health-control
Health control system for Kodachi that includes network connectivity checks and system health monitoring
Version: 9.0.1 | Size: 13.7MB | Author: Warith Al Maawali
License: Proprietary | Website: https://www.digi77.com
File Information
| Property | Value |
|---|---|
| Binary Name | health-control |
| Version | 9.0.1 |
| Build Date | 2026-03-23T08:25:51.206091356Z |
| Rust Version | 1.82.0 |
| File Size | 13.7MB |
SHA256 Checksum
Features
| Feature | Description |
|---|---|
| Feature | Network connectivity monitoring |
| Feature | Internet traffic control |
| Feature | Security hardening |
| Feature | System integrity checking |
| Feature | Offline system management |
Security Features
| Feature | Description |
|---|---|
| Authentication | Secure authentication with certificate pinning |
| Encryption | TLS 1.3 for all network communications |
| Input validation | All inputs are validated and sanitized |
| Rate limiting | Built-in rate limiting for network operations |
System Requirements
| Requirement | Value |
|---|---|
| OS | Linux (Debian-based) |
| Privileges | root/sudo for system operations |
| Dependencies | OpenSSL, libcurl |
Global Options
| Flag | Description |
|---|---|
| -h, --help | Print help information |
| -v, --version | Print version information |
| -n, --info | Display detailed information |
| -e, --examples | Show usage examples |
| --json | Output in JSON format |
| --json-pretty | Pretty-print JSON output with indentation |
| --json-human | Enhanced JSON output with improved formatting (like jq) |
| --verbose | Enable verbose output |
| --quiet | Suppress non-essential output |
| --no-color | Disable colored output |
| --config <FILE> | Use custom configuration file |
| --timeout <SECS> | Set timeout (default: 30) |
| --retry <COUNT> | Retry attempts (default: 3) |
Commands
Data Destruction
wipe-file
Securely wipe a file with multiple passes
Usage:
Examples:
wipe-directory
Securely wipe an entire directory and its contents
Usage:
Examples:
wipe-user-dir
Securely wipe a common user directory (downloads, desktop, documents)
Usage:
Examples:
wipe-logs
Securely wipe system logs (journal, syslog, auth.log, kern.log), user history (bash, zsh, python), and application cache logs
Usage:
Examples:
wipe-batch
Batch wipe multiple files
Usage:
Examples:
wipe-browser-data
Wipe browser data and history
Usage:
Examples:
wipe-free-space
Securely wipe free space on a mounted filesystem (use mount points like '/', '/home' or device paths)
Usage:
Examples:
wipe-pattern
Wipe files matching pattern (use --pattern flag or positional argument)
Usage:
Examples:
wipe-schedule
Schedule automatic data wiping
Usage:
Examples:
wipe-verify
Verify that a file was wiped properly
Usage:
Examples:
Display & Power
conky-enable
Start Conky widget
Usage:
Examples:
conky-disable
Stop Conky widget
Usage:
Examples:
conky-status
Check Conky running/installed/boot state
Usage:
Examples:
conky-boot-enable
Enable Conky on boot (autostart/systemd)
Usage:
Examples:
conky-boot-disable
Disable Conky on boot
Usage:
Examples:
screensaver-disable
Disable XFCE screensaver
Usage:
Examples:
screensaver-enable
Enable XFCE screensaver
Usage:
Examples:
screensaver-status
Check screensaver status
Usage:
Examples:
dpms-disable
Disable display power management
Usage:
Examples:
dpms-enable
Enable display power management
Usage:
Examples:
dpms-status
Check DPMS and timeout settings
Usage:
Examples:
lock-screen
Lock the screen
Usage:
Examples:
session-logout
End XFCE session
Usage:
Examples:
suspend
Suspend to RAM
Usage:
Examples:
conky-mask-enable
Mask sensitive info in Conky panels
Usage:
Examples:
conky-mask-disable
Unmask Conky panels
Usage:
Examples:
conky-mask-status
Check if Conky privacy masking is active
Usage:
Examples:
Emergency Operations
kill-switch-arm
Arm the emergency kill switch - sets system to high-alert state for manual activation. NOTE: This prepares the system for rapid response but does NOT actively monitor for threats. It's a preparedness state that allows quick manual activation via kill-switch-activate command.
Usage:
Examples:
kill-switch-disarm
Disarm the emergency kill switch
Usage:
Examples:
kill-switch-status
Check if kill switch monitoring is armed/disarmed. Shows armed time, trigger count, and monitoring state. Does NOT activate anything - just displays current status.
Usage:
Examples:
kill-switch-activate
IMMEDIATELY activate emergency procedures. Unlike 'arm' which monitors, this executes panic mode NOW. Choose level: soft (network+lock), medium (default: +kill processes), hard (+RAM wipe+shutdown)
Usage:
Examples:
panic-soft
IMMEDIATE soft panic mode. Actions: Kill all network connections, clear clipboard, lock screen. NO CONFIRMATION. Reversible by restarting network. Use for quick privacy protection.
Usage:
Examples:
panic-hard
IMMEDIATE hard panic mode with CONFIRMATION. CRITICAL: Kill network, clear clipboard, terminate ALL processes, clear memory, unmount devices, wipe RAM, IMMEDIATE SHUTDOWN. IRREVERSIBLE - system will shutdown!
Usage:
Examples:
panic-medium
IMMEDIATE medium panic mode with CONFIRMATION. Actions: Kill network, clear clipboard, terminate non-essential processes, clear memory, unmount devices, lock screen. Requires manual system restart to fully restore.
Usage:
Examples:
panic-profile
Configure automated emergency response profile that defines system actions during panic mode activation
Usage:
Examples:
panic-recover
Activate panic recovery mode
Usage:
Examples:
create-recovery-point
Create system recovery checkpoint
Usage:
Examples:
nuke-execute
Execute emergency data destruction sequence (DANGEROUS - use --dry-run for testing)
Usage:
Options:
- --method, -m <METHOD>: Wipe method: fast, secure (default), paranoid
- --dry-run: Test mode - shows actions without executing
- --force, -f: Skip confirmation prompt (DANGEROUS)
Examples:
nuke-progress
Get current nuke mode execution progress
Usage:
Examples:
nuke-storage-detect
Detect storage type (SSD/HDD/NVMe) for a device
Usage:
Options:
- --device, -d <DEVICE>: Device path to check
Examples:
Emergency Shortcuts
emergency-trigger
Execute an emergency plan (dashboard, luks, both). Requires local session token from kodachi-session-helper daemon. Use --dry-run for testing.
Usage:
health-control emergency-trigger --plan <dashboard|luks|both> [--device <dev>] [--silent] [--force] [--dry-run]
Options:
- --plan <PLAN>: Emergency plan: dashboard, luks, both
- --device <DEVICE>: LUKS device path (required for luks/both plans)
- --dry-run: Log planned actions without executing
- --silent: Suppress stdout output
- --force: Skip readiness checks
Examples:
emergency-lockdown
Start a delayed countdown that triggers an emergency plan when the timer expires. Persists state for crash recovery. Requires local session token.
Usage:
health-control emergency-lockdown --delay <seconds> [--plan <dashboard|luks|both>] [--device <dev>] [--dry-run]
Options:
- --delay <SECONDS>: Countdown delay in seconds
- --plan <PLAN>: Emergency plan: dashboard (default), luks, both
- --device <DEVICE>: LUKS device path (required for luks/both plans)
- --dry-run: Log planned actions without starting timer
Examples:
emergency-lockdown-status
Show current emergency lockdown state: active/inactive, remaining seconds, plan. No authentication required (read-only).
Usage:
Examples:
emergency-lockdown-cancel
Cancel an active emergency lockdown countdown. Requires local session token.
Usage:
Examples:
Hardware Security
hardware-rng-verify
Verify hardware random number generator status
Usage:
Examples:
entropy-status
Check system entropy pool status and quality
Usage:
Examples:
coldboot-defense-enable
Enable cold boot defense mechanisms
Usage:
Examples:
coldboot-defense-disable
Disable cold boot defense mechanisms
Usage:
Examples:
coldboot-defense-status
Check cold boot defense mechanisms status
Usage:
Examples:
boot-integrity-check
Check boot chain integrity and security status
Usage:
Examples:
Hostname Management
set-default-hostname
Set the default hostname
Usage:
Examples:
set-random-hostname
Set a random hostname
Usage:
Examples:
set-custom-hostname
Set a custom hostname
Usage:
Examples:
Internet Traffic Control
block-internet
Block all internet traffic
Usage:
Examples:
unblock-internet
Unblock internet traffic
Usage:
Examples:
internet-status
Check internet blocking status
Usage:
Examples:
recover-internet
Recover internet connectivity
Usage:
Examples:
fast-recover-internet
Fast internet recovery - bounce interface, restart NetworkManager, renew DHCP
Usage:
Examples:
kill-network
Emergency network kill switch
Usage:
Examples:
kill-network-interface
Kill specific network interface
Usage:
Examples:
kill-process
Kill specific process by name or PID
Usage:
Examples:
enable
Enable a watch-guard to monitor system changes and block internet on triggers
Usage:
Options:
- --type: Type of watch-guard to enable
- --watch: What to watch for changes (ip, timezone, interfaces, process)
- --target: Process name to watch (required for process watch)
- --method: Blocking method to use when triggered
- --daemon: Run monitoring as a persistent daemon process
- --interval: Custom check interval in seconds (1-300)
- --actions: Comma-separated actions to execute when triggered
Examples:
sudo health-control enable --type watch-guard --watch mac --method nftables --actions log_event,randomize_hostname
sudo health-control enable --type watch-guard --watch vpn --method nftables --actions log_event,show_alert,block_network
disable
Disable an active watch-guard and optionally unblock internet
Usage:
Options:
- --type: Type of command to disable
- --no-unblock: Do not unblock internet after disabling watch-guard
Examples:
watch-guard
Show status of active watch-guards
Usage:
Examples:
daemon
Run watch-guard monitoring as a persistent daemon process
Usage:
Options:
- --config-id: Configuration ID to monitor
Examples:
MAC Address Management
mac-change-all
Change all MAC addresses
Usage:
Examples:
mac-force-change
Force change all MAC addresses (disable interfaces first)
Usage:
Examples:
mac-change-specific
Change specific interface MAC address
Usage:
Examples:
mac-show-interfaces
Show available network interfaces
Usage:
Examples:
mac-show-macs
Show current MAC addresses
Usage:
Examples:
mac-reset-all
Reset all MAC addresses to default
Usage:
Examples:
mac-active-interface
Show active network interface
Usage:
Examples:
Memory Management
memory-clean
Clean memory caches and buffers
Usage:
Examples:
memory-force-clean
Force clean memory by killing top process
Usage:
Examples:
memory-wipe
Secure RAM wipe (sdmem)
Usage:
Examples:
memory-wipe-process
Wipe memory of specific process
Usage:
Examples:
memory-limits
Manage process memory limits
Usage:
Examples:
memory-stats
Display memory statistics and history
Usage:
Examples:
swap-configure
Configure swap settings
Usage:
Examples:
disable-swap
Disable swap memory
Usage:
Examples:
enable-swap
Enable swap memory
Usage:
Examples:
Network Connectivity
net-check
Check network connectivity (IP and DNS only)
Usage:
health-control net-check [--timeout <SECONDS>] [--http] [--ip-only] [--domain-only] [--dns-server <ADDRESS:PORT>]
Options:
- --timeout <SECONDS>: Timeout in seconds for each connectivity check
- --http: Include HTTP connectivity check
- --ip-only: Check IP connectivity only, skip DNS checks
- --domain-only: Check domain connectivity only, skip IP ping
- --dns-server <ADDRESS:PORT>: Custom DNS server address (e.g., 127.0.0.1:5353 for Tor DNS)
Examples:
net-check-http
Check network connectivity including HTTP
Usage:
Examples:
list-ips
List IPs used for connectivity testing
Usage:
Examples:
list-domains
List domains used for connectivity testing
Usage:
Examples:
Offline Actions
offline-postgresql
Manage PostgreSQL database service
Usage:
Examples:
Password Generation
genpass
Generate secure passwords using multiple methods (pass, pwgen, xkcdpass)
Usage:
Examples:
Security
security-status
Show comprehensive security status
Usage:
Examples:
Security Assessment
security-score
Calculate security score and get recommendations
Usage:
Examples:
security-report
Generate comprehensive security report
Usage:
Examples:
security-profile
Set security profile and thresholds
Usage:
Examples:
security-history
View security configuration history
Usage:
Examples:
security-remediate
Auto-remediate security issues
Usage:
Examples:
security-schedule
Schedule security scans (hourly, daily, weekly, monthly, disable)
Usage:
Examples:
rootkit-scan-enhanced
Enhanced rootkit scanning with multiple tools
Usage:
Examples:
lynis-audit
Run Lynis security audit
Usage:
Examples:
lynis-status
Check Lynis installation status
Usage:
Examples:
clamav-scan
Scan system with ClamAV antivirus
Usage:
Examples:
system-audit
Perform comprehensive system security audit
Usage:
Examples:
Security Hardening
security-harden
Apply comprehensive security hardening
Usage:
Examples:
security-verify
Verify if security hardening is properly applied (checks all 7 modules and reports their status)
Usage:
Examples:
security-recover
Temporarily revert security hardening (keeps framework enabled for quick re-hardening)
Usage:
Examples:
security-reset
Completely disable all security modules and framework (permanent removal)
Usage:
Examples:
monitoring-enable
Enable system monitoring features
Usage:
Examples:
monitoring-disable
Disable system monitoring features
Usage:
Examples:
monitoring-status
Check system security monitoring status
Usage:
Examples:
ipv6-disable
Disable IPv6 system-wide
Usage:
Examples:
ipv6-enable
Enable IPv6 system-wide
Usage:
Examples:
tirdad-enable
Enable Tirdad TCP ISN randomization
Usage:
Examples:
tirdad-disable
Disable Tirdad TCP ISN randomization
Usage:
Examples:
tirdad-status
Check Tirdad TCP ISN randomization status
Usage:
Examples:
ipv6-status
Check IPv6 status
Usage:
Examples:
ram-wipe
Enable secure RAM wiping on shutdown
Usage:
Examples:
wipe-ram-install
Install RAM wipe system (hooks + configuration) - Run this first if not already installed
Usage:
Options:
- --force: Force installation even if Kicksecure/Whonix RAM wipe detected. WARNING: May conflict with existing systems
- --policy <MODE>: Initial wipe policy: kodachi-wiper (fast, recommended)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)
- --time <SECS>: Time budget for shutdown RAM wiping (default: 60s). Recommended: 60-90s desktops, 120-300s servers
- --passes <NUM>: Number of sdmem overwrite passes 1-9 (default: 3). More passes = more secure but slower. Recommended: 3 balanced, 7+ high-security
Examples:
ram-wipe-status
Show RAM wipe system status - Check this first before installing or configuring
Usage:
Examples:
wipe-ram-config
Update RAM wipe configuration - Use this to modify settings after installation
Usage:
Options:
- --policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)
- --time <SECS>: Set time budget for shutdown RAM wiping. Recommended: 60-90s desktops, 120-300s servers
- --passes <NUM>: Set number of sdmem passes (1-9). More = secure but slower. Recommended: 3 balanced, 7+ high-security
- --split <PCT>: Set time split for 'both' mode (10-90). Example: 70 = 70% kodachi-wiper, 30% sdmem. Higher = faster but less secure
Examples:
ram-wipe-enable
Enable automatic RAM wiping on shutdown
Usage:
Examples:
ram-wipe-disable
Disable automatic RAM wiping
Usage:
Examples:
wipe-ram-test
Test RAM wipe operation (dry-run with short time budget) - Run this to verify installation before relying on automatic wipes
Usage:
Options:
- --policy <MODE>: Test specific wipe policy: kodachi-wiper (fast)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)
- --time <SECS>: Test time budget in seconds (default: 10). Quick test only - actual shutdown wipe uses configured time budget from wipe-ram-config
Examples:
wipe-ram
Execute RAM wipe operation (primarily used by systemd/init shutdown hooks, but can be run manually for testing)
Usage:
Options:
- --shutdown-mode: INTERNAL USE - Shutdown-optimized mode for systemd/init hooks. Users should use 'wipe-ram' without this flag
- --no-console: Disable console output for silent operation (useful in scripts and background tasks)
- --policy <MODE>: Override wipe policy: kodachi-wiper (fast native wiper for quick shutdowns)|sdmem (secure DoD-standard multi-pass for maximum security)|both (hybrid approach: fast+secure)|auto (intelligent auto-selection based on system capabilities)
- --time <SECS>: Override time budget in seconds (how long to spend wiping RAM). Higher values = more memory wiped but longer shutdown time
Examples:
ram-wipe-detect-kicksecure
Detect Kicksecure/Whonix RAM wipe installation
Usage:
Examples:
ram-wipe-update
Update RAM wipe configuration (alias for wipe-ram-config)
Usage:
Options:
- --policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)
- --time <SECS>: Set time budget in seconds
- --passes <NUM>: Set sdmem passes (1-9)
- --split <PCT>: Set custom/sdmem split for 'both' mode (10-90)
Examples:
disk-encryption-status
Check disk encryption status and security
Usage:
Examples:
swap-enable
Enable swap partition/file
Usage:
Examples:
swap-disable
Disable swap partition/file
Usage:
Examples:
swap-encrypt
Encrypt swap partition/file
Usage:
Examples:
swap-status
Check swap status and configuration
Usage:
Examples:
swap-decrypt
Decrypt encrypted swap partition/file
Usage:
Examples:
swap-encrypt-status
Check swap encryption status
Usage:
Examples:
usb-list
List all USB devices
Usage:
Examples:
luks-nuke
Manage LUKS nuke passwords
Usage:
Examples:
sudo health-control luks-nuke --action restore-backup --device /dev/sda1 --backup-file header-sda1-20260304-014630.img.gpg
sudo health-control luks-nuke --action delete-backup --backup-file header-sda1-20260304-014630.img.gpg
luks-detect
Detect valid LUKS devices on the system
Usage:
Examples:
luks-manage
Manage LUKS encrypted devices
Usage:
Examples:
luks-nuke-advanced
Advanced LUKS nuke configuration (emergency wipe)
Usage:
Examples:
luks-remove
Remove LUKS encryption from device
Usage:
Examples:
luks-manage-advanced
Advanced LUKS device management
Usage:
Examples:
sudo health-control luks-manage-advanced --action backup-header --device /dev/sdb1 --backup-file /tmp/header.backup
sudo health-control luks-manage-advanced --action restore-header --device /dev/sdb1 --backup-file /tmp/header.backup
create-persistence
Create Debian live-boot persistence media
Usage:
Examples:
create-persistence-other-os
Create persistence for other Linux distributions (Kali, Parrot, Tails)
Usage:
Examples:
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type tails --encrypted --password 'MyPass123'
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted --json
encryption-status
Check storage encryption status
Usage:
Examples:
container-create
Create encrypted container
Usage:
Examples:
container-mount
Mount encrypted container
Usage:
Examples:
container-unmount
Unmount encrypted container
Usage:
Examples:
Security Tools
rootkit-scan
Quick rootkit scan (fast, essential checks)
Usage:
Examples:
kloak-status
Check Kloak keyboard anonymization status
Usage:
Examples:
kloak-enable
Enable Kloak keyboard anonymization
Usage:
Examples:
kloak-disable
Disable Kloak keyboard anonymization
Usage:
Examples:
kloak-configure
Configure Kloak keystroke anonymization settings
Usage:
Examples:
kloak-event-mode
Set Kloak event processing mode
Usage:
Examples:
kloak-stats
Show Kloak keystroke anonymization statistics
Usage:
Examples:
aide-update
Update AIDE database after legitimate changes
Usage:
Examples:
aide-check
Check file integrity with AIDE
Usage:
Examples:
aide-init
Initialize AIDE database for file integrity monitoring
Usage:
Examples:
aide-reinit
Reinitialize AIDE database (reset baseline)
Usage:
Examples:
aide-scan-dir
Scan specific directory with AIDE
Usage:
Examples:
Storage & USB Security
list-storage-devices
List all storage devices with safety information for persistence operations
Usage:
Examples:
usb-safety-check
Check if a device is safe for persistence/formatting operations
Usage:
Examples:
Storage Security
storage-wipe
Securely wipe storage devices and free space
Usage:
Examples:
storage-encrypt
Encrypt a storage device
Usage:
Examples:
encryption-tune
Optimize encryption performance and security settings
Usage:
Examples:
System Control
get-hostname
Get the current hostname
Usage:
Examples:
change-hostname
Change hostname (prompts for new hostname)
Usage:
Examples:
list-hostnames
List available hostnames by category
Usage:
Examples:
set-random-hostname-category
Set a random hostname from a specific category
Usage:
Examples:
get-logged-user
Get the actual logged-in user (handles sudo correctly)
Usage:
Examples:
show-timezone
Show current system timezone
Usage:
Examples:
sync-timezone
Sync timezone based on IP geolocation
Usage:
Examples:
show-remote-timezone
Show timezone based on current IP location
Usage:
Examples:
set-timezone
Set system timezone
Usage:
Examples:
list-timezones
List available timezones by category
Usage:
Examples:
set-random-timezone
Set a random timezone from a specific category
Usage:
Examples:
play-sound
Play notification sound
Usage:
Examples:
notify
Send desktop notification
Usage:
Examples:
System Information
offline-info-system
Display comprehensive system information
Usage:
Examples:
offline-info-hardware
Display hardware information
Usage:
Examples:
offline-info-process
Display process information
Usage:
Examples:
offline-info-security
Display security and encryption status
Usage:
Examples:
offline-info-network
Display network information
Usage:
Examples:
offline-info-user
Display user information
Usage:
Examples:
offline-info-storage
Display storage information
Usage:
Examples:
offline-info-services
Display system services information
Usage:
Examples:
offline-info-all
Display all system information
Usage:
Examples:
ping
Ping a random privacy-respecting target and return latency
Usage:
Examples:
process-age
Get process uptime for VPN or Tor
Usage:
Examples:
System Information & Offline Actions
offline-bluetooth
Enable/disable/check Bluetooth service
Usage:
Examples:
offline-wifi
Manage WiFi connectivity
Usage:
Examples:
offline-usb-storage
Manage USB storage devices
Usage:
Examples:
offline-webcam
Manage webcam device
Usage:
Examples:
offline-microphone
Manage microphone device
Usage:
Examples:
offline-systemlogs
Manage system logging
Usage:
Examples:
offline-cups
Manage CUPS printing service
Usage:
Examples:
offline-networkmanager
Manage NetworkManager service
Usage:
Examples:
offline-numlock
Manage NumLock configuration
Usage:
Examples:
offline-cmdhistory
Manage command history
Usage:
Examples:
offline-autologin
Enable/disable/check auto-login functionality
Usage:
Examples:
offline-screen-lock
Manage screen locking
Usage:
Examples:
offline-fdlimit
Enable/disable/check file descriptor limits
Usage:
Examples:
offline-netoptimize
Enable/disable/check network optimization
Usage:
Examples:
offline-bbr
Enable/disable/check BBR congestion control
Usage:
Examples:
offline-ifspeed
Enable/disable/check interface speed optimization
Usage:
Examples:
offline-avahi
Manage Avahi daemon service
Usage:
Examples:
offline-modem-manager
Manage ModemManager service
Usage:
Examples:
offline-ssh
Manage SSH daemon service
Usage:
Examples:
offline-apache
Manage Apache web server service
Usage:
Examples:
offline-nginx
Manage Nginx web server service
Usage:
Examples:
offline-docker
Manage Docker container service
Usage:
Examples:
offline-mysql
Manage MySQL database service
Usage:
Examples:
System Maintenance
auto-updates-enable
Enable automatic security updates
Usage:
Examples:
auto-updates-disable
Disable automatic security updates
Usage:
Examples:
auto-updates-status
Check automatic updates status
Usage:
Examples:
system-maintenance-enable
Enable system maintenance settings
Usage:
Examples:
system-maintenance-disable
Disable system maintenance settings
Usage:
Examples:
system-maintenance-status
Check system maintenance status
Usage:
Examples:
password-policy-enable
Enable password policy enforcement
Usage:
Examples:
password-policy-disable
Disable password policy enforcement
Usage:
Examples:
password-policy-status
Check password policy status
Usage:
Examples:
user-security-enable
Enable user security hardening
Usage:
Examples:
user-security-disable
Disable user security hardening
Usage:
Examples:
user-security-status
Check user security status
Usage:
Examples:
2fa-enable
Enable two-factor authentication
Usage:
Examples:
2fa-disable
Disable two-factor authentication
Usage:
Examples:
2fa-status
Check two-factor authentication status
Usage:
Examples:
check-and-install
Check and install required packages
Usage:
Examples:
check-and-install-do
Execute installation after checking dependencies
Usage:
Examples:
package-cleanup
Clean up unnecessary packages
Usage:
Examples:
clear-cache
Clear system memory caches
Usage:
Examples:
System Recovery
fix-sudo
Fix broken sudo permissions (uses pkexec/su, no sudo required)
Usage:
Examples:
check-sudo
Check sudo installation status and permissions
Usage:
Examples:
USB Security
usb-status
Check USB Guard protection status
Usage:
Examples:
usb-guard-enable
Enable USB Guard protection
Usage:
Examples:
usb-guard-disable
Disable USB Guard protection
Usage:
Examples:
usb-policy
Manage USB device policies
Usage:
Examples:
usb-monitor
Monitor USB device connections in real-time
Usage:
Examples:
usb-history
View USB device connection history
Usage:
Examples:
usb-whitelist
Manage USB device whitelist
Usage:
Examples:
Operational Scenarios
Scenario-oriented workflows generated from the binary's built-in -e --json examples.
Scenario 1: Network Connectivity
Test network connectivity and configuration
Step 1: Test both IP and domain connectivity (DNS only)
Expected Output: Network connectivity status
Step 2: Test IP and domain connectivity including HTTP
Expected Output: HTTP connectivity test results
Step 3: Network check with JSON output for automation
Expected Output: JSON formatted network status
Step 4: HTTP network check with JSON output
Expected Output: JSON formatted HTTP connectivity results
Step 5: Check IP connectivity only, skip DNS checks
Expected Output: IP connectivity test results
Step 6: Check domain connectivity only, skip IP ping
Expected Output: Domain connectivity test results
Step 7: Use custom timeout for network checks
Expected Output: Network check with 15 second timeout
Step 8: IP-only connectivity check with JSON output
Expected Output: JSON formatted IP connectivity results
Step 9: Domain-only connectivity check with custom timeout
Expected Output: Domain connectivity test with 20 second timeout
Step 10: Show IPs used for connectivity testing
Expected Output: List of test IP addresses
Step 11: Show domains used for connectivity testing
Expected Output: List of test domain names
Scenario 2: Internet Traffic Control
Block and unblock internet traffic
Step 1: Block internet using auto-detected method (tries nftables, then iptables, then UFW, then interfaces)
Expected Output: Internet blocked successfully
Note
Without --method specified, health-control automatically selects the best available method
Step 2: Block using iptables firewall rules
Expected Output: Iptables rules applied successfully
Step 3: Block using nftables firewall rules (preferred modern firewall)
Expected Output: Nftables rules applied successfully
Step 4: Block using UFW (Uncomplicated Firewall)
Expected Output: UFW rules applied successfully
Step 5: Block by disabling network interfaces
Expected Output: Network interfaces disabled successfully
Step 6: Block using ALL methods (UFW, nftables, iptables, and interfaces)
Expected Output: All blocking methods applied successfully
Note
Applies all available blocking methods for maximum security
Step 7: Block internet but allow local network traffic
Expected Output: Internet blocked, local traffic allowed
Step 8: Block internet with JSON output
Expected Output: JSON formatted blocking status
Step 9: Block internet with iptables, allow local, JSON output
Expected Output: JSON formatted blocking status with details
Step 10: Block using ALL methods but allow local network traffic
Expected Output: All blocking methods applied, local traffic allowed
Step 11: Unblock internet traffic
Expected Output: Internet unblocked successfully
Step 12: Unblock using nftables specifically
Expected Output: Internet unblocked using nftables
Step 13: Unblock using iptables specifically
Expected Output: Internet unblocked using iptables
Step 14: Unblock using UFW specifically
Expected Output: Internet unblocked using UFW
Step 15: Unblock ALL methods (clears UFW, nftables, iptables, and re-enables interfaces)
Expected Output: All blocking methods cleared successfully
Note
Ensures complete restoration by clearing all possible blocks
Step 16: Unblock internet with JSON output
Expected Output: JSON formatted unblocking status
Step 17: Check current internet blocking status
Expected Output: Internet traffic status
Step 18: Check if internet traffic is blocked with JSON output
Expected Output: JSON formatted block status
Step 19: ARM the emergency kill switch - sets system to high-alert monitoring mode
Expected Output: Kill switch ARMED - Monitoring mode active
Note
MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:
• NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections
• FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications
• PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns
• AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)
• SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering
Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
Step 20: DISARM kill switch monitoring
Expected Output: Kill switch DISARMED
Note
Stops monitoring mode. Use after threat has passed or false alarm.
Step 21: Check if monitoring is armed/disarmed
Expected Output: Shows armed status, trigger count, armed time
Note
READ-ONLY: Just displays current state, takes no action
Step 22: IMMEDIATELY activate kill switch (default: medium panic)
Expected Output: KILL SWITCH ACTIVATED - emergency procedures executed
Note
IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard
Step 23: IMMEDIATE soft panic (NO confirmation)
Expected Output: Soft panic activated
Note
Actions: Kill network, clear clipboard (adaptive: wl-copy/xclip/xsel for Wayland/X11), lock screen. Reversible.
Step 24: IMMEDIATE medium panic (WITH confirmation)
Expected Output: Medium panic activated
Note
Actions: Kill network, terminate processes, clear memory, unmount devices. Requires manual restart.
Step 25: IMMEDIATE hard panic with SHUTDOWN (WITH confirmation)
Expected Output: Hard panic activated - system will shutdown
Note
CRITICAL: Wipes RAM, unmounts all, IMMEDIATE SHUTDOWN. IRREVERSIBLE!
Step 26: Recover from panic mode
Expected Output: System recovered from panic mode
Note
Re-enables network, remounts volumes, restores services
Scenario 3: Watch-Guard Management
Monitor system changes and block internet on triggers
Step 1: Enable watch-guard to block internet if IP changes (VPN protection)
Expected Output: Watch-guard enabled message with initial IP
Note
Blocks internet using nftables if external IP changes
Step 2: Enable watch-guard for timezone changes
Expected Output: Watch-guard enabled with current timezone
Note
Detects system time manipulation attempts
Step 3: Monitor network interfaces for changes
Expected Output: Watch-guard monitoring interface list
Note
Blocks if new interfaces appear or existing ones change
Step 4: Monitor Tor process and block if it dies
Expected Output: Watch-guard watching Tor process count
Note
Ensures no clearnet traffic if Tor crashes
Step 5: Monitor Firefox and use all block methods if it stops
Expected Output: Watch-guard active for Firefox process
Note
Maximum blocking using all available methods
Step 6: Show all active watch-guards and their trigger counts
Expected Output: List of active watch-guards with details
Step 7: Disable IP watch-guard and unblock internet
Expected Output: Watch-guard disabled confirmation
Note
Automatically unblocks internet unless --no-unblock used
Step 8: Disable all watch-guards but keep internet blocked
Expected Output: All watch-guards disabled message
Note
Use when you want manual control over unblocking
Scenario 4: Network Recovery
Diagnose and fix connectivity issues
Step 1: Automatically diagnose and fix connectivity issues
Expected Output: Recovery steps performed and status
Step 2: Include DNS resolution testing and fixes
Expected Output: Recovery with DNS diagnostics
Step 3: Force recovery even if connectivity appears working
Expected Output: Forced recovery completion status
Step 4: Run full internet recovery without desktop/terminal notifications
Expected Output: Recovery runs silently (no notifications)
Note
Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation
Step 5: Fast recovery: bounce interface + restart NetworkManager + DHCP renew
Expected Output: FAST_RECOVER: SUCCESS
Note
Lightweight alternative to recover-internet — tries quick fix before full 9-method recovery
Step 6: Run fast recovery without desktop/terminal notifications
Expected Output: FAST_RECOVER runs silently (no notifications)
Note
Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation
Step 7: Fast recovery with JSON output
Expected Output: JSON envelope with success status and method details
Scenario 5: Timezone Management
Manage system timezone settings
Step 1: Sync timezone based on IP geolocation
Expected Output: Timezone synchronized to detected location
Step 2: Show current system timezone
Expected Output: Current timezone information
Step 3: Set specific timezone
Expected Output: Timezone set to America/New_York
Step 4: Show timezone based on current IP location
Expected Output: Remote location timezone information
Step 5: List all timezone categories
Expected Output: List of timezone categories with counts
Step 6: List all available timezones
Expected Output: Complete list of timezones
Step 7: List African timezones
Expected Output: List of African timezones
Step 8: List American timezones
Expected Output: List of North and South American timezones
Step 9: List Asian timezones
Expected Output: List of Asian timezones
Step 10: List European timezones
Expected Output: List of European timezones
Step 11: List Australian timezones
Expected Output: List of Australian timezones
Step 12: List Pacific timezones
Expected Output: List of Pacific timezones
Step 13: List UTC timezones
Expected Output: List of UTC timezones
Step 14: List timezone categories in JSON format
Expected Output: JSON output of timezone categories
Step 15: Set a random timezone from all available
Expected Output: Timezone set to random value
Note
Requires sudo privileges
Step 16: Set random American timezone
Expected Output: Timezone set to random American timezone
Note
Requires sudo privileges
Step 17: Set random European timezone
Expected Output: Timezone set to random European timezone
Note
Requires sudo privileges
Step 18: Set random Asian timezone
Expected Output: Timezone set to random Asian timezone
Note
Requires sudo privileges
Step 19: Set random African timezone
Expected Output: Timezone set to random African timezone
Note
Requires sudo privileges
Step 20: Set random Pacific timezone with JSON output
Expected Output: JSON output of timezone change
Note
Requires sudo privileges
Scenario 6: MAC Address Management
Change and manage MAC addresses
Step 1: Change MAC addresses for all interfaces
Expected Output: All MAC addresses changed
Step 2: Force change MAC addresses
Expected Output: MAC addresses force-changed
Note
Use when regular change fails
Step 3: Change MAC for specific interface
Expected Output: MAC address changed for eth0
Step 4: Show all network interfaces
Expected Output: List of network interfaces
Step 5: Show current MAC addresses
Expected Output: List of interfaces and MAC addresses
Step 6: Reset all MACs to original values
Expected Output: MAC addresses reset to original
Step 7: Show active network interface
Expected Output: Currently active network interface
Scenario 7: Hostname Management
Get and set system hostname
Step 1: Get current system hostname
Expected Output: Current hostname
Step 2: Get hostname in JSON format
Expected Output: JSON formatted hostname
Step 3: Get the actual logged-in user (handles sudo correctly)
Expected Output: Username of logged-in user
Note
Returns actual user even when run with sudo
Step 4: Get logged user with additional info in JSON format
Expected Output: JSON with username, home directory, and detection method
Step 5: Set default system hostname
Expected Output: Default hostname set
Step 6: Set random hostname for privacy
Expected Output: Random hostname set
Step 7: Set random hostname with JSON output
Expected Output: JSON formatted hostname change result
Step 8: Set custom hostname
Expected Output: Hostname set to MyHost
Step 9: Set descriptive custom hostname
Expected Output: Hostname set to privacy-machine
Step 10: Set custom hostname with JSON output
Expected Output: JSON formatted hostname change result
Step 11: List all hostname categories
Expected Output: List of available hostname categories with counts
Step 12: List all available hostnames
Expected Output: Complete list of all predefined hostnames
Step 13: List Windows hostnames
Expected Output: List of Windows-style hostnames
Step 14: List Linux hostnames
Expected Output: List of Linux distribution hostnames
Step 15: List Apple/Mac hostnames
Expected Output: List of macOS and Apple device hostnames
Step 16: List hostname categories in JSON format
Expected Output: JSON formatted category list with counts
Step 17: Set random hostname from all categories
Expected Output: Random hostname selected and set
Step 18: Set random Windows hostname
Expected Output: Random Windows-style hostname set
Step 19: Set random Linux hostname
Expected Output: Random Linux distribution hostname set
Step 20: Set random fictional hostname with JSON output
Expected Output: Random fictional hostname set with JSON result
Scenario 8: IPv6 Management
Control and monitor IPv6 protocol settings
Step 1: Check current IPv6 configuration status
Expected Output: IPv6 Status: ENABLED/DISABLED with interface details
Note
Shows runtime status, boot config, and active interfaces
Step 2: Disable IPv6 system-wide (sysctl and GRUB)
Expected Output: IPv6 disabled with details of changes applied
Note
Reboot recommended for full effect
Step 3: Enable IPv6 system-wide
Expected Output: IPv6 enabled with details of changes applied
Note
Reboot recommended for full effect
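Steps 2 and 3 recommend a reboot because a sysctl switch changes the running kernel while a GRUB kernel parameter only applies from the next boot. The following added example (not health-control's own code) compares those places and reports when they disagree; the sysctl `net.ipv6.conf.all.disable_ipv6`, the kernel parameter `ipv6.disable=1`, the `/etc/default/grub` path, and the function and verdict names are assumptions about how such a check can be built.

```sh
#!/bin/sh
# Added example: where does the "IPv6 disabled" setting actually live?
# Assumed knobs (the page names only "sysctl and GRUB"): the sysctl
# net.ipv6.conf.all.disable_ipv6 and the kernel parameter ipv6.disable=1
# set through GRUB_CMDLINE_LINUX* in /etc/default/grub.

# Matches ipv6.disable=1 as a whole kernel parameter, not as a substring.
IPV6_OFF_PAT="(^|[[:space:]\"'=])ipv6\\.disable=1([[:space:]\"']|\$)"

# ipv6_state [ROOT]
# ROOT is a filesystem prefix: empty on a live system, a scratch directory
# when testing. Prints one line:
#   runtime=<enabled|disabled|no-stack> booted=<enabled|disabled>
#   nextboot=<enabled|disabled|unknown> verdict=<...>
ipv6_state() {
  root="${1:-}"
  sysctl_file="$root/proc/sys/net/ipv6/conf/all/disable_ipv6"
  cmdline_file="$root/proc/cmdline"
  grub_file="$root/etc/default/grub"

  # Runtime: what the running kernel does right now.
  if [ ! -e "$sysctl_file" ]; then
    runtime="no-stack"      # no IPv6 sysctl tree: the stack is not active
  elif [ "$(cat "$sysctl_file")" = "1" ]; then
    runtime="disabled"
  else
    runtime="enabled"
  fi

  # Booted: the parameters the running kernel was started with.
  if grep -Eq "$IPV6_OFF_PAT" "$cmdline_file" 2>/dev/null; then
    booted="disabled"
  else
    booted="enabled"
  fi

  # Next boot: what GRUB is configured to pass. Commented-out lines are
  # ignored; a live image without /etc/default/grub reports "unknown".
  if [ ! -r "$grub_file" ]; then
    nextboot="unknown"
  elif grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$grub_file" \
       | grep -Eq "$IPV6_OFF_PAT"; then
    nextboot="disabled"
  else
    nextboot="enabled"
  fi

  if [ "$nextboot" != "unknown" ] && [ "$nextboot" != "$booted" ]; then
    verdict="reboot-pending"   # GRUB was changed, kernel not yet restarted
  elif [ "$runtime" = "enabled" ]; then
    verdict="enabled"
  elif [ "$booted" = "disabled" ]; then
    verdict="disabled"         # off at boot level
  else
    verdict="runtime-only"     # sysctl says off, boot configuration does not
  fi

  echo "runtime=$runtime booted=$booted nextboot=$nextboot verdict=$verdict"
}

# Stand-alone run against the live system.
ipv6_state
```

A `runtime-only` verdict means the setting depends on the sysctl being reapplied after every boot, which is the gap the reboot recommendation covers.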
Step 4: Get detailed IPv6 status in JSON format
Expected Output: Complete IPv6 configuration including runtime, boot config, and interfaces
Scenario 9: Security Hardening
Apply and verify comprehensive security settings (7 modules: kernel, process, filesystem, network, memory, monitoring, sandboxing)
Step 1: Apply standard security hardening (network-safe): kernel hardening, process isolation, filesystem security, memory protection, monitoring, sandboxing - PRESERVES internet connectivity
Expected Output: Security hardening completed (network connectivity preserved)
Note
Standard profile maintains system usability and network connectivity
Step 2: Apply PARANOID profile - WARNING: WILL BREAK INTERNET CONNECTIVITY: All hardening PLUS network isolation, DNS blocking, disabled IP forwarding
Expected Output: Paranoid security applied (network isolated)
Note
⚠️ INTERNET CONNECTIVITY DISABLED - To recover: sudo health-control recover-internet
Step 3: Apply paranoid profile plus break-monitoring mode: forces /sys/class/net to root-only and breaks non-root monitoring tools (btop/conky/dashboard)
Expected Output: Paranoid hardening applied with monitoring intentionally restricted
Note
⚠️ ALSO BREAKS NON-ROOT MONITORING - Use only when this behavior is explicitly required
Step 4: Check if all 7 security modules are enabled and properly configured
Expected Output: Shows each module: ENABLED/DISABLED and configuration status
Note
Use after security-harden to verify settings are applied
Step 5: Apply only specific modules (kernel sysctl and network firewall)
Expected Output: Applied 2 modules: kernel and network hardening
Note
Modules: kernel, process, filesystem, network, memory, monitoring, sandboxing
Step 6: Temporarily revert security hardening (keeps framework ready for quick re-hardening)
Expected Output: Security recovery completed - modules show 'ENABLED (needs configuration)'
Note
Use for troubleshooting. Framework remains enabled for easy re-hardening with security-harden.
Step 7: Recover only specific security modules
Expected Output: Selected modules recovered
Note
Available modules: kernel, filesystem, network, memory, monitoring, smt
Step 8: Completely disable all security modules and framework (permanent removal)
Expected Output: All modules show 'DISABLED' - framework completely removed
Note
WARNING: Unlike security-recover, this permanently disables the framework. Requires rebuilding to re-enable.
Step 9: Reset security framework without confirmation prompt
Expected Output: Security framework completely disabled
Note
Use --force to skip the confirmation prompt in automation scripts
Step 10: Enable system security monitoring (auditd, LKRG, file integrity, auth events)
Expected Output: Security monitoring enabled
Note
Enables auditd for system call auditing, LKRG for kernel integrity, file integrity monitoring (AIDE/Tripwire), and auth event logging
Step 11: Disable system security monitoring services
Expected Output: Security monitoring disabled
Note
Stops all security monitoring services - reduces system overhead but decreases security visibility
Step 12: Check current system security monitoring status
Expected Output: Security monitoring status details
Note
Shows status of auditd, LKRG, AIDE, and auth logging - helps verify which monitoring services are active
Step 13: Enable Tirdad kernel module for TCP ISN randomization (prevents OS fingerprinting)
Expected Output: Tirdad enabled successfully
Note
Randomizes TCP Initial Sequence Numbers to prevent remote OS fingerprinting attacks and TCP sequence prediction
Step 14: Disable Tirdad TCP ISN randomization module
Expected Output: Tirdad disabled successfully
Note
Restores default TCP ISN generation - may make system identifiable via network fingerprinting
Step 15: Check Tirdad TCP ISN randomization module status
Expected Output: Tirdad status: ENABLED/DISABLED
Note
Shows if kernel module is loaded and TCP ISN randomization is active
Step 16: Check disk encryption status
Expected Output: Disk encryption configuration
Note
Displays LUKS encryption status for all disks, cipher algorithms, and key slot usage
Step 17: List all USB devices
Expected Output: Connected USB devices
Note
Shows all connected USB devices with vendor/product IDs for security auditing
Step 18: Create unencrypted live-boot persistence media
Expected Output: Debian live-boot persistence media created successfully
Note
Creates a 4GB unencrypted ext4 persistence image named 'persistence' with a root persistence.conf of '/ union' so /opt, /etc, and other system paths survive reboots on Kodachi live USBs. Use --encrypted for LUKS encryption or --size to change size.
Step 19: Create encrypted persistence (interactive)
Expected Output: Encrypted persistence media created
Note
Creates LUKS2-encrypted Debian live-boot persistence media named 'persistence' and writes '/ union' to persistence.conf. Secure method - password not visible in history.
Step 20: Create encrypted persistence (CLI password)
Expected Output: Encrypted persistence media created
Note
⚠️ INSECURE: Password visible in shell history! Shows security warnings. Use interactive mode instead.
Step 21: Show overall encryption status
Expected Output: System encryption status report
Note
Comprehensive report of all encryption: disks, swap, home directories, and key management
Scenario 10: System Health & Security Tools
Monitor system health and run security audits
Step 1: Perform comprehensive system security audit
Expected Output: System audit status report
Step 2: Scan system for rootkits
Expected Output: Rootkit scan results
Step 3: Check system security status
Expected Output: JSON formatted security status info
Step 4: Run comprehensive Lynis security audit
Expected Output: Complete Lynis audit report
Note
Comprehensive security assessment
Step 5: Check Lynis installation and status
Expected Output: Lynis service status
Step 6: Initialize AIDE database
Expected Output: AIDE database created successfully
Note
First time setup required
Step 7: Check file integrity with AIDE
Expected Output: File integrity check results
Step 8: Check kloak keystroke anonymization status
Expected Output: Kloak service status and configuration
Step 9: Enable kloak keystroke anonymization
Expected Output: Kloak enabled successfully
Step 10: Disable kloak keystroke anonymization
Expected Output: Kloak disabled successfully
Scenario 11: LUKS Nuke & Data Destruction
LUKS nuke passwords for emergency data destruction
Step 1: List all LUKS devices and nuke password status
Expected Output: LUKS device status and configuration
Note
Shows which devices have nuke passwords configured
Step 2: ⚠️ STEP 1: Check current nuke status for target device
Expected Output: Current LUKS nuke configuration status for /dev/sda5
Note
⚠️ ALWAYS backup header BEFORE configuring nuke password. This status check helps confirm current device state before changes.
Step 3: ⚠️ STEP 2: Configure nuke password (DATA DESTRUCTION FEATURE)
sudo health-control luks-nuke --action configure --device /dev/sda5 --password 'StrongNukePassword123!'
Note
⚠️ CRITICAL WARNING: This creates a password that will PERMANENTLY DESTROY all data on /dev/sda5 when entered! Use only if you understand the consequences. Requires header backup from STEP 1. Password must be strong (12+ chars, mixed case, numbers, symbols). Avoid obvious words like 'nuke', 'destroy', 'emergency'.
Step 4: Remove nuke password from device
Expected Output: Nuke password removed from keyslot 7
Note
Removes the data destruction feature from the device. You will be prompted to confirm which keyslot to remove (usually keyslot 7). Requires current LUKS password.
Step 5: ⚠️ EMERGENCY: Restore LUKS header after nuke password was used
Expected Output: LUKS header restored from backup
Note
⚠️ USE ONLY IF nuke password was accidentally used! This restores the LUKS header from your encrypted backup. You MUST have created a header backup BEFORE the nuke password was triggered. After restoration, you can unlock the device with your original LUKS password. Without a backup, data is PERMANENTLY LOST.
Scenario 12: Emergency Nuke Operations
Full system data destruction for emergency situations. IRREVERSIBLE - use with extreme caution.
Step 1: ⚠️ TEST MODE: Preview what would be destroyed without actually wiping
Expected Output: [DRY_RUN] messages showing all files/directories that would be wiped
Note
ALWAYS test with --dry-run first! Shows exactly what will be destroyed including: SSH keys, GPG keys, crypto wallets, browser data, messaging apps, email, documents, and system logs.
Step 2: Fast wipe mode (1-pass) - quickest destruction (~27 seconds)
Expected Output: Fast wipe simulation with single-pass overwrite
Note
Best for SSDs where multi-pass is ineffective. Uses blkdiscard for SSDs, single shred pass for HDDs.
Step 3: Secure wipe mode (3-pass DoD) - balanced security (~45 seconds)
Expected Output: Secure wipe simulation with 3-pass DoD standard
Note
DEFAULT mode. 3-pass overwrite following DoD 5220.22-M standard. Good balance of speed and security for HDDs.
Step 4: Paranoid wipe mode (7-pass) - maximum security (~60 seconds)
Expected Output: Paranoid wipe simulation with 7-pass Gutmann-style
Note
Maximum security. 7-pass overwrite. Also wipes boot sector, GRUB, kernel, initrd, and MBR. System will be unbootable.
Step 5: ⚠️ DANGER: Execute REAL fast wipe - DESTROYS ALL DATA
Expected Output: Data destruction in progress... System will reboot when complete.
Note
⚠️ IRREVERSIBLE! This PERMANENTLY DESTROYS: ~/.ssh, ~/.gnupg, crypto wallets (Bitcoin/Monero/Electrum), all browsers, Signal/Telegram/Discord, Thunderbird, Documents/Downloads/Desktop, AWS/Docker/Kube credentials, bash history, system logs. System forces reboot after completion.
Step 6: Check current nuke operation progress
Expected Output: Phase: 5 - browser_data, Complete: false, Active: true
Note
Monitor ongoing destruction progress. Shows current phase, completion status, and any errors.
Step 7: Detect storage type for optimal wipe method
Expected Output: Device: /dev/sda, Storage Type: SSD
Note
Detects if device is SSD, HDD, or NVMe. SSDs use blkdiscard (instant secure erase), HDDs use shred (multi-pass overwrite), NVMe uses nvme format command.
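The detection described in Step 7, as an added example that is not health-control's code: it reads the kernel's sysfs attributes, resolves a partition such as /dev/sda5 to its parent disk first, and returns the tool the note pairs with each type. The function names and the optional sysfs-root argument are assumptions; the example only classifies and never touches the device.

```sh
#!/bin/sh
# Added example: classify a block device as SSD, HDD or NVMe from sysfs.
# Read-only. Function names and the SYSFS_ROOT argument are assumptions.

# storage_type DEVICE [SYSFS_ROOT]
# DEVICE may be "sda", "/dev/sda" or a partition such as "/dev/sda5".
# Prints SSD, HDD, NVMe or unknown; returns non-zero for unknown.
storage_type() {
  name="${1#/dev/}"
  sys="${2:-/sys}"
  node="$sys/class/block/$name"
  [ -e "$node" ] || { echo "unknown"; return 1; }

  # Partitions carry a "partition" attribute and have no queue/ directory.
  # In the resolved sysfs path the parent directory is the whole disk, so
  # sda5 resolves to sda and nvme0n1p1 resolves to nvme0n1.
  if [ -e "$node/partition" ]; then
    name=$(basename "$(dirname "$(readlink -f "$node")")")
    node="$sys/class/block/$name"
  fi

  # NVMe namespaces also report rotational=0, so test the name first.
  case "$name" in
    nvme*) echo "NVMe"; return 0 ;;
  esac

  # queue/rotational is what the kernel was told about the medium. A drive
  # behind a USB bridge or a virtual disk can report a value that does not
  # match the physical medium, so treat the answer as a hint.
  rot=$(cat "$node/queue/rotational" 2>/dev/null) || { echo "unknown"; return 1; }
  case "$rot" in
    0) echo "SSD" ;;
    1) echo "HDD" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# sanitize_tool_for DEVICE [SYSFS_ROOT]
# Maps the detected type to the tool named in the note above.
sanitize_tool_for() {
  case "$(storage_type "$@")" in
    SSD)  echo "blkdiscard" ;;
    HDD)  echo "shred" ;;
    NVMe) echo "nvme format" ;;
    *)    echo "none"; return 1 ;;
  esac
}

# Stand-alone run: classify /dev/sda (prints "unknown" if it does not exist).
storage_type /dev/sda || true
```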
Scenario 13: USB & Device Security
Complete USB security management - device listing, USBGuard policies, storage control, and monitoring
Step 1: List all connected USB devices
Expected Output: USB device list with security status
Step 2: Check USB storage module status (all 4 layers)
Expected Output: Modules loaded: yes/no, Blacklist exists: yes/no, USBGuard active: yes/no, Authorized devices: N
Note
Shows complete status of all USB storage control layers
Step 3: Enable USB storage completely (recommended)
Expected Output: USB storage enabled successfully - All layers configured
Note
Handles ALL 4 layers: Removes blacklist, loads modules, authorizes devices, integrates with USBGuard.
Your USB drives should appear immediately in 'lsblk' after this command.
Step 4: Enable USB storage with detailed layer-by-layer output
Expected Output: Shows: modules loaded → devices authorized → USBGuard integration → udev triggered
Note
Use verbose mode to see exactly what happens at each layer
Step 5: Disable USB storage completely (security lockdown)
Expected Output: USB storage disabled successfully - All layers configured
Note
Blocks USB storage at all 4 layers: deauthorizes devices, blocks in USBGuard, unloads modules, creates blacklist
Step 6: Enable USB Guard protection service
Expected Output: USB Guard enabled successfully
Note
⚠️ This only enables USBGuard service - does NOT enable USB storage modules!
If USB storage modules are blocked, your drives won't appear even with USBGuard enabled. Use 'offline-usb-storage --action enable' for complete access.
Step 7: Disable USB Guard protection service
Expected Output: USB Guard disabled successfully
Note
Disables USBGuard service but does NOT affect USB storage modules.
Storage modules may still be blocked separately.
Step 8: Add USB device to USBGuard allow policy
Expected Output: USB device policy added
Note
Use lsusb to find device IDs. This manages USBGuard policy only.
Device must also be authorized at kernel level (handled by offline-usb-storage).
Step 9: List all USB policies in USBGuard
Expected Output: Current USB device policies
Step 10: Check USB security policies
Expected Output: USB security policy assessment
Step 11: Start USB device monitoring
Expected Output: USB monitoring started
Step 12: View USB device history for last 7 days
Expected Output: USB device connection history
Scenario 14: Data Destruction & Secure Wiping
Secure data wiping procedures
Step 1: Securely wipe file with 7 passes
Expected Output: File securely wiped and unrecoverable
Note
Multiple passes increase security
Step 2: Securely wipe entire directory
Expected Output: Directory and contents wiped securely
Note
All files in directory will be destroyed
Step 3: Wipe free space on device
Expected Output: Free space wiped securely
Note
Prevents recovery of deleted files
Step 4: Wipe system and application logs
Expected Output: Logs wiped successfully
Note
Removes log file traces
Step 5: Wipe browser history and data
Expected Output: Browser data wiped
Note
Removes browsing history and cache
Step 6: Schedule automatic temporary file wiping daily
Expected Output: File wipe scheduled successfully
Note
Automatically wipes temp files based on frequency
Step 7: Wipe all temporary files matching pattern
Expected Output: Files matching pattern wiped
Note
Uses glob patterns to match files for wiping
Step 8: Verify file has been securely wiped
Expected Output: File wipe verification results
Step 9: Batch wipe multiple files with 7 passes
Expected Output: Batch file wiping completed
Note
Space-separated file paths
Scenario 15: System Maintenance & Updates
Automated updates, password policies, and system maintenance
Step 1: Enable automatic security updates
Expected Output: Automatic security updates enabled
Step 2: Disable automatic updates
Expected Output: Automatic updates disabled
Step 3: Check automatic updates status
Expected Output: Auto-updates configuration status
Step 4: Enable strong password policy
Expected Output: Strong password policy enforced
Step 5: Disable strong password policy
Expected Output: Password policy disabled
Step 6: Enable user security checks
Expected Output: User security policies enabled
Step 7: Enable 2FA for specific user
Expected Output: Two-factor authentication enabled
Step 8: Disable 2FA for user
Expected Output: Two-factor authentication disabled
Step 9: Enable automatic system maintenance
Expected Output: System maintenance automation enabled
Step 10: Clean up unnecessary packages
Expected Output: System packages cleaned and optimized
Step 11: Check password policy status
Expected Output: Current password policy configuration
Step 12: Disable user security checks
Expected Output: User security policies disabled
Step 13: Check user security status
Expected Output: User security configuration status
Step 14: Check 2FA status for users
Expected Output: Two-factor authentication status
Step 15: Disable automatic system maintenance
Expected Output: System maintenance automation disabled
Step 16: Check system maintenance status
Expected Output: System maintenance configuration status
Scenario 16: System Control & Notifications
System configuration and control operations
Step 1: Play system alert sound
Expected Output: Sound played successfully
Step 2: Play success notification sound
Expected Output: Success sound played
Step 3: Play warning sound in MP3 format
Expected Output: Warning sound played in MP3
Step 4: Play alert sound with debug output
Expected Output: Alert sound played with debug info
Step 5: Send system notification
Expected Output: Notification sent successfully
Step 6: Send basic notification message
Expected Output: Notification sent successfully
Step 7: Send notification with message body
Expected Output: Detailed notification sent
Step 8: Send critical notification with 30 second duration
Expected Output: Critical notification sent
Step 9: Send notification with custom icon
Expected Output: Notification with icon sent
Scenario 17: Emergency Operations - Kill Switch & Panic Modes
Emergency security measures with two modes: MONITORING (arm/disarm) prepares for threats, IMMEDIATE (panic/activate) executes emergency procedures
Step 1: ARM kill switch monitoring (preparation mode)
Expected Output: Kill switch ARMED - Monitoring mode active
Note
MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:
• NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections
• FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications
• PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns
• AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)
• SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering
Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
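The AUTH MONITORING item above counts failed logins in /var/log/auth.log against a threshold of 5. The following added example (not health-control's own code) shows that kind of threshold detection over constructed sshd log lines; counting per source address and matching only sshd "Failed password" lines are assumptions, since the page states only the log path and the threshold.

```sh
#!/bin/sh
# Added example: threshold detection over auth.log-style lines.
# Assumptions: only sshd "Failed password" lines are counted, and they are
# counted per source address. The page states only the log path and the
# threshold of 5 failures.

# Constructed sample input (documentation-range addresses, made-up host name).
sample_auth_log() {
  cat <<'EOF'
Mar 23 08:01:10 kodachi sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 23 08:01:12 kodachi sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 23 08:01:15 kodachi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 23 08:01:19 kodachi sshd[1205]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.9 port 51000 ssh2
Mar 23 08:01:21 kodachi sshd[1207]: Failed password for kodachi from 203.0.113.7 port 40141 ssh2
Mar 23 08:01:30 kodachi sshd[1209]: Accepted password for kodachi from 192.0.2.10 port 50022 ssh2
Mar 23 08:01:33 kodachi sshd[1211]: Failed password for root from 198.51.100.9 port 51012 ssh2
Mar 23 08:01:40 kodachi sshd[1213]: Failed password for root from 203.0.113.7 port 40150 ssh2
EOF
}

# failed_login_sources [THRESHOLD]
# Reads log lines on stdin and prints "<source> <count>" for every source
# whose failure count is at or above THRESHOLD (default 5), sorted by source.
failed_login_sources() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for / {
      # The line always ends "... from <addr> port <n> ssh2", so search for
      # "from" starting at the end. A client-supplied user name such as
      # "x from 192.0.2.1" then cannot shift the address that gets counted.
      for (i = NF; i > 1; i--) {
        if ($(i - 1) == "from") { count[$i]++; break }
      }
    }
    END {
      for (src in count) if (count[src] >= t) print src, count[src]
    }
  ' | sort
}

# Stand-alone run: report sources that reach the threshold of 5.
sample_auth_log | failed_login_sources 5
```

On the sample, only 203.0.113.7 reaches the threshold; the address embedded in the fourth line's user name is never counted.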
Step 2: DISARM kill switch monitoring
Expected Output: Kill switch DISARMED
Note
Stops monitoring mode. Use after threat has passed or false alarm.
Step 3: Check if monitoring is armed/disarmed
Expected Output: Shows armed status, trigger count, armed time
Note
READ-ONLY: Just displays current state, takes no action
Step 4: IMMEDIATELY activate kill switch (default: medium panic)
Expected Output: KILL SWITCH ACTIVATED - emergency procedures executed
Note
IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard
Step 5: IMMEDIATE soft panic (NO confirmation)
Expected Output: Network killed, clipboard cleared (adaptive: Wayland/X11), screen locked
Note
INSTANT: Kill network + clear clipboard (wl-copy/xclip/xsel) + lock screen. Reversible. Good for quick privacy.
Step 6: IMMEDIATE medium panic (requires confirmation)
Expected Output: Panic mode activated after confirmation
Note
WITH CONFIRMATION: Kill network + clear clipboard (adaptive: wl-copy/xclip/xsel) + terminate processes + clear memory + unmount devices + lock screen (6 actions). Requires manual restart to restore.
Step 7: IMMEDIATE hard panic (double confirmation)
Expected Output: System shutdown initiated
Note
CRITICAL - DOUBLE CONFIRM: All medium actions + RAM wipe + IMMEDIATE shutdown (7 actions total). IRREVERSIBLE! System shuts down NOW!
Step 8: Create recovery checkpoint BEFORE panic
Expected Output: Recovery point created
Note
Create BEFORE activating panic modes. Allows restoration of configs after emergency.
Step 9: Restore system after panic activation
Expected Output: System recovered from panic mode
Note
Use AFTER panic to restore normal operation. Restarts services, fixes permissions.
Step 10: Configure panic response to paranoid security level
Expected Output: Panic profile set: paranoid Actions configured: 12
Note
PROFILE MODES:
• STEALTH: Light response (network blocking only, preserve user data)
• PARANOID: Maximum security (network kill, data wipe, process termination, interface shutdown)
• RECOVERY: System restoration (restart services, fix permissions, restore connectivity)
Profile determines automatic actions when panic mode triggers. Use 'kill-switch-activate' to manually trigger the configured profile.
Step 11: Kill specific network interface
Expected Output: Network interface eth0 terminated
Note
Selective network isolation
Step 12: Terminate specific process immediately
Expected Output: Process firefox terminated
Note
Emergency process termination
Scenario 18: Storage Encryption & Secure Containers
Storage device encryption, secure wiping, LUKS encrypted containers, and volume management
Step 1: List all storage devices with safety indicators (SAFE/CAUTION/DANGER)
Expected Output: Shows devices categorized by safety level for persistence operations
Note
Use BEFORE creating persistence to identify safe devices. Protects against accidental system drive formatting.
Step 2: List all storage devices including loop and ram devices
Expected Output: Complete device inventory with safety categorization including virtual devices
Step 3: Check if specific device is safe for persistence operations
Expected Output: Returns safety level: SAFE, CAUTION, or DANGER with detailed warnings
Note
Validates device before destructive operations. Prevents accidental system drive formatting.
Step 4: Encrypt storage device
Expected Output: Storage device encrypted successfully
Note
Backup data before encryption
Step 5: Securely wipe storage device
Expected Output: Storage device wiped securely
Note
Data will be permanently destroyed
Step 6: Create encrypted container (500MB)
Expected Output: Encrypted container created successfully
Note
Creates LUKS2-encrypted container file. You'll be prompted for password interactively.
Container file path is positional argument (not --output).
Step 7: Create small encrypted container (100MB)
Expected Output: Container created: /tmp/secure.img, Size: 100 MB
Note
Smaller size for testing. Password will be prompted.
Step 8: Mount encrypted container
Expected Output: Container mounted successfully
Note
You'll be prompted for the container password.
Mount point will be created automatically if it doesn't exist.
Step 9: Unmount encrypted container
Expected Output: Container unmounted: /mnt/secure
Note
Automatically closes the LUKS mapper device.
Scenario 19: Security Assessment & Scoring
Security scoring and reporting
Step 1: Calculate overall security score
Expected Output: Shows score (0-100), security level (Critical/Poor/Fair/Good/Excellent), and actionable fixes
Step 2: Get security score in JSON format
Expected Output: Full JSON with category breakdowns (Core/Network/Hardening/Device/Advanced), individual check scores, and specific remediation commands
Step 3: Generate comprehensive security report
Expected Output: Detailed security assessment report
Step 4: Generate security report in JSON format
Expected Output: JSON formatted security report
Step 5: View security score history for last 30 days
Expected Output: Security score trends and historical data
Note
Shows security improvements over time
Step 6: View last 7 days security history in JSON
Expected Output: JSON formatted security history
Step 7: Review security fixes before applying
Expected Output: Security fix recommendations displayed
Note
Manual review mode for security fixes
Scenario 20: Hardware Security
Hardware-level security features
Step 1: Verify hardware random number generator
Expected Output: Hardware RNG status and quality
Note
Checks if hardware RNG is available and functioning properly for cryptographic operations
Step 2: Check system entropy status
Expected Output: Entropy pool status and quality
Note
Monitors available entropy for secure random number generation, critical for encryption
Step 3: Check boot integrity
Expected Output: Boot integrity verification results
Note
Verifies boot process integrity to detect tampering or unauthorized modifications to bootloader/kernel
Scenario 21: System Information & Offline Actions
System information, diagnostics, and hardware/service management
Step 1: Display comprehensive system information
Expected Output: Complete system details and configuration
Step 2: Display hardware information
Expected Output: Hardware components and specifications
Step 3: Display hardware information in JSON
Expected Output: JSON formatted hardware details
Step 4: Display process information
Expected Output: Running processes and resource usage
Step 5: Display security configuration
Expected Output: Security settings and status
Step 6: Display network configuration
Expected Output: Network interfaces and settings
Step 7: Display user information
Expected Output: User accounts and permissions
Step 8: Display storage information
Expected Output: Disk usage and filesystem details
Step 9: Display services information
Expected Output: System services status
Step 10: Display all system information
Expected Output: Complete system information report
Step 11: Check Bluetooth status
Expected Output: Bluetooth status: enabled/disabled
Step 12: Enable Bluetooth service
Expected Output: Bluetooth enabled successfully
Step 13: Disable Bluetooth service
Expected Output: Bluetooth disabled successfully
Step 14: Check WiFi status
Expected Output: WiFi status: enabled/disabled
Step 15: Enable WiFi service
Expected Output: WiFi enabled successfully
Step 16: Disable WiFi with persistent blacklisting
Expected Output: WiFi disabled and blacklisted
Step 17: Check webcam status
Expected Output: Webcam status: enabled/disabled
Step 18: Enable webcam devices
Expected Output: Webcam access enabled
Step 19: Disable webcam devices
Expected Output: Webcam access disabled
Step 20: Check microphone status
Expected Output: Microphone status: enabled/disabled
Step 21: Enable microphone devices
Expected Output: Microphone access enabled
Step 22: Disable microphone devices
Expected Output: Microphone access disabled
Step 23: Enable automatic screen lock
Expected Output: Screen lock enabled
Step 24: Disable system logging
Expected Output: System logging disabled
Step 25: Disable CUPS printing service
Expected Output: CUPS printing disabled
Step 26: Disable NetworkManager
Expected Output: NetworkManager disabled
Step 27: Enable NumLock on boot
Expected Output: NumLock enabled on boot
Step 28: Disable command history logging
Expected Output: Command history disabled
Step 29: Disable automatic login
Expected Output: Automatic login disabled
Step 30: Set file descriptor limits
Expected Output: File descriptor limit set
Step 31: Enable network optimizations
Expected Output: Network optimizations enabled
Step 32: Enable BBR congestion control
Expected Output: BBR congestion control enabled
Step 33: Configure interface speed
Expected Output: Interface speed configured
Step 34: Disable Avahi service discovery
Expected Output: Avahi service disabled
Note: Supported services: avahi, modem-manager, ssh, apache, nginx, docker, mysql, postgresql
Step 35: Disable ModemManager service
Expected Output: ModemManager disabled
Step 36: Enable SSH service
Expected Output: SSH service enabled
Step 37: Disable Apache web server
Expected Output: Apache web server disabled
Step 38: Disable Nginx web server
Expected Output: Nginx web server disabled
Step 39: Disable Docker service
Expected Output: Docker service disabled
Step 40: Disable MySQL database service
Expected Output: MySQL service disabled
Step 41: Disable PostgreSQL database service
Expected Output: PostgreSQL service disabled
Step 42: Enable USB storage devices
Expected Output: USB storage access enabled
Step 43: Disable USB storage devices
Expected Output: USB storage access blocked
Scenario 22: Password Generation
Generate secure passwords using multiple methods with batch support (auto-detects installed packages)
Step 1: Generate one password using all three methods
Expected Output: Three passwords (pass, pwgen, xkcdpass)
Note: Automatically uses system packages if available, falls back to native implementations
Step 2: Generate 10 random passwords using pwgen method
Expected Output: 10 random passwords
Note: Use --count for batch generation; max 1000 per method
Step 3: Generate 50 memorable XKCD-style passphrases
Expected Output: 50 word-based passphrases
Note: XKCD method creates memorable multi-word passwords
Step 4: Generate 90 passwords from each method (270 total)
Expected Output: 270 passwords (90 from each of the 3 methods)
Note: When using --count without --method, generates specified count from ALL methods
Step 5: Generate 20 custom passwords with specific length and symbols
Expected Output: 20 passwords with 32 characters including specified symbols
Note: Customize password generation with --length and --symbols options
Step 6: Generate 15 passwords with only uppercase letters and digits
Expected Output: 15 alphanumeric passwords (uppercase + digits only)
Step 7: Generate 100 passwords from each method in JSON format
Expected Output: JSON array with 300 passwords
Note: JSON output ideal for scripting and automation
Step 8: Force use of native Rust implementations (skip package detection)
Expected Output: 25 passwords from each method using native fallbacks
Note: Useful for testing or when system packages are unreliable
Scenario 23: RAM Wipe & Cold Boot Protection
Automatic RAM wiping on shutdown with multiple policies (custom, sdmem, both, auto), installation, configuration, testing, and cold boot attack defenses
Step 1: Complete workflow for first-time RAM wipe setup
Expected Output: Step-by-step guide
Note:
STEP 1: Install hooks (REQUIRED FIRST): sudo health-control wipe-ram-install
STEP 2: Configure policy (OPTIONAL): sudo health-control wipe-ram-config --policy sdmem
STEP 3: Enable if disabled: sudo health-control ram-wipe-enable
STEP 4: Verify status: sudo health-control ram-wipe-status
KEY DIFFERENCES:
• wipe-ram-install = FIRST-TIME SETUP (installs systemd shutdown hooks)
• ram-wipe-enable = ENABLE/DISABLE (turns functionality on/off, hooks must exist)
• wipe-ram-config = UPDATE SETTINGS (change policy, passes, time budget)
• wipe-ram = MANUAL EXECUTION (test or emergency wipe NOW, not on shutdown)
Step 2: Install RAM wipe system with default settings (kodachi-wiper policy, 60s timeout)
Expected Output: RAM wipe system installed successfully
Note: FIRST-TIME SETUP - Installs systemd hooks, configures policies, detects Kicksecure compatibility. Creates /etc/kodachi-ram-wipe.conf with defaults
Step 3: Install RAM wipe with kodachi-wiper policy and 60 second time budget
Expected Output: Installed with kodachi-wiper policy
Note: Fastest installation - Single-pass wipe, suitable for systems with <8GB RAM or frequent reboots
Step 4: Install RAM wipe with sdmem policy using 3 overwrite passes
Expected Output: Installed with sdmem 3-pass policy
Note: SECURE INSTALLATION - 3 passes (random, zeros, random). Good balance of security and speed. Recommended for 8-16GB RAM systems
Step 5: Install with both policies: 60% time for kodachi-wiper, 40% for sdmem
Expected Output: Installed with dual-policy split
Note: HYBRID APPROACH - Time-split between kodachi-wiper (fast) and sdmem (thorough). Example: 120s budget = 72s kodachi-wiper + 48s sdmem. Maximum security coverage
Step 6: Force installation even if Kicksecure/Whonix RAM wipe detected
Expected Output: Force installed, Kicksecure overridden
Note: OVERRIDE MODE - Bypasses Kicksecure detection. Use when you want Kodachi's RAM wipe instead of Kicksecure's built-in wipe. May cause conflicts
Step 7: Check RAM wipe configuration and current status
Expected Output: RAM wipe status with memory info and auto-wipe settings
Note: Shows: enabled/disabled state, current policy (kodachi-wiper/sdmem/both/auto), time budget, sdmem passes, total RAM size, Kicksecure detection
Step 8: RAM wipe status in JSON format for automation
Expected Output: JSON formatted status with all configuration details
Note: JSON OUTPUT DEMO - Shows all config fields in machine-readable format for scripts and monitoring systems
Step 9: Update existing RAM wipe policy to auto-detection
Expected Output: Policy updated to auto
Step 10: Update sdmem passes to 5 and time split to 70/30
Expected Output: Multiple parameters updated
Note: PASS COUNT - More passes = more thorough but slower. 1-3=fast, 4-6=balanced, 7-9=maximum. SPLIT - Higher kodachi-wiper%=speed, higher sdmem%=security
Step 11: Enable RAM wipe configuration (hooks must be installed first)
Expected Output: RAM wipe configuration enabled + WARNING if hooks not installed
Note: IMPORTANT: This only enables the CONFIG. You must run 'wipe-ram-install' FIRST to install systemd hooks. Will show clear warning if hooks are missing.
Step 12: Disable automatic RAM wiping
Expected Output: RAM wipe disabled successfully
Note: WARNING - Disabling RAM wipe leaves sensitive data in RAM accessible to physical attacks
Step 13: Test RAM wipe system with dry-run (no actual wiping)
Expected Output: RAM wipe test completed successfully
Note: SAFE TESTING - Simulates wipe operation without actually overwriting memory. Tests configuration, timing, and policy execution. Use before first real wipe
Step 14: Test kodachi-wiper policy with 10 second time budget
Expected Output: Kodachi-wiper policy test completed in 10s
Note: Quick test - Validates kodachi-wiper policy works correctly. 10s budget ensures fast test completion
Step 15: Test RAM wipe with detailed JSON diagnostic metrics
Expected Output: JSON test results with performance data
Note: DIAGNOSTIC OUTPUT - Returns timing, memory stats, policy execution details, and potential issues. Essential for troubleshooting
Step 16: Execute RAM wipe operation manually with configured policy
Expected Output: RAM wiped successfully
Note: ADVANCED - Manually trigger RAM wipe using system configuration. Automatically called by shutdown hooks. Use for testing or emergency wipe
Step 17: Execute RAM wipe optimized for shutdown context
Expected Output: RAM wiped in shutdown mode
Note: INTERNAL USE - Shutdown-optimized mode disables unnecessary checks and output. Used by systemd shutdown hooks
Step 18: Execute RAM wipe using kodachi-wiper overwrite policy
Expected Output: RAM wiped with kodachi-wiper policy
Note: POLICY: Kodachi-wiper fast overwrite algorithm - Single pass with random data. Fastest but least thorough (60-120 seconds for 8GB)
Step 19: Execute RAM wipe using sdmem utility (multiple passes)
Expected Output: RAM wiped with sdmem
Note: POLICY: sdmem (secure-delete memory) - Multiple passes with patterns. Slower but more thorough (3-7 passes configurable). Government-grade erasure
Step 20: Execute RAM wipe using both kodachi-wiper AND sdmem sequentially
Expected Output: RAM wiped with combined policy
Note: POLICY: Maximum security - Kodachi-wiper FIRST (fast pass), then sdmem (thorough passes). Best security but longest time. Recommended for high-security environments
Step 21: Execute RAM wipe with automatic policy selection based on available RAM
Expected Output: RAM wiped with auto-detected policy
Note: POLICY: Auto-detection - Chooses policy based on RAM size and available time: <4GB=kodachi-wiper, 4-16GB=both, >16GB=sdmem. Balances speed and security
Step 22: Execute RAM wipe with 120 second time budget
Expected Output: RAM wiped within time limit
Note: TIME BUDGET - Maximum seconds allowed for wipe operation. System will shut down/reboot when time expires even if the wipe is incomplete. Critical for automated shutdowns
Step 23: Detect if Kicksecure/Whonix RAM wipe is installed
Expected Output: Kicksecure detection results
Note: COMPATIBILITY CHECK - Detects Kicksecure's ram-wipe-on-boot package. Prevents conflicts between Kodachi and Kicksecure RAM wipe systems
Step 24: Update RAM wipe policy to auto with 150 second time budget
Expected Output: Policy and time budget updated
Note: SMART MODE - System automatically selects best policy based on: RAM size, shutdown urgency, battery status (laptops). Recommended for most users
Step 25: Enable cold boot attack defense mechanisms
Expected Output: Cold boot defense enabled
Note: PHYSICAL SECURITY - Protects against cold boot attacks that recover encryption keys from RAM after power loss. Enables: RAM overwriting on shutdown, memory scrambling, DMA protection
Step 26: Disable cold boot attack defense
Expected Output: Cold boot defense disabled
Note: WARNING - Disabling leaves encryption keys vulnerable to physical RAM extraction attacks. Only disable if you have alternative physical security
Scenario 24: Swap Management & Encryption
Swap space enable/disable, configuration, encryption with dm-crypt, and performance tuning with swappiness and cache pressure settings
Step 1: Enable and activate swap space for memory overflow
Expected Output: Swap enabled successfully
Note: STABILITY FEATURE - Activates swap partitions/files for memory overflow. Improves system stability under memory pressure but may leak sensitive data to disk
Step 2: Disable and deactivate all swap space
Expected Output: Swap disabled successfully
Note: SECURITY FEATURE - Deactivates all swap to prevent disk leakage of sensitive data. May cause out-of-memory errors if RAM is insufficient
Step 3: Check swap status, devices, size, and usage
Expected Output: Swap devices list with usage statistics
Note: Shows: active swap devices, total/used/available size, swap usage percentage, encryption status, swappiness value
Step 4: Configure swap parameters for optimal performance
Expected Output: Swap parameters configured
Note: PERFORMANCE TUNING - Swappiness (0-100): 0=never swap, 10=minimal, 60=default, 100=aggressive. Cache pressure controls VFS cache retention (default 100)
Step 5: Encrypt swap with random key generated on each boot
Expected Output: Swap space encrypted
Note: ENCRYPTION SECURITY - Uses dm-crypt with random key per boot. Protects swapped memory from offline disk forensics. Slight performance impact (~5-10%)
Step 6: Remove swap encryption and revert to plain swap
Expected Output: Swap decrypted
Note: WARNING - Removes encryption protection. Swapped data will be readable from disk in clear text. Only use if encryption causes performance issues
Step 7: Check swap encryption status and configuration
Expected Output: Encryption status with cipher details
Note: Shows: encryption enabled/disabled, cipher type (aes-xts-plain64), key size, whether using random keys, encrypted device mapper name
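An independent cross-check of the swap encryption state described in Steps 5 to 7, as an added example that is not part of health-control or its documentation: it reads a /proc/swaps listing and the device-mapper UUID in sysfs to flag any swap area that is not backed by dm-crypt. The function names, verdict strings and the sample fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not health-control code): flag swap areas that can leak
# plaintext pages to disk. Verdict strings and fixture values are constructed.

# audit_swaps [SWAPS_FILE] [SYSFS_ROOT]
#   SWAPS_FILE  file in /proc/swaps format (default: /proc/swaps)
#   SYSFS_ROOT  sysfs mount point (default: /sys); overridable for offline runs
# Prints "<device> <verdict>" per swap area; returns 1 if any area is not
# verifiably encrypted or RAM-backed.
audit_swaps() {
    local swaps="${1:-/proc/swaps}" sysfs="${2:-/sys}"
    local dev type rest uuid rc=0
    while read -r dev type rest; do
        if [ -z "$dev" ] || [ "$dev" = "Filename" ]; then continue; fi
        if [ "$type" = "file" ]; then
            # A swap file is only as protected as the filesystem under it.
            echo "$dev swapfile-unverified"; rc=1; continue
        fi
        case "$dev" in
            /dev/zram*)
                echo "$dev ram-backed" ;;
            /dev/dm-*)
                # cryptsetup tags its mappings with a dm UUID "CRYPT-<TYPE>-...".
                uuid=""
                if [ -r "$sysfs/block/${dev#/dev/}/dm/uuid" ]; then
                    uuid="$(cat "$sysfs/block/${dev#/dev/}/dm/uuid")"
                fi
                case "$uuid" in
                    # Plain mode has no on-disk header; it is the mode used for
                    # random-key-per-boot swap, but this cannot prove the key is random.
                    CRYPT-PLAIN-*) echo "$dev dm-crypt-plain" ;;
                    CRYPT-*)       echo "$dev dm-crypt-other" ;;
                    *)             echo "$dev PLAINTEXT"; rc=1 ;;
                esac ;;
            *)
                echo "$dev PLAINTEXT"; rc=1 ;;
        esac
    done < "$swaps"
    return "$rc"
}

# Constructed sample: a fake sysfs tree and swaps listing for offline use.
make_sample_fixture() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/sys/block/dm-1/dm" "$d/sys/block/dm-2/dm"
    echo "CRYPT-PLAIN-cryptswap" > "$d/sys/block/dm-1/dm/uuid"
    echo "LVM-constructedvolumeid" > "$d/sys/block/dm-2/dm/uuid"  # LVM, not dm-crypt
    cat > "$d/swaps" <<'EOF'
Filename        Type        Size      Used   Priority
/dev/dm-1       partition   8388604   0      -2
/dev/dm-2       partition   2097148   0      -3
/dev/sda5       partition   4194300   1024   -4
/swapfile       file        1048572   0      -5
/dev/zram0      partition   524284    0      100
EOF
    echo "$d"
}

# Live use on a host: audit_swaps   (defaults to /proc/swaps and /sys)
```

A non-zero return is a prompt to re-run the tool's own encryption status check and compare the device names it reports.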
Step 8: Enable swap (alternative command alias)
Expected Output: Swap enabled
Step 9: Disable swap (alternative command alias)
Expected Output: Swap disabled
Scenario 25: Memory Statistics & Cleanup
Memory usage statistics, cache cleaning, and memory optimization without data loss
Step 1: Show current memory usage statistics (total, available, used, cached)
Expected Output: Memory usage breakdown with utilization percentages
Step 2: Memory statistics in human-readable JSON format
Expected Output: Pretty-printed JSON with human-readable sizes (MB/GB)
Note: JSON OUTPUT DEMO - Use --json for compact machine-readable format, --json-human for readable format with color and formatting
Step 3: Clean memory caches and buffers (pagecache, dentries, inodes)
Expected Output: Memory cleaned successfully
Note: Safe operation - drops caches but does NOT kill processes. Improves available memory without data loss
Step 4: Force aggressive memory cleanup (sync + drop_caches=3)
Expected Output: Memory force cleaned
Note: ADVANCED - Kills top memory-consuming process + aggressive cache drop. Use with caution in production
Scenario 26: Process Memory Security
Secure process memory wiping before termination and per-process memory limits using cgroups for browsers and applications
Step 1: Securely wipe memory contents (anti-forensics)
Expected Output: Memory wiped securely
Note: SECURITY FEATURE - Overwrites memory with random data to prevent forensic recovery. Used for sensitive operations
Step 2: Securely wipe Firefox process memory before termination
Expected Output: Firefox process memory wiped successfully
Note: PRIVACY PROTECTION - Clears sensitive data (passwords, session keys, browsing history) from process memory before kill
Step 3: Securely wipe Chrome browser memory
Expected Output: Chrome process memory wiped successfully
Note: Clears authentication tokens, cached passwords, and browsing data from Chrome's memory space
Step 4: Securely wipe Thunderbird email client memory
Expected Output: Thunderbird process memory wiped successfully
Note: Erases email content, credentials, and encryption keys from email client memory
Step 5: Securely wipe Tor Browser memory
Expected Output: Tor Browser process memory wiped successfully
Note: Clears Tor circuit keys, browsing session data, and cached .onion addresses from memory
Step 6: Set Firefox memory limit to 2048 MB using cgroups
Expected Output: Firefox memory limit set to 2048 MB
Note: RESOURCE CONTROL - Uses Linux cgroups to enforce hard memory limits per process. Prevents single process from consuming excessive memory. Process killed if limit exceeded
Step 7: Set Chrome memory limit to 1024 MB
Expected Output: Chrome memory limit set to 1024 MB
Note: Chrome often consumes excessive memory. Limiting prevents system slowdown. Note: Limit applies to total browser memory across all processes
Step 8: Set Tor Browser memory limit to 1536 MB
Expected Output: Tor Browser memory limit set to 1536 MB
Note: Tor Browser requires more memory than standard browsers due to Tor circuit management and enhanced security features. 1536MB recommended minimum
Step 9: List all configured memory limits and their current usage
Expected Output: Table of processes with memory limits and usage
Note: Shows: process name, configured limit, current memory usage, limit utilization percentage, cgroup path, status (active/inactive)
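One way to confirm from the kernel's side that a limit from Steps 6 to 9 is actually in force, as an added example that is not health-control code: given the cgroup path the listing reports, it reads the cgroup v2 control files and prints limit, usage, utilization, swap allowance and OOM-kill count. It assumes the limits are applied through cgroup v2; the function names and the sample directory are constructed.

```shell
#!/bin/sh
# Added example (not health-control code): read a cgroup v2 directory and report
# whether a memory limit is really in force. Assumes cgroup v2 file names.

# cgroup_mem_report DIR
#   Prints limit, usage, utilization, swap allowance and OOM-kill count.
#   Returns 0 if a hard limit is set, 1 if memory.max is "max" (no limit),
#   2 if DIR does not look like a v2 memory cgroup.
cgroup_mem_report() {
    local cg="$1" max cur swapmax kills
    if [ ! -r "$cg/memory.max" ] || [ ! -r "$cg/memory.current" ]; then
        echo "not-a-v2-memory-cgroup"
        return 2
    fi
    max="$(cat "$cg/memory.max")"
    cur="$(cat "$cg/memory.current")"
    # memory.swap.max is absent when the kernel has swap accounting disabled;
    # swap is then not limited per cgroup, so report it as "max".
    swapmax="max"
    if [ -r "$cg/memory.swap.max" ]; then
        swapmax="$(cat "$cg/memory.swap.max")"
    fi
    # memory.events holds "key value" lines; oom_kill counts enforced kills.
    kills=0
    if [ -r "$cg/memory.events" ]; then
        kills="$(awk '$1 == "oom_kill" { print $2 }' "$cg/memory.events")"
        kills="${kills:-0}"
    fi
    if [ "$max" = "max" ]; then
        echo "limit=none used_mb=$((cur / 1048576)) swap_max=$swapmax oom_kills=$kills"
        return 1
    fi
    echo "limit_mb=$((max / 1048576)) used_mb=$((cur / 1048576))" \
         "pct=$((cur * 100 / max)) swap_max=$swapmax oom_kills=$kills"
}

# Constructed sample: a directory that mimics a cgroup holding the 2048 MB
# Firefox limit from Step 6, with 1536 MB currently in use.
make_sample_cgroup() {
    local d
    d="$(mktemp -d)"
    echo 2147483648 > "$d/memory.max"
    echo 1610612736 > "$d/memory.current"
    echo 0 > "$d/memory.swap.max"
    printf 'low 0\nhigh 0\nmax 12\noom 0\noom_kill 0\n' > "$d/memory.events"
    echo "$d"
}

# Live use: cgroup_mem_report /sys/fs/cgroup/<path shown by the limits listing>
```

A swap_max other than 0 means pages of a limited process can still be pushed to swap as it nears its limit, which matters when swap is unencrypted.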
Scenario 27: Emergency Shortcuts - Keyboard-Triggered Actions
Hardware keyboard shortcuts for emergency operations via kodachi-session-helper daemon. All commands use LOCAL session tokens (no online auth required). Works fully offline. Session token is read automatically from $XDG_RUNTIME_DIR/kodachi-session-helper/session.token
Step 1: Dry-run dashboard nuke to test without executing destructive actions
Expected Output: DRY RUN: Would execute plan 'dashboard' - no changes made
Note: SAFE TESTING - Validates session token and plan without executing. Use for testing shortcut configuration and daemon integration. Session token read from $XDG_RUNTIME_DIR/kodachi-session-helper/session.token
Step 2: Trigger dashboard nuke via emergency shortcut (wipe dashboard data, logs, configs)
Expected Output: Emergency plan 'dashboard' executed successfully
Note: KEYBOARD: The session helper uses the shortcut currently configured in the dashboard. Hold the approved combo for roughly 2-3 seconds. The global trigger is silent and does not reopen the dashboard UI.
Step 3: Trigger LUKS nuke via emergency shortcut (destroy encrypted partition headers)
Expected Output: Emergency plan 'luks' executed successfully
Note: KEYBOARD: Uses the dashboard-configured approved combo. Hold it for roughly 2-3 seconds. IRREVERSIBLE - destroys LUKS headers making encrypted data unrecoverable. --device is required for luks and both plans.
Step 4: Trigger full nuke (dashboard + LUKS combined) via emergency shortcut
Expected Output: Emergency plan 'both' executed successfully
Note: KEYBOARD: Uses the dashboard-configured approved combo and should be held for roughly 2-3 seconds. Combines dashboard-nuke and luks-nuke for maximum data destruction. IRREVERSIBLE.
Step 5: Trigger emergency action with JSON output for automation
Expected Output: JSON result with plan, success status, execution time, and details
Note: JSON output includes: plan name, success status, execution duration, affected components. Useful for logging and monitoring.
Step 6: Dry-run LUKS nuke with JSON output for pre-flight validation
Expected Output: JSON dry-run result showing planned actions without executing
Note: Combines --dry-run and --json for safe testing with machine-readable output. Ideal for dashboard integration testing.
Step 7: Force-trigger full nuke silently (skip readiness checks, suppress output)
Expected Output: (no stdout output - silent mode)
Note: DAEMON MODE - Used by kodachi-session-helper daemon. --force skips readiness checks, --silent suppresses stdout. For automated invocation only.
Step 8: Dry-run a 5-minute delayed lockdown for dashboard nuke
Expected Output: DRY RUN: Would start 300s countdown for plan 'dashboard'
Note: SAFE TESTING - Preview lockdown without starting timer. Validates parameters and session token.
Step 9: Start a 5-minute delayed lockdown that triggers dashboard nuke
Expected Output: Lockdown started: plan 'dashboard' in 300 seconds
Note: DELAYED LOCKDOWN - Schedules emergency action after countdown. User can cancel before timer expires with emergency-lockdown-cancel. Useful for dead-man-switch scenarios.
Step 10: Start a 1-minute delayed lockdown for LUKS nuke
Expected Output: Lockdown started: plan 'luks' (device: /dev/sda2) in 60 seconds
Note: SHORT TIMER - 60 second countdown before LUKS header destruction. Cancel with emergency-lockdown-cancel if needed.
Step 11: Check if a delayed lockdown is currently active and its remaining time
Expected Output: Lockdown active: plan 'dashboard', 247 seconds remaining
Note: READ-ONLY - No session token required. Shows: active status, scheduled plan, remaining seconds, start time. Returns 'No active lockdown' if none pending.
Step 12: Check lockdown status in JSON format for dashboard integration
Expected Output: JSON with active, plan, device, delay_seconds, remaining_seconds, started_at, expires_at
Note: JSON output for dashboard polling and monitoring systems. No authentication required for status checks.
Step 13: Cancel an active delayed lockdown before it triggers
Expected Output: Lockdown cancelled successfully
Note: Cancels pending lockdown and kills the timer process. Requires valid session token. Returns error if no lockdown is active.
Step 14: Cancel lockdown with JSON confirmation output
Expected Output: JSON confirmation with cancelled plan details and timestamp
Note: Machine-readable cancellation confirmation for dashboard integration.
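Because the local session token is what authorizes these irreversible plans, a hardening check on the token file is worth running alongside the dry-run steps. The following is an added example, not health-control code: it verifies that the token path named in this scenario is a regular file owned by the current user, with no group/other access and no symlinks in the path. It assumes the token is meant to be private to the session user and that GNU stat is available; the function names and sample directory are constructed.

```shell
#!/bin/sh
# Added example (not health-control code): verify that the local session token
# is private to the current user. Uses GNU stat (Debian-based systems).

# check_session_token [RUNTIME_DIR]
#   RUNTIME_DIR defaults to $XDG_RUNTIME_DIR. Prints one line per finding and
#   returns 1 if the directory or token is missing, a symlink, owned by another
#   uid, accessible to group/other, or (for the token) not a regular file.
check_session_token() {
    local base="${1:-$XDG_RUNTIME_DIR}"
    local dir="$base/kodachi-session-helper"
    local tok="$dir/session.token"
    local f mode owner rc=0
    for f in "$dir" "$tok"; do
        if [ -L "$f" ]; then echo "FAIL symlink $f"; rc=1; continue; fi
        if [ ! -e "$f" ]; then echo "FAIL missing $f"; rc=1; continue; fi
        mode="$(stat -c '%a' "$f")"
        owner="$(stat -c '%u' "$f")"
        if [ "$owner" != "$(id -u)" ]; then
            echo "FAIL owner-uid-$owner $f"; rc=1
        fi
        # Octal mode must end in 00: no permission bits for group or other.
        case "$mode" in
            *00|0) echo "OK mode-$mode $f" ;;
            *)     echo "FAIL mode-$mode $f"; rc=1 ;;
        esac
    done
    if [ -e "$tok" ] && [ ! -f "$tok" ]; then
        echo "FAIL not-a-regular-file $tok"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a runtime directory with a correctly protected token.
make_sample_runtime_dir() {
    local d
    d="$(mktemp -d)"
    mkdir "$d/kodachi-session-helper"
    chmod 700 "$d/kodachi-session-helper"
    echo "constructed-sample-token" > "$d/kodachi-session-helper/session.token"
    chmod 600 "$d/kodachi-session-helper/session.token"
    echo "$d"
}

# Live use: check_session_token   (reads $XDG_RUNTIME_DIR)
```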
Scenario 28: Display & Power
Conky, screensaver, DPMS, and session power controls
Step 1: Start Conky widget
Expected Output: Conky enabled. Running: yes
Step 2: Stop Conky widget
Expected Output: Conky disabled. Running: no
Step 3: Conky status as JSON
Expected Output: JSON with installed, running, start_on_boot, service_available, autostart_enabled fields
Step 4: Enable Conky autostart on boot
Expected Output: Conky boot enabled. Start on boot: true
Step 5: Disable Conky autostart
Expected Output: Conky boot disabled. Start on boot: false
Step 6: Disable XFCE screensaver
Expected Output: Screensaver disabled. Running: no
Step 7: Re-enable screensaver
Expected Output: Screensaver enabled. Running: yes
Step 8: Check screensaver state
Expected Output: JSON with screensaver_running, screensaver_autostart_enabled, screensaver_binary_available
Step 9: Keep display always on
Expected Output: DPMS disabled. Display will stay on.
Step 10: Restore display power saving
Expected Output: DPMS enabled. Display power management active.
Step 11: Check DPMS timeouts
Expected Output: JSON with dpms_enabled, standby_seconds, suspend_seconds, off_seconds, blanking fields
Step 12: Lock screen immediately
Expected Output: Screen locked via loginctl
Note: Multi-fallback: loginctl > xdg-screensaver > xflock4
Step 13: End XFCE session
Expected Output: Session logout initiated via xfce4-session-logout
Note: Fallback: loginctl terminate-user
Step 14: Suspend to RAM
Expected Output: Suspend initiated via xfce4-session-logout
Note: Fallback: systemctl suspend
Step 15: Mask sensitive info in Conky panels for safe screenshots
Expected Output: Privacy masking enabled. Conky panels will show masked data.
Step 16: Unmask Conky panels to show real data
Expected Output: Privacy masking disabled. Conky panels will show real data.
Step 17: Check if Conky privacy masking is active
Expected Output: Privacy masking: disabled
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
| RUST_LOG | Set logging level | info | error |
| NO_COLOR | Disable all colored output when set | unset | 1 |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Permission denied |
| 4 | Network error |
| 5 | File not found |