health-control
Health control system for Kodachi that includes network connectivity checks and system health monitoring
Version: 9.8.4 (build 319) | Size: 14.8MB | Author: Warith Al Maawali
License: Proprietary | Website: https://www.digi77.com
File Information
| Property | Value |
|---|---|
| Binary Name | health-control |
| Version | 9.8.4 (build 319) |
| Build Date | REDACTED-BUILD-TIME |
| Rust Version | 1.82.0 |
| File Size | 14.8MB |
| Author | Warith Al Maawali |
| License | Proprietary |
| Category | Kodachi Binary |
| Description | Health control system for Kodachi that includes network connectivity checks and system health monitoring |
| Git Commit | unknown |
| Metadata Generated | 2026-06-28T11:16:38Z |
| Binary Timestamp | Unknown |
| JSON Data | View Raw JSON |
SHA256 Checksum
4d4853a0e15b2533b78c9165aee303676f7e5bb75cf91fc5a5890cb94a787aec
Features
| # | Feature |
|---|---|
| 1 | Network connectivity monitoring |
| 2 | Internet traffic control |
| 3 | Security hardening |
| 4 | System integrity checking |
| 5 | Offline system management |
Security Features
| Feature | Description |
|---|---|
| Authentication | Not provided by cli-core (see online-auth) |
| Encryption | Not provided by cli-core |
| Input Validation | Argument parsing via clap; per-command validation is the consumer's responsibility |
| Rate Limiting | Not provided by cli-core |
System Requirements
| Requirement | Value |
|---|---|
| OS | Linux (Debian-based) |
| Privileges | root/sudo for system operations |
| Dependencies | OpenSSL, libcurl |
Global Options
| Flag | Description |
|---|---|
-h, --help |
Print help information |
-v, --version |
Print version information |
-n, --info |
Display detailed information |
-e, --examples |
Show usage examples |
--json |
Output in JSON format |
-o, --output-format <FORMAT> |
Force output format (text|json) |
--json-pretty |
Pretty-print JSON output with indentation |
--json-human |
Enhanced JSON output with improved formatting (like jq) |
--fields <FIELD_LIST> |
Select specific fields to include in output (comma-separated) |
--limit <NUMBER> |
Limit number of results returned |
--offset <NUMBER> |
Skip first N results (for pagination) |
-d, --work-dir <PATH> |
Working directory (defaults to auto-detected base directory) |
--port <PORT> |
Set custom port number (1024-65535) |
--log-level <LEVEL> |
Set log level (error|warn|info|debug) |
--verbose |
Enable verbose output |
--quiet |
Suppress non-essential output |
--no-color |
Disable colored output |
--config <FILE> |
Use custom configuration file |
--timeout <SECS> |
Set operation timeout in seconds (optional; no default applied) |
--retry <COUNT> |
Retry attempts (optional; no default applied) |
Commands
Data Destruction
wipe-file
Securely wipe a file with multiple passes
Usage:
health-control wipe-file [OPTIONS]
Examples:
sudo health-control wipe-file --file /path/to/file.txt
sudo health-control wipe-file --file /path/to/file.txt --passes 7 --json
wipe-directory
Securely wipe an entire directory and its contents
Usage:
health-control wipe-directory [OPTIONS]
Examples:
sudo health-control wipe-directory --path /tmp/sensitive_dir
sudo health-control wipe-directory --path /path/to/directory --passes 7 --json
wipe-user-dir
Securely wipe a common user directory (downloads, desktop, documents)
Usage:
health-control wipe-user-dir [OPTIONS]
Examples:
sudo health-control wipe-user-dir --target downloads
sudo health-control wipe-user-dir --target desktop
sudo health-control wipe-user-dir --target documents --json
wipe-logs
Securely wipe system logs (journal, syslog, auth.log, kern.log), user history (bash, zsh, python), and application cache logs
Usage:
health-control wipe-logs [OPTIONS]
Examples:
sudo health-control wipe-logs # Wipe all logs (system + user)
sudo health-control wipe-logs --type system # Wipe only system logs (/var/log/*, journal)
sudo health-control wipe-logs --type user # Wipe only user logs (history, cache)
sudo health-control wipe-logs --type all --json # Show detailed JSON output
wipe-batch
Batch wipe multiple files
Usage:
health-control wipe-batch [OPTIONS]
Examples:
sudo # Multiple file paths as arguments:
sudo health-control wipe-batch file1.png file2.png --passes 7
sudo health-control wipe-batch /tmp/sensitive.doc /home/user/data.txt
sudo
sudo # Alternative comma-separated format:
sudo health-control wipe-batch --paths "file1.png,file2.png" --passes 7
sudo health-control wipe-batch --paths "/tmp/file1,/tmp/file2" --json
sudo
sudo ⚠ Security Note: Using actual paths may expose system directory structure
wipe-browser-data
Wipe browser data and history
Usage:
health-control wipe-browser-data [OPTIONS]
Examples:
sudo health-control wipe-browser-data # Wipe all browsers
sudo health-control wipe-browser-data --browser firefox # Firefox only
