sudo health-control wipe-ram --shutdown-mode", "description": "Execute RAM wipe optimized for shutdown context", "expectedOutput": "RAM wiped in shutdown mode", "notes": "INTERNAL USE - Shutdown-optimized mode disables unnecessary checks and output. Used by systemd shutdown hooks" }, { "command": "sudo health-control wipe-ram --policy kodachi-wiper", "description": "Execute RAM wipe using kodachi-wiper overwrite policy", "expectedOutput": "RAM wiped with kodachi-wiper policy", "notes": "POLICY: Kodachi-wiper fast overwrite algorithm - Single pass with random data. Fastest but least thorough (60-120 seconds for 8GB)" }, { "command": "sudo health-control wipe-ram --policy sdmem", "description": "Execute RAM wipe using sdmem utility (multiple passes)", "expectedOutput": "RAM wiped with sdmem", "notes": "POLICY: sdmem (secure-delete memory) - Multiple passes with patterns. Slower but more thorough (3-7 passes configurable). Government-grade erasure" }, { "command": "sudo health-control wipe-ram --policy both", "description": "Execute RAM wipe using both kodachi-wiper AND sdmem sequentially", "expectedOutput": "RAM wiped with combined policy", "notes": "POLICY: Maximum security - Kodachi-wiper FIRST (fast pass), then sdmem (thorough passes). Best security but longest time. Recommended for high-security environments" }, { "command": "sudo health-control wipe-ram --policy auto", "description": "Execute RAM wipe with automatic policy selection based on available RAM", "expectedOutput": "RAM wiped with auto-detected policy", "notes": "POLICY: Auto-detection - Chooses policy based on RAM size and available time: <4GB=kodachi-wiper, 4-16GB=both, >16GB=sdmem. Balances speed and security" }, { "command": "sudo health-control wipe-ram --time 120", "description": "Execute RAM wipe with 120 second time budget", "expectedOutput": "RAM wiped within time limit", "notes": "TIME BUDGET - Maximum seconds allowed for wipe operation. System will shutdown/reboot when time expires even if wipe incomplete. Critical for automated shutdowns" }, { "command": "sudo health-control ram-wipe-detect-kicksecure", "description": "Detect if Kicksecure/Whonix RAM wipe is installed", "expectedOutput": "Kicksecure detection results", "notes": "COMPATIBILITY CHECK - Detects Kicksecure's ram-wipe-on-boot package. Prevents conflicts between Kodachi and Kicksecure RAM wipe systems" }, { "command": "sudo health-control ram-wipe-update --policy auto --time 150", "description": "Update RAM wipe policy to auto with 150 second time budget", "expectedOutput": "Policy and time budget updated", "notes": "SMART MODE - System automatically selects best policy based on: RAM size, shutdown urgency, battery status (laptops). Recommended for most users" }, { "command": "sudo health-control coldboot-defense-enable", "description": "Enable cold boot attack defense mechanisms", "expectedOutput": "Cold boot defense enabled", "notes": "PHYSICAL SECURITY - Protects against cold boot attacks that recover encryption keys from RAM after power loss. Enables: RAM overwriting on shutdown, memory scrambling, DMA protection" }, { "command": "sudo health-control coldboot-defense-disable", "description": "Disable cold boot attack defense", "expectedOutput": "Cold boot defense disabled", "notes": "WARNING - Disabling leaves encryption keys vulnerable to physical RAM extraction attacks. Only disable if you have alternative physical security" } ], "id": "22_ram_wipe_cold_boot", "title": "RAM Wipe & Cold Boot Protection" }, { "description": "Swap space enable/disable, configuration, encryption with dm-crypt, and performance tuning with swappiness and cache pressure settings", "examples": [ { "command": "sudo health-control swap-enable", "description": "Enable and activate swap space for memory overflow", "expectedOutput": "Swap enabled successfully", "notes": "STABILITY FEATURE - Activates swap partitions/files for memory overflow. Improves system stability under memory pressure but may leak sensitive data to disk" }, { "command": "sudo health-control swap-disable", "description": "Disable and deactivate all swap space", "expectedOutput": "Swap disabled successfully", "notes": "SECURITY FEATURE - Deactivates all swap to prevent disk leakage of sensitive data. May cause out-of-memory errors if RAM insufficient" }, { "command": "sudo health-control swap-status", "description": "Check swap status, devices, size, and usage", "expectedOutput": "Swap devices list with usage statistics", "notes": "Shows: active swap devices, total/used/available size, swap usage percentage, encryption status, swappiness value" }, { "command": "sudo health-control swap-configure --swappiness 10 --cache-pressure 100", "description": "Configure swap parameters for optimal performance", "expectedOutput": "Swap parameters configured", "notes": "PERFORMANCE TUNING - Swappiness (0-100): 0=never swap, 10=minimal, 60=default, 100=aggressive. Cache pressure controls VFS cache retention (default 100)" }, { "command": "sudo health-control swap-encrypt", "description": "Encrypt swap with random key generated on each boot", "expectedOutput": "Swap space encrypted", "notes": "ENCRYPTION SECURITY - Uses dm-crypt with random key per boot. Protects swapped memory from offline disk forensics. Slight performance impact (~5-10%)" }, { "command": "sudo health-control swap-decrypt", "description": "Remove swap encryption and revert to plain swap", "expectedOutput": "Swap decrypted", "notes": "WARNING - Removes encryption protection. Swapped data will be readable from disk in clear text. Only use if encryption causes performance issues" }, { "command": "sudo