🛡️ Enterprise-Grade System Protection and Process Isolation
The protection tools in Kodachi OS provide comprehensive system hardening through real-time permission monitoring, process isolation, and security policy enforcement. These production-ready binaries ensure system integrity by preventing unauthorized changes and maintaining strict access controls.
Core Architecture Principles - Verified
- Real-Time Monitoring: Continuous surveillance of file permissions and system changes
- Process Isolation: Advanced namespace separation for secure process execution
- Policy Enforcement: Automatic remediation of unauthorized modifications
- Defense in Depth: Multiple layers of protection from file-level to process-level
🛡️ Binary Categories and Requirements
| Binary | Primary Function | Commands | Requires Auth | Requires Sudo | Auto-Start |
|---|---|---|---|---|---|
| permission-guard | Real-time permission monitoring and enforcement | 4 (+8 config) | No | Yes (fixes) | Called by online-auth |
| oniux | Third-party open source Tor isolation tool | Variable | No | Yes (namespaces) | No |
🛡️ Inter-Binary Dependencies Matrix
Binary Communication Flow
| Service | Calls These Binaries | Called By These Binaries |
|---|---|---|
| permission-guard | logs-hook | online-auth |
| oniux | logs-hook | tor-switch (for Tor isolation) |
Critical Service Dependencies
| Dependency Type | Description | Affected Services |
|---|---|---|
| Authentication Integration | Started and managed by online-auth | permission-guard |
| Logging Infrastructure | All services use logs-hook | Both protection binaries |
| Process Isolation | tor-switch uses oniux for Tor instance isolation | tor-switch |
| System Monitoring | Continuous file system surveillance | permission-guard daemon |
🛡️ System Requirements and Permissions
Privilege Escalation Requirements
| Operation Type | Required Permissions | Affected Binaries |
|---|---|---|
| Permission Fixes | sudo/root | permission-guard (auto-fix mode) |
| Namespace Creation | sudo/root | oniux (process isolation) |
| File Monitoring | Read access | permission-guard (scan mode) |
| Policy Updates | sudo/root | permission-guard config |
System Integration
| Component | Integration Method | Services |
|---|---|---|
| inotify | Kernel file monitoring | permission-guard |
| Namespaces | Linux namespaces API | oniux |
| Capabilities | Linux capabilities system | Both services |
| SELinux/AppArmor | MAC integration | Optional enhancement |
🛡️ Key Capabilities Overview
Permission Monitoring (permission-guard - 4 primary + 8 config commands)
| Category | Command/Feature | Description |
|---|---|---|
| Monitoring Modes | watch | Continuous daemon monitoring with auto-fix |
| Monitoring Modes | scan | One-time comprehensive permission scan |
| Monitoring Modes | status | Current monitoring status and statistics |
| Monitoring Modes | config | Configuration management interface |
| Configuration Commands | add-path | Add directories to monitor |
| Configuration Commands | remove-path | Remove from monitoring |
| Configuration Commands | list-paths | Show monitored directories |
| Configuration Commands | set-interval | Adjust check frequency |
| Configuration Commands | set-fix-mode | Enable/disable auto-fix |
| Configuration Commands | add-exclusion | Exclude patterns |
| Configuration Commands | remove-exclusion | Remove exclusions |
| Configuration Commands | show-config | Display full configuration |
| Security Features | Real-time monitoring | inotify-based file system monitoring |
| Security Features | Automatic correction | Permission fixes applied automatically |
| Security Features | Pattern exclusions | Rule-based exclusion system |
| Security Features | Audit logging | Comprehensive security audit trail |
| Security Features | Field filtering | Advanced filtering and pagination |
Third-Party Integration
Oniux is an open source tool developed by the Tor Project (https://gitlab.torproject.org/tpo/core/oniux) that has been integrated into Kodachi OS specifically for its powerful Tor process isolation capabilities. It is primarily used in conjunction with tor-switch to provide advanced namespace separation and security features for Tor instances.
| Feature Category | Capability | Description |
|---|---|---|
| Isolation Features | Mount namespace separation | Isolates filesystem mounts from host system |
| Isolation Features | User namespace mapping | Maps user/group IDs for privilege separation |
| Isolation Features | Network namespace isolation | Separates network stack and interfaces |
| Isolation Features | PID namespace containment | Process ID isolation and containment |
| Isolation Features | IPC namespace separation | Inter-process communication isolation |
| Security Capabilities | Capability dropping | Removes unnecessary Linux capabilities |
| Security Capabilities | Seccomp filtering | System call filtering and restriction |
| Security Capabilities | Resource limits (cgroups) | CPU, memory, and I/O resource constraints |
| Security Capabilities | Filesystem restrictions | Access control and path restrictions |
| Security Capabilities | Network filtering | Network traffic filtering and blocking |
| Use Cases | Tor process isolation | Secure Tor instance separation |
| Use Cases | Untrusted application sandboxing | Safe execution of untrusted code |
| Use Cases | Service compartmentalization | Service-level security boundaries |
| Use Cases | Testing environments | Isolated testing and development |
🛡️ Common Workflows
Initial System Protection Setup
```bash
# Perform initial permission scan
sudo ./permission-guard scan

# Configure monitoring paths
sudo ./permission-guard config add-path /etc
sudo ./permission-guard config add-path /usr/local/bin
sudo ./permission-guard config add-path /home/user/.ssh

# Set monitoring parameters
sudo ./permission-guard config set-interval 60
sudo ./permission-guard config set-fix-mode true

# Start monitoring daemon
sudo ./permission-guard watch
```
Continuous Protection Monitoring
```bash
# Check current status
./permission-guard status --json

# View recent changes
./permission-guard status --changes

# Generate compliance report
./permission-guard status --report > compliance.json
```
Process Isolation Operations
```bash
# Run process in isolated namespace
sudo ./oniux isolate --net --pid --mount /usr/bin/application

# Create Tor-specific isolation
sudo ./oniux tor-isolate --instance tor1

# Sandbox untrusted application
sudo ./oniux sandbox --strict /path/to/untrusted/app
```
Configuration Management
```bash
# Add exclusions for dynamic files
sudo ./permission-guard config add-exclusion "*.log"
sudo ./permission-guard config add-exclusion "*.tmp"

# View current configuration
./permission-guard config show-config

# Export configuration
./permission-guard config export > guard-config.json

# Import configuration
sudo ./permission-guard config import guard-config.json
```
| Metric | Value | Description |
|---|---|---|
| File Monitoring | 10,000+ files | Concurrent monitoring capacity |
| Scan Speed | 50,000 files/sec | Permission checking rate |
| Response Time | < 10ms | Change detection latency |
| Memory Usage | < 30MB | Combined services |
| CPU Usage | < 2% | During active monitoring |
🛡️ Protection Architecture
Multi-Layer Defense Model
```text
Application Layer
        ↓
Permission Guard (File System)
        ↓
Oniux (Process Isolation)
        ↓
Kernel Security Modules
        ↓
Hardware Security
```
Permission Enforcement Flow
```text
File Change Event → inotify → Permission Guard
        ↓
Policy Evaluation
        ↓
[Allowed] or [Fix Required]
        ↓
Auto-Remediation
        ↓
Audit Logging
```
Isolation Architecture
```text
Process Request → Oniux → Namespace Creation
        ↓
Capability Restriction
        ↓
Resource Limitation
        ↓
Isolated Execution
```
🛡️ Security Policies
Default Protection Levels
| Level | Description | Action | Examples |
|---|---|---|---|
| Critical | System files | Immediate fix + alert | /etc/passwd, /etc/shadow |
| High | Config files | Fix + log | /etc/ssh/*, service configs |
| Medium | User files | Alert only | ~/.ssh/, ~/.gnupg/ |
| Low | Data files | Log only | /var/log/, /tmp/ |
Custom Policy Framework
```bash
# Define custom policies
cat > custom-policy.json << EOF
{
  "paths": {
    "/custom/secure": {
      "level": "critical",
      "permissions": "0600",
      "owner": "root:root",
      "action": "fix"
    }
  }
}
EOF

# Apply custom policy
sudo ./permission-guard config import-policy custom-policy.json
```
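The enforcement flow above (policy evaluation, allowed or fix required, auto-remediation, audit logging) applied to one rule in the shape of custom-policy.json, as an added Python example that is not part of permission-guard or Kodachi OS. The function names `evaluate`, `remediate` and `demo` are hypothetical, and the sample file and rule are constructed at run time so it runs unprivileged.

```python
import grp, os, pwd, stat, tempfile, time

def _owner(st):
    """'user:group' for a stat result; numeric ids when no passwd/group entry exists."""
    def name(lookup, num):
        try:
            return lookup(num)[0]
        except KeyError:
            return str(num)
    return f"{name(pwd.getpwuid, st.st_uid)}:{name(grp.getgrgid, st.st_gid)}"

def evaluate(path, rule):
    """Policy evaluation: list how the file deviates from its rule (empty list == allowed)."""
    st, found = os.lstat(path), []
    mode = stat.S_IMODE(st.st_mode)
    if mode != int(rule["permissions"], 8):
        found.append(f"mode {mode:04o} != {rule['permissions']}")
    if _owner(st) != rule["owner"]:
        found.append(f"owner {_owner(st)} != {rule['owner']}")
    return found

def remediate(path, rule, audit):
    """Auto-remediation plus audit logging: act per the rule's action, record the decision."""
    violations = evaluate(path, rule)
    rec = {"ts": time.time(), "path": path, "level": rule["level"], "violations": violations}
    if not violations:
        rec["decision"] = "allowed"
    elif rule["action"] != "fix":
        rec["decision"] = "alert"           # alert/log-only levels: report, do not touch
    else:
        os.chmod(path, int(rule["permissions"], 8))
        if os.geteuid() == 0 and any(v.startswith("owner") for v in violations):
            user, group = rule["owner"].split(":")   # chown needs root; unprivileged runs skip it
            os.chown(path, pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid)
        rec["decision"] = "fixed"
        rec["remaining"] = evaluate(path, rule)  # anything the fix could not correct
    audit.append(rec)
    return rec

def demo():
    """Constructed sample: a 0644 temp file under a 'critical' rule that requires 0600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    rule = {"level": "critical", "permissions": "0600", "action": "fix",
            "owner": _owner(os.lstat(path))}  # we own the file, so chmod alone suffices
    audit, before = [], evaluate(path, rule)
    remediate(path, rule, audit)             # a real run loops over every policy path
    os.unlink(path)
    return before, audit
```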
🛡️ Advanced Features
Forensic Capabilities
| Feature | Description |
|---|---|
| Change History | Complete audit trail of all modifications |
| Timeline Analysis | Chronological view of system changes |
| Attribution | User and process identification |
| Rollback Points | Restore previous permissions |
Integration with Security Stack
```bash
# Integration with health-control
sudo ./health-control security-audit
./permission-guard scan --deep

# Integration with integrity-check
./integrity-check check_all
./permission-guard status --verify

# Integration with logs-hook
./permission-guard watch --log-level debug
tail -f /dashboard/hooks/logs/permission-guard.log
```
Compliance Reporting
| Report Type | Format | Use Case |
|---|---|---|
| Daily Summary | JSON/PDF | Management review |
| Change Log | CSV | Audit trail |
| Violation Report | HTML | Incident response |
| Compliance Status | JSON | Automated monitoring |
🛡️ Use Cases
System Administrators
| Use Case | Description |
|---|---|
| Configuration Management | Prevent configuration drift |
| Security Enforcement | Enforce security baselines |
| Access Monitoring | Monitor privileged file access |
| Intrusion Detection | Detect intrusion attempts |
Security Operations
| Use Case | Description |
|---|---|
| Threat Detection | Real-time threat detection |
| Compliance | Compliance enforcement |
| Incident Response | Incident investigation |
| Security Monitoring | Security posture monitoring |
DevSecOps
| Use Case | Description |
|---|---|
| Pipeline Security | CI/CD pipeline security |
| Container Management | Container permission management |
| Deployment | Deployment verification |
| IaC Validation | Infrastructure as Code validation |
Privacy Protection
| Use Case | Description |
|---|---|
| Data Control | Personal data access control |
| Key Protection | Encryption key protection |
| Browser Isolation | Browser profile isolation |
| App Sandboxing | Communication app sandboxing |
🛡️ Integration Points
The protection tools integrate with:
| Integration Type | Components |
|---|---|
| Security Services | health-control, integrity-check, online-auth |
| Logging System | Centralized logs-hook integration |
| Kernel Subsystems | inotify, namespaces, capabilities |
| File Systems | ext4, btrfs, xfs attributes |
| Container Runtimes | Docker, Podman isolation |
🛡️ Troubleshooting
Common Issues
| Issue | Solution | Prevention |
|---|---|---|
| High CPU usage | Reduce scan frequency | Optimize path selection |
| Permission fix fails | Check file system | Verify root access |
| False positives | Add exclusions | Refine policies |
| Monitoring stops | Check daemon status | Enable auto-restart |
Diagnostic Commands
```bash
# Check service health
systemctl status permission-guard

# Test inotify limits
cat /proc/sys/fs/inotify/max_user_watches

# Verify namespace support
unshare --help

# Check audit logs
journalctl -u permission-guard -f

# Increase inotify watches
echo "fs.inotify.max_user_watches=524288" >> /etc/sysctl.conf
sysctl -p

# Optimize scan intervals
sudo ./permission-guard config set-interval 120

# Limit monitored paths
sudo ./permission-guard config remove-path /var/cache
```
🛡️ Security Considerations
Important Security Notice
Protection tools modify system permissions and isolate processes. Incorrect configuration can lock out users or break applications. Always test policies in non-production environments first.
Best Practices
| Practice | Description |
|---|---|
| Baseline First | Create initial permission baseline before monitoring |
| Test Policies | Verify policies don't break legitimate operations |
| Regular Audits | Review change logs weekly |
| Backup Configs | Maintain configuration backups |
| Monitor Performance | Watch for resource exhaustion |
Operational Security
| Security Measure | Implementation |
|---|---|
| Immutable Files | Use chattr +i for critical files |
| MAC Integration | Enable SELinux/AppArmor policies |
| Audit Subsystem | Configure auditd rules |
| File Integrity | Combine with integrity-check |
| Access Logging | Enable detailed access logs |
| Component | Version | Build Date | License |
|---|---|---|---|
| permission-guard | 9.0.1 | 2025-09-18 | Proprietary |
| oniux | Third-party | Open Source | Open Source |
| Documentation | 9.0.1 | 2025-09-19 | |
© 2025 Linux Kodachi |