Health Control
File Information
| Property | Value |
|---|---|
| Binary Name | health-control |
| Version | 9.0.1 |
| File Size | 10.2MB |
| Author | Warith Al Maawali |
| License | Proprietary |
| Category | Security & Authentication |
| Description | Health control system for Kodachi that includes network connectivity checks and system health monito... |
Key Features
Emergency Response System
| Feature | Description |
|---|---|
| Panic Modes | Three levels of emergency response (soft, medium, hard) |
| Kill Switch | Instant network termination with armed/disarmed states |
| Data Destruction | Military-grade secure wiping of files and logs |
| Identity Management | MAC address and hostname randomization |
Why Health Control is Critical
| Benefit | Description |
|---|---|
| Immediate Threat Response | React instantly to security breaches |
| Network Isolation | Cut all connections when compromised |
| Evidence Elimination | Secure data wiping prevents recovery |
| Hardware Anonymization | Change device fingerprints on demand |
| Recovery Options | Restore normal operations after threats pass |
TL;DR - Essential Commands
Important: Most commands require sudo as they modify system-level settings.
Network Control & Diagnostics
# Network connectivity testing
health-control net-check # Test IP & DNS connectivity
health-control net-check-http # Include HTTP connectivity test
health-control net-check --ip-only # Test IP connectivity only (skip DNS)
health-control net-check --timeout 15 # Custom timeout (seconds)
health-control list-ips # Show test IP addresses
health-control list-domains # Show test domain names
# Block internet traffic (multiple methods available)
sudo health-control block-internet # Auto-detect best method
sudo health-control block-internet --method nftables # Modern firewall (preferred)
sudo health-control block-internet --method iptables # Legacy firewall
sudo health-control block-internet --method firewall # UFW (Uncomplicated Firewall)
sudo health-control block-internet --method interfaces # Disable network interfaces
sudo health-control block-internet --method all # Apply ALL methods
sudo health-control block-internet --allow-local # Block internet but allow LAN
# Restore internet access
sudo health-control unblock-internet # Auto-detect
sudo health-control unblock-internet --method all # Clear ALL blocks
# Check blocking status
health-control internet-status # Current blocking status
# Emergency operations
sudo health-control kill-network # Kill all network interfaces
sudo health-control kill-network-interface --interface wlan0 # Kill specific interface
sudo health-control recover-internet # Auto-diagnose & fix connectivity
sudo health-control recover-internet --check-dns # Include DNS fixes
Identity Management
# Change all MAC addresses (original MACs are NOT restored on reboot)
sudo health-control mac-change-all
# MAC address advanced operations
sudo health-control mac-force-change # Force change all MACs (disable interfaces first)
sudo health-control mac-change-specific --interface eth0 # Change specific interface MAC
health-control mac-show-interfaces # Show available network interfaces
health-control mac-show-macs # Show current MAC addresses
sudo health-control mac-reset-all # Reset all MACs to default
health-control mac-active-interface # Show active network interface
# Set random hostname (original hostname is NOT restored on reboot)
sudo health-control set-random-hostname
# Get current hostname
health-control get-hostname
# Change hostname (prompts for new hostname)
health-control change-hostname
health-control change-hostname new-hostname
# Set custom hostname
health-control set-custom-hostname --name MyHost
# Set default hostname
health-control set-default-hostname
# List available hostnames by category
health-control list-hostnames
health-control list-hostnames --category windows
health-control list-hostnames --category linux
# Set random hostname from specific category
sudo health-control set-random-hostname-category --category windows
# Get logged-in user (handles sudo correctly)
health-control get-logged-user
# RESTORE WARNING: Document original MAC addresses and hostname before changing!
# Use 'ip link show' to view current MACs and 'hostname' for current hostname
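One way to act on the restore warning above, as an added example that is not part of health-control: `parse_macs` turns `ip -o link show` output into one line per interface, and `snapshot_identity` writes that plus the hostname to a file only its owner can read. The function names, the output path and the sample `ip` output are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of health-control: record interface MACs and the
# hostname before running mac-change-* or set-random-hostname.

# Constructed sample of `ip -o link show` output (one interface per line).
sample_ip_link() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether a6:3c:11:9e:70:02 brd ff:ff:ff:ff:ff:ff permaddr 00:11:22:33:44:55
EOF
}

# Read `ip -o link show` output on stdin and print
#   <interface> <current MAC> <permanent MAC>
# Newer iproute2 prints a `permaddr` field when the current address differs
# from the burned-in one; without it the current address is used for both.
parse_macs() {
    awk '
    {
        iface = $2
        sub(/:$/, "", iface)      # "eth0:" -> "eth0"
        sub(/@.*/, "", iface)     # "eth0.10@eth0" -> "eth0.10"
        mac = ""; perm = ""
        for (i = 3; i < NF; i++) {
            if ($i == "link/ether") mac  = $(i + 1)
            if ($i == "permaddr")   perm = $(i + 1)
        }
        if (mac == "") next       # loopback and tunnels have no Ethernet address
        if (perm == "") perm = mac
        print iface, mac, perm
    }'
}

# Write the current hostname and MACs to the file named in $1.
# umask 077 keeps the snapshot readable by its owner only.
snapshot_identity() {
    (
        umask 077
        {
            printf 'hostname %s\n' "$(hostname)"
            ip -o link show | parse_macs | sed 's/^/mac /'
        } > "$1"
    )
}

# Demo on the constructed sample. On a real system, before any change:
#   snapshot_identity /root/identity-before.txt
sample_ip_link | parse_macs
```

If an interface was already randomized when the snapshot is taken, the third column is the address to restore, not the second.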
Timezone Management
# Show current system timezone
health-control show-timezone
# Sync timezone based on IP geolocation
health-control sync-timezone
# Show timezone based on current IP location
health-control show-remote-timezone
# Set system timezone
health-control set-timezone --timezone America/New_York
health-control set-timezone --timezone Europe/London
# List available timezones by category
health-control list-timezones
health-control list-timezones --category americas
health-control list-timezones --category europe
health-control list-timezones --category asia
# Set random timezone from specific category
sudo health-control set-random-timezone
sudo health-control set-random-timezone --category americas
Secure Data Wiping
DANGER: All wipe operations permanently destroy data. Files cannot be recovered!
# Wipe specific file (PERMANENTLY DESTROYED - UNRECOVERABLE)
sudo health-control wipe-file --file /path/to/sensitive.txt
sudo health-control wipe-file --file /path/to/file --passes 7 # Custom passes
# Wipe entire directory
sudo health-control wipe-directory --path /tmp/sensitive_dir
# Batch wipe multiple files
sudo health-control wipe-batch --paths /tmp/file1,/tmp/file2,/tmp/file3
# Wipe logs
sudo health-control wipe-logs # All logs
sudo health-control wipe-logs --type system # System logs only
sudo health-control wipe-logs --type all # Everything
# Wipe browser data
sudo health-control wipe-browser-data # All browsers
sudo health-control wipe-browser-data --browser firefox
sudo health-control wipe-browser-data --browser all
# Advanced wipe operations
sudo health-control wipe-free-space --device / # Wipe free space on filesystem
sudo health-control wipe-pattern '*.tmp' # Wipe files matching pattern
sudo health-control wipe-pattern '*.log' --directory /var/log
health-control wipe-schedule temp --frequency daily # Schedule automatic wiping
health-control wipe-schedule logs --frequency weekly
# Verify wipe was successful
sudo health-control wipe-verify --path /path/to/wiped/file
# RAM wipe operations
sudo health-control wipe-ram-install # Install RAM wipe system
sudo health-control wipe-ram-config --policy auto # Update RAM wipe configuration
sudo health-control wipe-ram-test # Test RAM wipe operation
sudo health-control wipe-ram # Execute RAM wipe
Password Generation
Generate secure passwords using multiple methods with customizable options:
# Generate single password (all methods)
health-control genpass
# Generate using specific method
health-control genpass --method pwgen # Random password
health-control genpass --method xkcdpass # Memorable passphrase
health-control genpass --method pass # GPG-style password
# Batch generate multiple passwords
health-control genpass --count 10
health-control genpass --method pwgen --count 50
# Customize password generation
health-control genpass --length 32 --symbols "@-_!#$"
health-control genpass --uppercase --lowercase --digits
# JSON output
health-control genpass --json
health-control genpass --method xkcdpass --count 20 --json
Password Generation Methods:
| Method | Description | Example Output |
|---|---|---|
| pass | GPG-based random characters | Jk9@mP-xQ2_aB5nRt8@Zy3 |
| pwgen | Pronounceable random passwords | pL7-xM@kW_bN5cD9rF |
| xkcdpass | Memorable word-based passphrases | correct-horse-battery-staple |
Key Features:
| Feature | Description |
|---|---|
| Batch Generation | Generate up to 1000 passwords at once |
| Customization | Control length (default: 25), character sets, symbols |
| Multiple Methods | Generate from all methods simultaneously |
| Native Fallback | Works even without packages installed |
| Package Detection | Shows install instructions for missing packages |
Examples:
# Default: generates from all methods
health-control genpass
# Output: Passwords from pass, pwgen, and xkcdpass
# Specific method with batch generation
health-control genpass --method pwgen --count 50
# Output: 50 random passwords
# Memorable passphrases
health-control genpass --method xkcdpass --count 10
# Output: 10 word-based passphrases
# Custom length and symbols
health-control genpass --length 32 --symbols "@-_!#$%^&*"
# JSON output for automation
health-control genpass --method pwgen --count 5 --json
Package Requirements:
| Package | Installation | Purpose |
|---|---|---|
| pass | sudo apt install pass | GPG-based generation |
| pwgen | sudo apt install pwgen | Random passwords |
| xkcdpass | sudo apt install xkcdpass | Memorable passphrases |
Note: All methods work with native Rust fallback if packages aren't installed. Use --force-native to skip package detection.
Security Assessment
# Check overall security status
sudo health-control security-status
# Get security score (0-100)
sudo health-control security-score # Shows score, level, and fixes
sudo health-control security-score --json # Detailed JSON with category breakdowns
# Generate comprehensive report
sudo health-control security-report
sudo health-control security-history --days 30 # View historical data
# Security profiles and settings
health-control security-profile --value minimal # Set security profile (minimal/balanced/paranoid)
health-control security-remediate # Auto-remediate security issues
health-control security-schedule --value daily # Schedule security scans (hourly/daily/weekly/monthly/disable)
# Security reset and recovery
sudo health-control security-reset # Completely disable all security modules (permanent removal)
sudo health-control security-recover # Temporarily revert security hardening (keeps framework ready)
Memory & Swap Security
# Memory cleaning
sudo health-control memory-clean # Clean memory caches
sudo health-control memory-force-clean # Force aggressive cleaning
sudo health-control memory-wipe # Secure memory wipe
# Memory advanced operations
health-control memory-wipe-process --value firefox # Wipe memory of specific process
sudo health-control memory-limits --value firefox --limit 1024 # Manage process memory limits
health-control memory-stats # Display memory statistics
health-control memory-stats --history # Memory statistics with history
# RAM wipe on shutdown
sudo health-control ram-wipe-enable # Enable RAM wipe
sudo health-control ram-wipe-disable # Disable RAM wipe
sudo health-control ram-wipe-status # Check status
sudo health-control ram-wipe # Execute RAM wipe operation
sudo health-control ram-wipe-detect-kicksecure # Detect Kicksecure/Whonix RAM wipe installation
sudo health-control ram-wipe-update --policy auto # Update RAM wipe configuration
# Swap encryption and management
sudo health-control swap-encrypt # Encrypt swap partition
sudo health-control swap-disable # Disable swap completely
sudo health-control swap-status # Check swap status
health-control swap-configure --swappiness 10 --cache-pressure 50 # Configure swap settings
sudo health-control disable-swap # Disable swap memory
sudo health-control enable-swap --size 2048 # Enable swap memory
sudo health-control swap-enable # Enable swap partition/file
sudo health-control swap-decrypt --device /dev/sda3 # Decrypt encrypted swap
health-control swap-encrypt-status # Check swap encryption status
Hardware & Advanced Security
# Hardware security verification
health-control hardware-rng-verify # Verify hardware random number generator
health-control entropy-status # Check system entropy pool status
# Cold boot defense
sudo health-control coldboot-defense-enable # Enable cold boot defense mechanisms
sudo health-control coldboot-defense-disable # Disable cold boot defense mechanisms
health-control coldboot-defense-status # Check cold boot defense status
# Boot integrity
health-control boot-integrity-check # Check boot chain integrity and security
# Tirdad TCP ISN randomization
sudo health-control tirdad-enable # Enable Tirdad TCP ISN randomization
sudo health-control tirdad-disable # Disable Tirdad TCP ISN randomization
health-control tirdad-status # Check Tirdad status
# IPv6 control
sudo health-control ipv6-disable # Disable IPv6 system-wide
sudo health-control ipv6-enable # Enable IPv6 system-wide
health-control ipv6-status # Check IPv6 status
# System monitoring
health-control monitoring-enable --modules auditd,lkrg,file-integrity # Enable monitoring features
health-control monitoring-disable --modules auditd,lkrg # Disable monitoring features
health-control monitoring-status # Check monitoring status
Security Tools
# Rootkit scanning
health-control rootkit-scan # Quick rootkit scan (fast, essential checks)
health-control rootkit-scan-enhanced # Enhanced rootkit scanning with multiple tools
# AIDE file integrity monitoring
health-control aide-init # Initialize AIDE database
health-control aide-check # Check file integrity with AIDE
health-control aide-update # Update AIDE database after legitimate changes
health-control aide-reinit # Reinitialize AIDE database (reset baseline)
health-control aide-scan-dir /usr/bin # Scan specific directory with AIDE
# Kloak keystroke anonymization
health-control kloak-status # Check Kloak status
sudo health-control kloak-enable # Enable Kloak keyboard anonymization
sudo health-control kloak-disable # Disable Kloak keyboard anonymization
health-control kloak-configure --delay 100 # Configure Kloak settings
health-control kloak-event-mode --mode raw # Set Kloak event processing mode
health-control kloak-stats # Show Kloak statistics
# System auditing
health-control lynis-audit # Run Lynis security audit
health-control lynis-status # Check Lynis installation status
health-control clamav-scan # Scan system with ClamAV antivirus
health-control system-audit --level comprehensive # Comprehensive system security audit
Offline System Information
# System information commands (work without network)
health-control offline-info-all # Display all system information
health-control offline-info-system # Display comprehensive system information
health-control offline-info-hardware # Display hardware information
health-control offline-info-process # Display process information
health-control offline-info-security # Display security and encryption status
health-control offline-info-network # Display network information
health-control offline-info-user # Display user information
health-control offline-info-storage # Display storage information
health-control offline-info-services # Display system services information
Offline Actions (Service Management)
# Hardware interfaces
health-control offline-bluetooth --action disable # Disable Bluetooth
health-control offline-wifi --action disable # Disable WiFi
health-control offline-usb-storage --action disable # Disable USB storage
health-control offline-webcam --action disable # Disable webcam
health-control offline-microphone --action disable # Disable microphone
# System services
health-control offline-cups --action disable # Disable CUPS printing service
health-control offline-ssh --action disable # Disable SSH daemon
health-control offline-apache --action disable # Disable Apache web server
health-control offline-nginx --action disable # Disable Nginx web server
health-control offline-mysql --action disable # Disable MySQL database service
health-control offline-postgresql --action disable # Disable PostgreSQL database service
health-control offline-docker --action disable # Disable Docker container service
health-control offline-avahi --action disable # Disable Avahi daemon service
health-control offline-modem-manager --action disable # Disable ModemManager service
# System configuration
health-control offline-networkmanager --action disable # Disable NetworkManager
health-control offline-systemlogs --action disable # Disable system logging
health-control offline-cmdhistory --action disable # Disable command history
health-control offline-autologin --action disable # Disable auto-login
health-control offline-screen-lock --action enable # Enable screen locking
health-control offline-numlock --action enable # Enable NumLock
# Network optimization
health-control offline-netoptimize --action enable # Enable network optimization
health-control offline-bbr --action enable # Enable BBR congestion control
health-control offline-ifspeed --action enable --interface eth0 --speed 1000 # Set interface speed
health-control offline-fdlimit --action enable --soft-limit 1024 --hard-limit 4096 # Set file descriptor limits
System Maintenance & Updates
# Automatic updates
health-control auto-updates-enable # Enable automatic security updates
health-control auto-updates-disable # Disable automatic security updates
health-control auto-updates-status # Check automatic updates status
# System maintenance
health-control system-maintenance-enable # Enable system maintenance settings
health-control system-maintenance-disable # Disable system maintenance settings
health-control system-maintenance-status # Check system maintenance status
# Password policy
health-control password-policy-enable # Enable password policy enforcement
health-control password-policy-disable # Disable password policy enforcement
health-control password-policy-status # Check password policy status
# User security hardening
health-control user-security-enable # Enable user security hardening
health-control user-security-disable # Disable user security hardening
health-control user-security-status # Check user security status
# Two-factor authentication (WARNING: Known bugs with XFCE/LightDM)
health-control 2fa-enable # Enable 2FA (works for SSH/sudo, unreliable for XFCE login)
health-control 2fa-disable # Disable 2FA
health-control 2fa-status # Check 2FA status
# Package management
health-control check-and-install tor openvpn # Check and install required packages
health-control check-and-install-do # Execute installation after checking dependencies
health-control package-cleanup # Clean up unnecessary packages
sudo health-control clear-cache # Clear system memory caches
sudo health-control clear-cache --level 3 # Clear cache at specific level
# Sudo recovery
health-control check-sudo # Check sudo installation and permissions
health-control fix-sudo # Fix broken sudo permissions (no sudo required)
Notifications & System Control
# Desktop notifications
health-control notify --message "Security check complete"
health-control notify --message "Alert" --body "VPN connected"
health-control notify --message "Warning" --urgency critical --duration 30
# Sound notifications
health-control play-sound # Play notification sound
health-control play-sound --sound alert
health-control play-sound success
health-control play-sound warning
# Daemon control
health-control daemon --config-id timezone_iptables # Run watch-guard as daemon process
# Watch-guard management
health-control disable --type watch-guard all # Disable all watch-guards
health-control disable --type watch-guard ip # Disable specific watch-guard
USB Security
# USB Guard protection
sudo health-control usb-guard-enable # Enable USB protection
sudo health-control usb-guard-disable # Disable USB protection
health-control usb-status # Check USB Guard protection status
# USB device management
sudo health-control usb-monitor # Monitor USB connections
sudo health-control usb-history --days 7 # View USB history
sudo health-control usb-list # List current USB devices
# USB policies and whitelist
sudo health-control usb-policy --action add --device-id 1234:5678 --allow
sudo health-control usb-policy --action list
sudo health-control usb-whitelist --action list # List current whitelist
sudo health-control usb-whitelist --action add --device-id 1234:5678 # Add device to whitelist
sudo health-control usb-whitelist --action remove --device-id 1234:5678 # Remove from whitelist
LUKS Emergency Operations
EXTREME DANGER: LUKS nuke operations PERMANENTLY DESTROY all encrypted data!
# Emergency encryption destruction (DESTROYS ALL ENCRYPTED DATA FOREVER)
sudo health-control luks-nuke # DESTROY encryption headers
sudo health-control luks-nuke-advanced # Advanced nuke options
# LUKS device management
health-control luks-manage --action list # List LUKS devices
health-control luks-manage --action unlock --device /dev/sdb1 # Unlock LUKS device
health-control luks-manage-advanced --action backup-header --device /dev/sdb1 --backup-file /tmp/header.backup # Backup LUKS header
health-control luks-manage-advanced --action restore-header --device /dev/sdb1 --backup-file /tmp/header.backup # Restore LUKS header
health-control luks-remove /dev/sdb1 # Remove LUKS encryption from device
# Nuke password management (EXTREME DANGER - data destruction feature)
sudo health-control enable-luks-nuke /dev/sda5 # Step 1: Backup LUKS header (CRITICAL safety step)
sudo health-control configure-nuke-password /dev/sda5 # Step 2: Configure nuke password (DESTROYS data when entered)
sudo health-control remove-nuke-password /dev/sda5 # Remove nuke password from device
# Check encryption status
health-control disk-encryption-status
health-control encryption-status
Nuke Password Warning
configure-nuke-password creates a password that will PERMANENTLY DESTROY all data on the device when entered. Always run enable-luks-nuke first to back up the LUKS header. Keep the encrypted header backup safe - it is your only recovery option.
Persistent Storage & Encrypted Containers
Create Persistence File
# Create unencrypted 4GB persistence (casper-rw)
sudo health-control create-persistence
# Create encrypted persistence (RECOMMENDED - interactive password)
sudo health-control create-persistence --encrypted
# Custom size (8GB encrypted persistence)
sudo health-control create-persistence --encrypted --size 8192
# ⚠️ INSECURE: Password visible in shell history
sudo health-control create-persistence --encrypted --password 'MyPassword123'
# For other distributions (Kali/Parrot/Tails)
sudo health-control create-persistence-other-os --device /dev/sdX2
Auto-Detection Features:
- Automatically detects live USB mode (/proc/cmdline check)
- Finds USB mount point (e.g., /media/username/USB-LABEL)
- Validates available space (warns if insufficient)
- Prevents accidental system drive formatting
Storage Safety Checks
ALWAYS verify device safety before operations:
# List storage devices with safety indicators
sudo health-control list-storage-devices
# Output format: /dev/sdX - SAFE/CAUTION/DANGER (Description)
# - SAFE: USB drives, external storage
# - CAUTION: Large external drives
# - DANGER: System partitions, boot devices
# Include loop and RAM devices
sudo health-control list-storage-devices --all
# Check specific device safety
sudo health-control usb-safety-check --device /dev/sdb1
# Returns: SAFE, CAUTION, or DANGER with explanation
Safety First:
ALWAYS use list-storage-devices and usb-safety-check before:
- Creating persistence files
- Encrypting devices
- Wiping storage
- Any destructive operations
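A fail-closed gate for the rule above, as an added example that is not part of health-control: it reads a listing in the documented `/dev/sdX - SAFE/CAUTION/DANGER (Description)` format and lets a destructive command run only when the exact device is marked SAFE. The function names and the sample listing, including its descriptions, are constructed; real output may carry extra lines, which the parser ignores.

```bash
#!/bin/sh
# Added example, not part of health-control.

# Constructed sample in the documented listing format:
#   /dev/sdX - SAFE/CAUTION/DANGER (Description)
sample_listing() {
    cat <<'EOF'
/dev/sda - DANGER (System disk)
/dev/sda2 - DANGER (Root partition)
/dev/sdb - SAFE (USB flash drive)
/dev/sdb1 - SAFE (USB partition)
/dev/sdc - CAUTION (Large external drive)
EOF
}

# Print the level recorded for exactly the device in $1, reading the listing
# from stdin. The comparison is on the whole first field, so /dev/sdb never
# matches /dev/sdb1. A missing device or an unrecognised level gives UNKNOWN.
safety_level() {
    awk -v dev="$1" '
        $1 == dev && $2 == "-" {
            if ($3 == "SAFE" || $3 == "CAUTION" || $3 == "DANGER") level = $3
            else level = "UNKNOWN"
        }
        END { print (level == "" ? "UNKNOWN" : level) }'
}

# Exit 0 only when the listing on stdin marks the device as SAFE.
# CAUTION, DANGER and UNKNOWN all refuse, so a typo in the path fails closed.
device_is_safe() {
    level=$(safety_level "$1")
    if [ "$level" = "SAFE" ]; then
        return 0
    fi
    printf 'refusing %s: safety level is %s\n' "$1" "$level" >&2
    return 1
}

# Demo on the constructed sample.
for dev in /dev/sdb1 /dev/sdc /dev/sda2 /dev/sdz; do
    printf '%s: %s\n' "$dev" "$(sample_listing | safety_level "$dev")"
done

# On a real system the gate sits in front of the destructive command:
#   sudo health-control list-storage-devices | device_is_safe /dev/sdb1 \
#       && sudo health-control storage-wipe --device /dev/sdb1 --passes 3
```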
Encrypted Containers
Create portable LUKS2-encrypted storage containers:
# Create 500MB encrypted container
sudo health-control container-create /secure/data.img --size 500
# Create smaller container (100MB minimum for testing)
sudo health-control container-create /tmp/secure.img --size 100
# Mount encrypted container (prompts for password)
sudo health-control container-mount /secure/data.img --mount-point /mnt/secure
# Work with encrypted files
cd /mnt/secure
# ... secure file operations ...
# Safely unmount container
sudo health-control container-unmount /mnt/secure
Use Cases:
| Use Case | Command Example |
|---|---|
| Portable encrypted storage | container-create /usb/secure.img --size 1024 |
| Secure backup | container-create /backup/encrypted.img --size 5000 |
| Encrypted data transfer | Mount on source → Copy data → Unmount → Transfer file → Mount on destination |
| Temporary secure workspace | container-create /tmp/work.img --size 100 (auto-deleted on reboot) |
Storage Encryption
Encrypt entire partitions or devices with LUKS2:
# Encrypt storage device
sudo health-control storage-encrypt --device /dev/sdb1
# Securely wipe device before encryption (recommended)
sudo health-control storage-wipe --device /dev/sdb1 --passes 3
# Pass options: 1 (fast), 3 (balanced), 7 (paranoid)
# Optimize encryption settings
sudo health-control encryption-tune --device /dev/sdb1
# Optimizes: cipher algorithm, key size, hashing method
Data Destruction Warning:
storage-encrypt and storage-wipe permanently destroy ALL data on the target device.
- Verify device path with list-storage-devices first
- Check safety level with usb-safety-check
- There is NO undo - all data will be lost
- Back up important data before proceeding
Encryption Status
Check system-wide encryption status:
# Comprehensive encryption report
sudo health-control encryption-status
# Shows:
# - LUKS encrypted devices (with cipher details)
# - eCryptfs encrypted directories
# - Swap encryption status
# - Mounted encrypted containers
# - Overall security assessment
# Disk-specific encryption details
sudo health-control disk-encryption-status
# Shows per-device:
# - LUKS version (LUKS1 vs LUKS2)
# - Cipher algorithm (e.g., aes-xts-plain64)
# - Key size (256-bit, 512-bit)
# - Key slots in use (0-7)
# - Encryption algorithm details
LUKS Device Management
# Detect all LUKS devices
sudo health-control luks-detect
# Scans: /dev/sd*, /dev/nvme*, /dev/mmcblk*
# Include loop and virtual devices
sudo health-control luks-detect --all-devices
# Also scans: /dev/loop*, /dev/dm-*, /dev/mapper/*
# JSON output for scripting
sudo health-control luks-detect --json
# Returns: device path, LUKS version, status, uuid
Important Notes:
| Note | Description |
|---|---|
| Device Safety | Always use list-storage-devices and usb-safety-check before operations |
| Encryption Type | All operations use LUKS2 (modern, more secure than LUKS1) |
| Password Security | Never use --password flag in production (visible in shell history) |
| Container Size | Minimum 100MB, maximum limited by available disk space |
| LUKS Detection | Use luks-detect to identify encrypted devices before nuke operations |
| Encrypted Boot | Encrypted persistence requires password on every boot |
| Performance | Encryption adds ~5-10% CPU overhead, negligible on modern systems |
Emergency Operations
# PANIC MODES - Increasing severity
sudo health-control panic-soft # Kill network + lock screen
sudo health-control panic-medium # + Kill processes + clear memory
sudo health-control panic-hard # + RAM wipe + immediate shutdown
# PANIC PROFILES - Automated emergency response configurations
health-control panic-profile --profile stealth # Light security response (public wifi)
health-control panic-profile --profile paranoid # Maximum security lockdown (high-risk)
health-control panic-profile --profile recovery # Restore system to safe state
# KILL SWITCH - Two-step safety
sudo health-control kill-switch-arm # Arm the kill switch
sudo health-control kill-switch-activate # Activate (requires armed state)
sudo health-control kill-switch-disarm # Disarm the kill switch
# PROCESS KILLING
health-control kill-process --process firefox # Kill specific process by name or PID
# EMERGENCY DATA DESTRUCTION (NUKE)
health-control nuke-execute --dry-run # Test mode - shows actions without executing
health-control nuke-execute --method fast --dry-run # Fast wipe (dry-run for testing)
health-control nuke-progress # Get nuke execution progress
health-control nuke-storage-detect --device /dev/sda # Detect storage type (SSD/HDD/NVMe)
# RECOVERY OPERATIONS
health-control create-recovery-point --name pre-update # Create system recovery checkpoint
health-control panic-recover # Activate panic recovery mode
Understanding Key Security Features
Security Scoring System
Health Control evaluates your system security across 7 critical categories:
| Category | Weight | Check Item | Status |
|---|---|---|---|
| System Security | 30% | Disk encryption | Verified |
| System Security | 30% | Firewall status | Active |
| System Security | 30% | System updates | Current |
| System Security | 30% | Kernel hardening | Enabled |
| Privacy & Anonymity | 25% | VPN/Proxy status | Connected |
| Privacy & Anonymity | 25% | Tor configuration | Optimized |
| Privacy & Anonymity | 25% | DNS encryption | Active |
| Privacy & Anonymity | 25% | IP masking | Enabled |
| Network Security | 20% | Kill switch | Armed |
| Network Security | 20% | DNS leak protection | Active |
| Network Security | 20% | IPv6 privacy | Configured |
| Network Security | 20% | Network isolation | Enabled |
| Authentication | 10% | Kodachi auth status | Authenticated |
| Authentication | 10% | 2FA configuration | Enabled |
| Authentication | 10% | Password policies | Enforced |
| Authentication | 10% | Session security | Protected |
| Device Security | 5% | USB protection | Active |
| Device Security | 5% | Hardware RNG | Verified |
| Device Security | 5% | Secure boot | Enabled |
| Device Security | 5% | Physical ports | Secured |
| Advanced Privacy | 5% | Tirdad kernel module | Loaded |
| Advanced Privacy | 5% | RAM wipe config | Configured |
| Advanced Privacy | 5% | Cold boot defense | Active |
| Advanced Privacy | 5% | Anti-forensics | Enabled |
| Data Protection | 5% | Secure deletion | Configured |
| Data Protection | 5% | Browser privacy | Hardened |
| Data Protection | 5% | Clipboard security | Protected |
| Data Protection | 5% | Temp file handling | Secure |
Score Interpretation
| Score | Level | Description | Action Required |
|---|---|---|---|
| 90-100 | Excellent | Maximum protection active | Maintain current configuration |
| 70-89 | Good | Solid security, minor gaps | Review and fix recommendations |
| 50-69 | Fair | Basic protection only | Implement critical fixes |
| 30-49 | Poor | Significant vulnerabilities | Urgent remediation needed |
| 0-29 | Critical | System exposed | Immediate action required |
Check your score: sudo health-control security-score --json
Panic Mode Escalation
Three-tier emergency response system with increasing severity:
Level 1: Soft Panic
Use for: Public spaces, shoulder surfing, temporary privacy
| Action | Result | Recovery |
|---|---|---|
| Network termination | All connections cut | Automatic on reboot |
| Screen lock | Immediate lock screen | Password unlock |
| Clipboard wipe | Sensitive data cleared | No recovery needed |
| Browser pause | Tabs suspended | Resume on unlock |
Level 2: Medium Panic
Use for: Suspected compromise, active surveillance
| Action | Result | Recovery |
|---|---|---|
| Soft panic actions | All Level 1 protections | — |
| Process termination | Kill browsers, terminals, file managers | Manual restart |
| Memory clearing | RAM caches wiped | Reboot recommended |
| Volume unmounting | Encrypted disks locked | Re-mount required |
| Swap disable | Swap partition cleared | Manual re-enable |
Level 3: Hard Panic
Use for: Imminent seizure, critical breach
| Action | Result | Recovery |
|---|---|---|
| Medium panic actions | All Level 1+2 protections | — |
| RAM overwrite | Memory wiped 3x passes | Data unrecoverable |
| Key destruction | Encryption keys zeroed | Permanent loss |
| Forced shutdown | Immediate power off | Full system restart |
| LUKS header wipe | Optional disk encryption destroy | Drive unusable |
WARNING
Hard panic causes permanent data loss in RAM and potentially on disk.
Recovery Guidance
Post-Emergency Recovery Steps:
- After Network Kill:
- After MAC Changes:
- After Hostname Changes:
- After Memory Wipe:
| Action | Description |
|---|---|
| System Reboot | Reboot system to restore normal memory operation |
| Session Recovery | Reload applications and restore working sessions |
- After LUKS Nuke:
| Status | Action Required |
|---|---|
| Data Status | Data is permanently lost and unrecoverable |
| Recovery Option 1 | Restore from backups if available |
| Recovery Option 2 | Reinstall system if no backups exist |
Internet Blocking Methods
Multi-layer blocking system with fallback mechanisms:
Method Hierarchy
| Priority | Method | Technology | Speed | Security | Recovery |
|---|---|---|---|---|---|
| 1 | nftables | Kernel netfilter (modern) | Instant | Highest | unblock-internet |
| 2 | iptables | Kernel netfilter (legacy) | Instant | High | unblock-internet |
| 3 | firewall | UFW frontend | Fast | Medium | ufw --force reset |
| 4 | interfaces | Physical disconnect | Slow | Absolute | Interface restart |
Blocking Strategies
| Strategy | Command | Use Case | LAN Access |
|---|---|---|---|
| Auto-detect | block-internet | General use | Blocked |
| All methods | block-internet --method all | Maximum security | Blocked |
| Allow local | block-internet --allow-local | Home/office use | Allowed |
| Specific | block-internet --method nftables | Known environment | Configurable |
How Blocking Works
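User Command → Method Detection → Rule Application → Verification
| Stage | What happens |
|---|---|
| User Command | block-internet |
| Method Detection | Check available methods |
| Rule Application | Apply firewall rules / disable interfaces |
| Verification | Test connectivity, log results |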
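The detection and rule-application stages above, sketched as an added example (not health-control's own code): `detect_block_method` walks the Method Hierarchy in priority order, and `render_nft_block` emits a default-drop nftables ruleset, with `yes` adding LAN ranges in the way `--allow-local` is described. The binary names probed, the table name `example_block` and the choice of LAN ranges are assumptions.

```shell
#!/bin/sh
# Added illustration of "Method Detection" and "Rule Application".
# Not the tool's implementation; names below are assumptions.

# Priority order from the Method Hierarchy table, as method:binary pairs.
# ASSUMPTION: the binary that signals each method is nft, iptables, ufw, ip.
METHODS="nftables:nft iptables:iptables firewall:ufw interfaces:ip"

# Print the highest-priority method whose binary is on PATH.
# Returns 1 when no method is available, so the caller can fail closed.
detect_block_method() {
    for entry in $METHODS; do
        method=${entry%%:*}
        binary=${entry##*:}
        if command -v "$binary" >/dev/null 2>&1; then
            echo "$method"
            return 0
        fi
    done
    return 1
}

# Print an nftables ruleset that drops all traffic except loopback.
# $1 = yes  additionally accepts private and link-local ranges (LAN access).
# ASSUMPTION: the table name and the LAN ranges are illustrative choices.
render_nft_block() {
    allow_local=${1:-no}
    lan4='{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }'
    lan6='{ fe80::/10, fc00::/7 }'

    echo 'table inet example_block {'
    echo '  chain output {'
    echo '    type filter hook output priority 0; policy drop;'
    echo '    oifname "lo" accept'
    if [ "$allow_local" = yes ]; then
        echo "    ip daddr $lan4 accept"
        echo "    ip6 daddr $lan6 accept"
    fi
    echo '  }'
    echo '  chain input {'
    echo '    type filter hook input priority 0; policy drop;'
    echo '    iifname "lo" accept'
    echo '    ct state established,related accept'
    if [ "$allow_local" = yes ]; then
        echo "    ip saddr $lan4 accept"
        echo "    ip6 saddr $lan6 accept"
    fi
    echo '  }'
    echo '}'
}

# Syntax-check the ruleset without loading it (needs root and nft):
#   render_nft_block yes | nft -c -f -
# After a real block, confirm the result with: health-control net-check
```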
Network Recovery Process
| Step | Command | Description |
|---|---|---|
| 1 | sudo health-control unblock-internet | Remove all blocking rules |
| 2 | sudo health-control recover-internet | Auto-diagnose and fix connectivity |
| 3 | sudo health-control recover-internet --check-dns | Include DNS resolution fixes |
| 4 | sudo health-control recover-internet --force | Force complete network reset |
Advanced Commands
For advanced users who need access to all available commands and options, please refer to the auto-generated command reference which includes:
| Feature | Description |
|---|---|
| Memory Management | Advanced memory management commands |
| Process Control | Process termination controls |
| Wipe Algorithms | Advanced secure wipe algorithms |
| Network Management | Network interface management |
| System Checks | System integrity verification |
| Panic Profiles | Custom panic mode profiles |
| CLI Reference | All command-line flags and parameters |
Related Tools
Health Control integrates with other Kodachi tools for complete security:
| Tool | Integration |
|---|---|
| IP Fetch | Use after network recovery to verify connectivity |
| DNS Leak | Test for DNS leaks after network changes |
| Tor Switch | Manage Tor connections affected by network blocking |
| Online Auth | Authentication may be affected by emergency operations |
Security Notes
Important Security Practices:
| Practice | Description |
|---|---|
| Test First | Test panic modes in a safe environment first |
| Kill Switch Safety | Keep kill switch disarmed during normal use |
| Backup Strategy | Back up data before using wipe commands |
| Document Changes | Document MAC addresses before changing them |
| Appropriate Response | Use the panic level appropriate to the threat |
| Recovery Points | Create recovery points before major changes |
Performance
| Metric | Value |
|---|---|
| Panic Response | < 1 second activation |
| Network Block | Instant (< 100ms) |
| MAC Change | 2-3 seconds per interface |
| File Wipe | Varies by size and pattern |
| Memory Usage | ~30MB active |
Support
| Resource | Link |
|---|---|
| Website | digi77.com |
| Anonymity Verifier | kodachi.cloud |
| Discord Support | discord.gg/KEFErEx |
| GitHub | github.com/WMAL |
Scenario 1: First Boot Security Hardening
Complete security setup for a new Kodachi installation to achieve maximum protection.
# Step 1: Verify current security status
sudo health-control security-verify
# Step 2: Apply comprehensive security hardening
sudo health-control security-harden
# Expected: All 7 security modules configured (kernel, process, filesystem, network, memory, monitoring, sandboxing)
# Step 3: Check security score
sudo health-control security-score
# Expected: Score should be >70 after initial hardening
# Step 4: Verify system integrity
sudo integrity-check check-all
# Expected: All signatures valid
# Step 5: Set proper file permissions
sudo permission-guard scan /home
# Expected: Report shows secure file permissions
# Step 6: Create recovery point
sudo health-control create-recovery-point --name first-boot-hardened
# Step 7: Verify hardening was applied
sudo health-control security-verify
# Expected: All modules show ENABLED and CONFIGURED
Cross-binary workflow: health-control + integrity-check + permission-guard
When to run: After a fresh installation or system restore. This can also be automated with workflow-manager.
Scenario 2: Daily Security Health Check
Quick daily verification to ensure system protection remains intact.
# Step 1: Check network connectivity
health-control net-check
# Expected: Both IP and DNS connectivity working
# Step 2: Test for DNS leaks
dns-leak test
# Expected: No DNS leaks detected
# Step 3: Verify current IP and Tor status
ip-fetch
# Expected: Shows current IP, geolocation, Tor status
# Step 4: Check security score
sudo health-control security-score --json
# Expected: Score >70 for good security
# Step 5: Verify Tor is running
tor-switch status
# Expected: Tor service active and circuits established
# Step 6: Check security feature status
sudo health-control security-status
# Expected: All security features operational
Cross-binary workflow: health-control + dns-leak + ip-fetch + tor-switch
When to run: Daily before sensitive work, or schedule with workflow-manager cron job.
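A wrapper for scheduling the checks above, as an added example that is not part of Kodachi: it runs each step, records pass or fail, and gates on the Step 4 score. It assumes the tools exit non-zero on failure and that the `--json` output carries a numeric `score` field; neither is confirmed by this page.

```shell
#!/bin/sh
# Added illustration: daily health check suitable for cron.
# Run as root so the privileged subcommands work without sudo.

# Threshold from Step 4 ("Score >70 for good security"); override via env.
MIN_SCORE=${MIN_SCORE:-70}

# Run one check quietly, print PASS/FAIL with its label, return its status.
# ASSUMPTION: each tool exits non-zero when its check fails.
run_step() {
    label=$1
    shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS  $label"
        return 0
    fi
    echo "FAIL  $label"
    return 1
}

# Print the integer security score, or nothing if it cannot be read.
# ASSUMPTION: the JSON contains a numeric field named "score".
read_score() {
    health-control security-score --json 2>/dev/null |
        sed -n 's/.*"score"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Run every step even after a failure, so the report is complete.
# Returns 0 only when all steps pass and the score is above MIN_SCORE.
daily_check() {
    failures=0
    run_step "IP and DNS connectivity" health-control net-check ||
        failures=$((failures + 1))
    run_step "DNS leak test" dns-leak test ||
        failures=$((failures + 1))
    run_step "Tor status" tor-switch status ||
        failures=$((failures + 1))
    run_step "Security feature status" health-control security-status ||
        failures=$((failures + 1))

    score=$(read_score)
    # An unreadable score counts as a failure rather than being skipped.
    if [ -n "$score" ] && [ "$score" -gt "$MIN_SCORE" ]; then
        echo "PASS  Security score $score"
    else
        echo "FAIL  Security score ${score:-unreadable} (need > $MIN_SCORE)"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}

# Example cron usage (script saved as daily-check.sh):
#   . /path/to/daily-check.sh && daily_check || logger "daily check failed"
```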
Scenario 3: Legal Pressure & Emergency Data Destruction
Immediate data destruction when facing legal pressure or device seizure.
# Step 1: Activate medium panic mode (kills network, processes)
sudo health-control panic-medium
# Expected: Network terminated, processes killed, memory cleared
# Step 2: Wipe all logs
sudo health-control wipe-logs --type all
# Expected: System logs, user history, and cache wiped
# Step 3: Wipe browser data
sudo health-control wipe-browser-data --browser all
# Expected: All browser history and cache destroyed
# Step 4: Wipe free space to eliminate deleted file remnants
sudo health-control wipe-free-space --device /
# Expected: Free space overwritten, recovery impossible
# Step 5: Verify wipe completion
sudo health-control wipe-verify --path /var/log
# Expected: Logs successfully wiped
# Step 6: Create incident log
sudo logs-hook log --script 'emergency' --level fatal 'Emergency data destruction completed'
Cross-binary workflow: health-control + logs-hook
When to run: Only in genuine emergency situations with imminent threat of device seizure.
Scenario 4: Border Crossing - Kill Switch Activation
Prepare system for high-risk border crossing with instant network kill capability.
# Step 1: Create recovery point before crossing
sudo health-control create-recovery-point --name pre-border-crossing
# Step 2: Arm the kill switch
sudo health-control kill-switch-arm
# Expected: Kill switch armed and ready for activation
# Step 3: Enable watch-guard to auto-block if the VPN drops
sudo health-control enable --type watch-guard --watch vpn --method nftables
# Step 4: Verify kill switch status
health-control kill-switch-status
# Expected: Shows armed status with timestamp
# Step 5: If threat detected, activate immediately
# sudo health-control kill-switch-activate --level medium
# Step 6: After crossing, check routing status
routing-switch status
# Expected: Current routing mode and active connections
Cross-binary workflow: health-control + routing-switch
When to run: Before entering high-risk zones like border checkpoints or security screenings.
Scenario 5: Forensic Counter-Measures (Cold Boot Defense)
Protect against cold boot attacks and RAM forensics.
# Step 1: Enable cold boot defense mechanisms
sudo health-control coldboot-defense-enable
# Expected: Cold boot protections active
# Step 2: Enable RAM wipe on shutdown
sudo health-control ram-wipe-enable
# Expected: RAM will be wiped on next shutdown
# Step 3: Wipe current memory
sudo health-control memory-wipe
# Expected: Current RAM cleared of sensitive data
# Step 4: Verify cold boot protection status
health-control coldboot-defense-status
# Expected: Shows active protection mechanisms
# Step 5: Check RAM wipe configuration
health-control ram-wipe-status
# Expected: RAM wipe enabled for shutdown
# Step 6: Verify integrity of boot chain
sudo health-control boot-integrity-check
# Expected: Boot chain secure, no tampering detected
Cross-binary workflow: health-control + integrity-check
When to run: Before handling highly sensitive data or when physical security is compromised.
Scenario 6: Active Network Threat Detection & Isolation
Respond to detected network intrusion or surveillance.
# Step 1: Check current network status
health-control net-check-http
# Expected: Network connectivity status shown
# Step 2: Block all internet traffic immediately
sudo health-control block-internet --method all
# Expected: All network blocked (nftables, iptables, firewall, interfaces)
# Step 3: Switch to secure DNS
sudo dns-switch dnscrypt-set --resolver cloudflare
# Step 4: Change routing to Tor-only
sudo routing-switch connect tor
# Expected: All traffic routed through Tor
# Step 5: Verify internet blocking status
health-control internet-status
# Expected: Shows blocked status and methods used
# Step 6: After threat passes, recover network
sudo health-control recover-internet --check-dns --force
Cross-binary workflow: health-control + routing-switch + dns-switch
When to run: When network intrusion detected or during active surveillance.
Scenario 7: Privacy Identity Rotation (MAC, Hostname, Timezone, Kloak)
Complete identity refresh to avoid tracking and correlation attacks.
# Step 1: Check current IP and identity
ip-fetch
# Expected: Shows current IP, location, hostname
# Step 2: Change all MAC addresses
sudo health-control mac-change-all
# Expected: All network interface MACs randomized
# Step 3: Set random hostname
sudo health-control set-random-hostname
# Expected: Hostname changed to random value
# Step 4: Randomize system timezone
sudo health-control set-random-timezone
# Expected: Timezone set to random value
# Step 5: Get new Tor circuit
sudo tor-switch new-tor-circuit
# Expected: New Tor exit node assigned
# Step 6: Verify IP changed
ip-fetch
# Expected: New IP, new geolocation, new identity
Cross-binary workflow: health-control + tor-switch + ip-fetch
When to run: Periodically during sensitive operations or when identity correlation is suspected.
Scenario 8: USB Threat Isolation & Device Policy
Protect against malicious USB devices and BadUSB attacks.
# Step 1: List current USB devices
health-control usb-list
# Expected: Shows all connected USB devices
# Step 2: Enable USB Guard protection
sudo health-control usb-guard-enable
# Expected: USB Guard active, unauthorized devices blocked
# Step 3: Monitor USB connections in real-time
sudo health-control usb-monitor
# Expected: Shows USB connection events
# Step 4: View USB connection history
health-control usb-history --days 7
# Expected: Past week's USB activity log
# Step 5: Add trusted device policy
sudo health-control usb-policy --action add --device-id 1234:5678 --allow
# Step 6: Verify system integrity after USB insertion
sudo integrity-check check-all
# Expected: No system tampering detected
Cross-binary workflow: health-control + integrity-check
When to run: When using untrusted USB devices or in high-security environments.
Scenario 9: Emergency Encryption Key Destruction (LUKS Nuke)
Destroy encryption keys to make data permanently unrecoverable under extreme duress.
# Step 1: Detect all LUKS encrypted devices
sudo health-control luks-detect
# Expected: Lists all LUKS-encrypted partitions
# Step 2: Check current encryption status
health-control disk-encryption-status
# Expected: Shows encryption details for each device
# Step 3: Verify storage device safety before nuke
sudo health-control list-storage-devices
# Expected: Shows safety level (SAFE/CAUTION/DANGER)
# Step 4: CRITICAL - Execute LUKS nuke (DESTROYS ALL DATA)
# sudo health-control luks-nuke
# WARNING: This permanently destroys all encrypted data
# Step 5: Verify encryption headers destroyed
health-control encryption-status
# Expected: LUKS headers no longer accessible
# Step 6: Confirm data is unrecoverable
sudo integrity-check check-all
# Expected: Encrypted volumes inaccessible
Cross-binary workflow: health-control + integrity-check
When to run: ONLY in extreme emergencies when data destruction is the only option.
Scenario 10: Persistence Layer for Live USB
Create encrypted persistence on USB drive for portable secure storage.
# Step 1: List storage devices and verify USB safety
sudo health-control list-storage-devices
# Expected: Shows USB drives marked as SAFE
# Step 2: Verify specific USB device is safe
sudo health-control usb-safety-check --device /dev/sdb1
# Expected: Returns SAFE status
# Step 3: Create encrypted persistence file (8GB)
sudo health-control create-persistence --encrypted --size 8192
# Expected: Creates encrypted casper-rw file, prompts for password
# Step 4: Verify persistence file exists
ls -lh /media/*/casper-rw
# Expected: Shows 8GB persistence file
# Step 5: Check encryption status
sudo health-control encryption-status
# Expected: Shows casper-rw encryption details
# Step 6: Verify integrity of persistence setup
sudo integrity-check check-all
Cross-binary workflow: health-control + integrity-check
When to run: After creating bootable USB or when setting up portable workspace.
Scenario 11: System Hardening Before Sensitive Work (Lynis, AIDE, Kernel)
Comprehensive security audit and hardening before high-risk operations.
# Step 1: Run Lynis security audit
sudo health-control lynis-audit
# Expected: Detailed security audit report
# Step 2: Check Lynis audit status
health-control lynis-status
# Expected: Shows audit score and recommendations
# Step 3: Apply security hardening
sudo health-control security-harden --profile paranoid
# Expected: Maximum security hardening applied
# Step 4: Initialize AIDE file integrity monitoring
sudo health-control aide-init
# Expected: AIDE database created
# Step 5: Perform comprehensive system audit
sudo health-control system-audit --level comprehensive
# Expected: Full system security assessment
# Step 6: Verify all hardening applied correctly
sudo health-control security-verify
# Expected: All 7 security modules ENABLED and CONFIGURED
# Step 7: Check final security score
sudo health-control security-score --json
# Expected: Score >90 for paranoid configuration
Cross-binary workflow: health-control + integrity-check
When to run: Before handling classified data, whistleblowing, or journalism work.
Scenario 12: Incident Response - Malware Containment
Respond to suspected malware infection with isolation and forensics.
# Step 1: Kill network immediately
sudo health-control kill-network
# Expected: All network interfaces disabled
# Step 2: Run rootkit scan
sudo health-control rootkit-scan-enhanced
# Expected: Comprehensive rootkit detection
# Step 3: Scan system with ClamAV
sudo health-control clamav-scan
# Expected: Malware scan results
# Step 4: Check AIDE for file system changes
sudo health-control aide-check
# Expected: Shows modified/new/deleted files
# Step 5: Verify system integrity
sudo integrity-check check-all --timeout 300
# Expected: Signature verification results
# Step 6: Log incident details
sudo logs-hook log --script 'security' --level warn 'Malware containment protocol executed'
# Step 7: Create recovery point if clean
sudo health-control create-recovery-point --name post-malware-scan
Cross-binary workflow: health-control + logs-hook + integrity-check
When to run: When malware infection suspected or unusual system behavior detected.
Scenario 13: Password Generation & Batch Management
Generate secure passwords for multiple accounts using different methods.
# Step 1: Generate single password using all methods
health-control genpass
# Expected: Passwords from pass, pwgen, and xkcdpass
# Step 2: Batch generate 50 strong passwords
health-control genpass --method pwgen --count 50
# Expected: 50 random strong passwords
# Step 3: Generate memorable passphrases
health-control genpass --method xkcdpass --count 10
# Expected: 10 word-based passphrases
# Step 4: Generate custom length passwords with specific symbols
health-control genpass --length 32 --symbols "@-_!#$%^&*"
# Expected: 32-character password with specified symbols
# Step 5: Generate JSON output for automation
health-control genpass --method pwgen --count 20 --json > passwords.json
# Step 6: Automate password generation workflow
# workflow-manager create batch-password-gen
Cross-binary workflow: health-control + workflow-manager
When to run: During account creation, password rotation, or security audits.
Scenario 14: Off-Grid System Audit (All Offline Info Commands)
Complete system information gathering without network connectivity.
# Step 1: Get comprehensive system info
health-control offline-info-all
# Expected: Complete system overview (hardware, processes, services, security)
# Step 2: Check hardware details
health-control offline-info-hardware
# Expected: CPU, RAM, disk, network hardware details
# Step 3: Analyze running processes
health-control offline-info-process
# Expected: Process list with CPU/memory usage
# Step 4: Review security configuration
health-control offline-info-security
# Expected: Firewall, SELinux, AppArmor, encryption status
# Step 5: Check network configuration
health-control offline-info-network
# Expected: Interface configuration, routing tables
# Step 6: Review storage details
health-control offline-info-storage
# Expected: Disk partitions, mount points, usage
# Step 7: Log system audit
sudo logs-hook log --script 'system' --level info 'Complete offline system audit performed'
Cross-binary workflow: health-control + logs-hook
When to run: During offline operations, pre-deployment checks, or air-gapped system audits.
Scenario 15: Multi-Layer Emergency Response (Soft/Medium/Hard Panic)
Escalating emergency responses based on threat severity.
# SOFT PANIC - For public spaces, shoulder surfing
sudo health-control panic-soft
# Actions: Kill network, clear clipboard, lock screen
# Recovery: Unlock screen, restart network
# MEDIUM PANIC - For suspected compromise
# sudo health-control panic-medium
# Actions: Kill network, terminate processes, clear memory, lock screen
# Recovery: Requires system restart of services
# HARD PANIC - For imminent seizure
# sudo health-control panic-hard
# Actions: Kill network, wipe RAM, immediate shutdown
# WARNING: IRREVERSIBLE - system will shutdown immediately
# After soft/medium panic, recover network
sudo health-control recover-internet --force
# Verify routing after recovery
routing-switch status
# Check Tor status after recovery
tor-switch status
Cross-binary workflow: health-control + routing-switch + tor-switch
When to run: Choose panic level based on threat severity. Soft for minor threats, hard for critical emergencies.
Scenario 16: Service Lockdown for Sensitive Operations (30+ Offline Actions)
Disable all non-essential services before sensitive work.
# Step 1: Disable Bluetooth
sudo health-control offline-bluetooth --action disable
# Expected: Bluetooth completely disabled
# Step 2: Disable WiFi
sudo health-control offline-wifi --action disable
# Expected: WiFi interfaces disabled
# Step 3: Disable USB storage
sudo health-control offline-usb-storage --action disable
# Expected: USB storage mounting blocked
# Step 4: Disable webcam
sudo health-control offline-webcam --action disable
# Expected: Webcam access blocked
# Step 5: Disable microphone
sudo health-control offline-microphone --action disable
# Expected: Microphone access blocked
# Step 6: Disable system logging
sudo health-control offline-systemlogs --action disable
# Expected: Logging services stopped
# Step 7: Disable network services
sudo health-control offline-networkmanager --action disable
# Expected: NetworkManager disabled
# Step 8: Log lockdown status
sudo logs-hook log --script 'security' --level warn 'System lockdown for sensitive operations'
Cross-binary workflow: health-control + logs-hook
When to run: Before handling extremely sensitive data or classified information.
Scenario 17: Complete System Wiping Before Decommissioning
Securely wipe system before disposal or transfer.
# Step 1: List all storage devices
sudo health-control list-storage-devices
# Expected: Shows all storage with safety indicators
# Step 2: Wipe all logs
sudo health-control wipe-logs --type all
# Expected: All system and user logs destroyed
# Step 3: Wipe browser data
sudo health-control wipe-browser-data --browser all
# Expected: All browser data destroyed
# Step 4: Wipe temporary files
sudo health-control wipe-pattern '*.tmp' --directory /tmp
# Step 5: Wipe free space on all partitions
sudo health-control wipe-free-space --device /
# Expected: Free space overwritten
# Step 6: Verify wipe completion
sudo health-control wipe-verify --path /var/log
# Step 7: Final integrity check
sudo integrity-check check-all
Cross-binary workflow: health-control + integrity-check
When to run: Before selling, donating, or decommissioning hardware.
Scenario 18: Malware Defense with Watch-Guard Monitoring
Automated threat detection with watch-guard monitoring.
# Step 1: Enable watch-guard for VPN monitoring
sudo health-control enable --type watch-guard --watch vpn --method nftables --interval 3
# Expected: Internet blocked if VPN drops
# Step 2: Enable watch-guard for Tor process
sudo health-control enable --type watch-guard --watch process --target tor --method nftables
# Expected: Internet blocked if Tor stops
# Step 3: Enable watch-guard for IP changes
sudo health-control enable --type watch-guard --watch ip --method nftables
# Step 4: Enable watch-guard for DNS changes
sudo health-control enable --type watch-guard --watch dns --method firewall
# Step 5: Check all active watch-guards
health-control watch-guard status
# Expected: Lists all active monitoring configurations
# Step 6: Automate watch-guard with workflow-manager
# workflow-manager create security-monitoring
# Step 7: Log watch-guard configuration
sudo logs-hook log --script 'security' --level warn 'Watch-guard monitoring enabled'
Cross-binary workflow: health-control + workflow-manager + logs-hook
When to run: During high-risk operations requiring automated threat response.
Scenario 19: Hardware Security Verification (RNG, Entropy, Boot Integrity)
Verify hardware security features before sensitive cryptographic operations.
# Step 1: Verify hardware RNG availability
health-control hardware-rng-verify
# Expected: Hardware RNG present and functional
# Step 2: Check system entropy pool
health-control entropy-status
# Expected: Sufficient entropy available (>1000 bits)
# Step 3: Verify boot chain integrity
sudo health-control boot-integrity-check
# Expected: Boot chain secure, no tampering
# Step 4: Check cold boot defense status
health-control coldboot-defense-status
# Expected: Cold boot protections active
# Step 5: Enable Tirdad for TCP ISN randomization
sudo health-control tirdad-enable
# Expected: TCP sequence number randomization active
# Step 6: Check Tirdad status
health-control tirdad-status
# Expected: Tirdad module loaded and active
# Step 7: Verify overall security
sudo health-control security-score --json
# Expected: Hardware security contributing to high score
Cross-binary workflow: health-control + integrity-check
When to run: Before cryptographic key generation or encryption operations.
Scenario 20: System Recovery After Emergency Operations
Restore normal operations after panic mode or emergency shutdown.
# Step 1: Activate panic recovery mode
sudo health-control panic-recover
# Expected: Recovery procedures initiated
# Step 2: Unblock internet access
sudo health-control unblock-internet --method all
# Expected: All blocking rules removed
# Step 3: Restore network connectivity
sudo health-control recover-internet --check-dns --force
# Expected: Network connectivity restored
# Step 4: Verify network is working
health-control net-check-http
# Expected: IP, DNS, and HTTP connectivity working
# Step 5: Check DNS service status
sudo dns-switch status
# Expected: DNS service operational
# Step 6: Check routing status
routing-switch status
# Expected: Normal routing restored
# Step 7: Check security score
sudo health-control security-score
# Expected: Security score restored to normal levels
Cross-binary workflow: health-control + routing-switch + dns-switch
When to run: After emergency operations when returning to normal system operation.
Related Workflows
- IP Fetch — Verify IP changes after identity rotation
- DNS Leak — Test for DNS leaks after network changes
- Tor Switch — Manage Tor connections for anonymity
- Routing Switch — Control network routing (VPN/Tor/Direct)
- DNS Switch — Switch DNS servers and DNSCrypt
- Integrity Check — Verify system integrity and signatures
- Permission Guard — Monitor and manage file permissions
- Online Auth — Authentication may be affected by emergency operations
- Logs Hook — Centralized logging for all operations
- Full CLI Reference: health-control commands