health-control swap-encrypt-status", "description": "Check swap encryption status and configuration", "expectedOutput": "Encryption status with cipher details", "notes": "Shows: encryption enabled/disabled, cipher type (aes-xts-plain64), key size, whether using random keys, encrypted device mapper name" }, { "command": "sudo health-control enable-swap", "description": "Enable swap (alternative command alias)", "expectedOutput": "Swap enabled" }, { "command": "sudo health-control disable-swap", "description": "Disable swap (alternative command alias)", "expectedOutput": "Swap disabled" } ], "id": "23_swap_management", "title": "Swap Management & Encryption" }, { "description": "Memory usage statistics, cache cleaning, and memory optimization without data loss", "examples": [ { "command": "sudo health-control memory-stats", "description": "Show current memory usage statistics (total, available, used, cached)", "expectedOutput": "Memory usage breakdown with utilization percentages" }, { "command": "sudo health-control memory-stats --json-human", "description": "Memory statistics in human-readable JSON format", "expectedOutput": "Pretty-printed JSON with human-readable sizes (MB/GB)", "notes": "JSON OUTPUT DEMO - Use --json for compact machine-readable format, --json-human for readable format with color and formatting" }, { "command": "sudo health-control memory-clean", "description": "Clean memory caches and buffers (pagecache, dentries, inodes)", "expectedOutput": "Memory cleaned successfully", "notes": "Safe operation - drops caches but does NOT kill processes. Improves available memory without data loss" }, { "command": "sudo health-control memory-force-clean", "description": "Force aggressive memory cleanup (sync + drop_caches=3)", "expectedOutput": "Memory force cleaned", "notes": "ADVANCED - Kills top memory-consuming process + aggressive cache drop. Use with caution in production" } ], "id": "24_memory_stats_cleanup", "title": "Memory Statistics & Cleanup" }, { "description": "Secure process memory wiping before termination and per-process memory limits using cgroups for browsers and applications", "examples": [ { "command": "sudo health-control memory-wipe", "description": "Securely wipe memory contents (anti-forensics)", "expectedOutput": "Memory wiped securely", "notes": "SECURITY FEATURE - Overwrites memory with random data to prevent forensic recovery. Used for sensitive operations" }, { "command": "sudo health-control memory-wipe-process --value firefox", "description": "Securely wipe Firefox process memory before termination", "expectedOutput": "Firefox process memory wiped successfully", "notes": "PRIVACY PROTECTION - Clears sensitive data (passwords, session keys, browsing history) from process memory before kill" }, { "command": "sudo health-control memory-wipe-process --value chrome", "description": "Securely wipe Chrome browser memory", "expectedOutput": "Chrome process memory wiped successfully", "notes": "Clears authentication tokens, cached passwords, and browsing data from Chrome's memory space" }, { "command": "sudo health-control memory-wipe-process --value thunderbird", "description": "Securely wipe Thunderbird email client memory", "expectedOutput": "Thunderbird process memory wiped successfully", "notes": "Erases email content, credentials, and encryption keys from email client memory" }, { "command": "sudo health-control memory-wipe-process --value tor-browser", "description": "Securely wipe Tor Browser memory", "expectedOutput": "Tor Browser process memory wiped successfully", "notes": "Clears Tor circuit keys, browsing session data, and cached .onion addresses from memory" }, { "command": "sudo health-control memory-limits --value firefox --limit 2048", "description": "Set Firefox memory limit to 2048 MB using cgroups", "expectedOutput": "Firefox memory limit set to 2048 MB", "notes": "RESOURCE CONTROL - Uses Linux cgroups to enforce hard memory limits per process. Prevents single process from consuming excessive memory. Process killed if limit exceeded" }, { "command": "sudo health-control memory-limits --value chrome --limit 1024", "description": "Set Chrome memory limit to 1024 MB", "expectedOutput": "Chrome memory limit set to 1024 MB", "notes": "Chrome often consumes excessive memory. Limiting prevents system slowdown. Note: Limit applies to total browser memory across all processes" }, { "command": "sudo health-control memory-limits --value tor-browser --limit 1536", "description": "Set Tor Browser memory limit to 1536 MB", "expectedOutput": "Tor Browser memory limit set to 1536 MB", "notes": "Tor Browser requires more memory than standard browsers due to Tor circuit management and enhanced security features. 1536MB recommended minimum" }, { "command": "sudo health-control memory-limits --list", "description": "List all configured memory limits and their current usage", "expectedOutput": "Table of processes with memory limits and usage", "notes": "Shows: process name, configured limit, current memory usage, limit utilization percentage, cgroup path, status (active/inactive)" } ], "id": "25_process_memory_security", "title": "Process Memory Security" } ], "description": "Usage examples for health-control", "name": "health-control", "quickReference": [ "sudo health-control --help", "sudo health-control --version", "sudo health-control --info --json", "sudo health-control --examples --json" ] }, "errors": [], "metadata": { "executionTime": 20, "hostname": "RHEL-8-Server", "user": "kodachi" }, "status": "success", "timestamp": "2026-03-07T18:01:34.090626910Z", "version": "9.0.1", "warnings": [] } } }