sudo health-control wipe-browser-data --browser brave # Brave only
sudo health-control wipe-browser-data --browser tor # Tor Browser only
sudo health-control wipe-browser-data --browser all --json
wipe-free-space
Securely wipe free space on a mounted filesystem (use mount points like '/', '/home' or device paths)
Usage:
health-control wipe-free-space [OPTIONS]
Examples:
sudo health-control wipe-free-space --device /
sudo health-control wipe-free-space --device /home
sudo health-control wipe-free-space --device /dev/sda1 --json
sudo health-control wipe-free-space --device /tmp
wipe-pattern
Wipe files matching pattern (use --pattern flag or positional argument)
Usage:
health-control wipe-pattern [OPTIONS]
Examples:
sudo health-control wipe-pattern --pattern '*.tmp'
sudo health-control wipe-pattern '*.tmp'
sudo health-control wipe-pattern --pattern '*.log' --directory /var/log
sudo health-control wipe-pattern '*.log' --directory /var/log
sudo health-control wipe-pattern --pattern 'backup*' --json
sudo health-control wipe-pattern 'backup*' --json
sudo health-control wipe-pattern --pattern '*.cache' --directory ~/.cache
sudo health-control wipe-pattern '*.cache' --directory ~/.cache
wipe-schedule
Schedule automatic data wiping
Usage:
health-control wipe-schedule [OPTIONS]
Examples:
sudo health-control wipe-schedule temp --frequency daily
sudo health-control wipe-schedule logs --frequency weekly
sudo health-control wipe-schedule browser --json
wipe-verify
Verify that a file was wiped properly
Usage:
health-control wipe-verify [OPTIONS]
Examples:
sudo health-control wipe-verify --path /tmp/sensitive.txt
sudo health-control wipe-verify --path /home/user/data.bin --json
Display & Power
conky-enable
Start Conky widget
Usage:
health-control conky-enable [OPTIONS]
Examples:
health-control conky-enable
health-control conky-enable --json
conky-disable
Stop Conky widget
Usage:
health-control conky-disable [OPTIONS]
Examples:
health-control conky-disable
health-control conky-disable --json
conky-status
Check Conky running/installed/boot state
Usage:
health-control conky-status [OPTIONS]
Examples:
health-control conky-status
health-control conky-status --json
conky-boot-enable
Enable Conky on boot (autostart/systemd)
Usage:
health-control conky-boot-enable [OPTIONS]
Examples:
health-control conky-boot-enable
health-control conky-boot-enable --json
conky-boot-disable
Disable Conky on boot
Usage:
health-control conky-boot-disable [OPTIONS]
Examples:
health-control conky-boot-disable
health-control conky-boot-disable --json
screensaver-disable
Disable XFCE screensaver
Usage:
health-control screensaver-disable [OPTIONS]
Examples:
health-control screensaver-disable
health-control screensaver-disable --json
screensaver-enable
Enable XFCE screensaver
Usage:
health-control screensaver-enable [OPTIONS]
Examples:
health-control screensaver-enable
health-control screensaver-enable --json
screensaver-status
Check screensaver status
Usage:
health-control screensaver-status [OPTIONS]
Examples:
health-control screensaver-status
health-control screensaver-status --json
dpms-disable
Disable display power management
Usage:
health-control dpms-disable [OPTIONS]
Examples:
health-control dpms-disable
health-control dpms-disable --json
dpms-enable
Enable display power management
Usage:
health-control dpms-enable [OPTIONS]
Examples:
health-control dpms-enable
health-control dpms-enable --json
dpms-status
Check DPMS and timeout settings
Usage:
health-control dpms-status [OPTIONS]
Examples:
health-control dpms-status
health-control dpms-status --json
lock-screen
Lock the screen
Usage:
health-control lock-screen [OPTIONS]
Examples:
health-control lock-screen
health-control lock-screen --json
session-logout
End XFCE session
Usage:
health-control session-logout [OPTIONS]
Examples:
health-control session-logout
health-control session-logout --json
suspend
Suspend to RAM
Usage:
health-control suspend [OPTIONS]
Examples:
health-control suspend
health-control suspend --json
conky-mask-enable
Mask sensitive info in Conky panels
Usage:
health-control conky-mask-enable [OPTIONS]
Examples:
health-control conky-mask-enable
health-control conky-mask-enable --json
conky-mask-disable
Unmask Conky panels
Usage:
health-control conky-mask-disable [OPTIONS]
Examples:
health-control conky-mask-disable
health-control conky-mask-disable --json
conky-mask-status
Check if Conky privacy masking is active
Usage:
health-control conky-mask-status [OPTIONS]
Examples:
health-control conky-mask-status
health-control conky-mask-status --json
Emergency Operations
kill-switch-arm
Arm the emergency kill switch - sets system to high-alert state for manual activation. NOTE: This prepares the system for rapid response but does NOT actively monitor for threats. It's a preparedness state that allows quick manual activation via kill-switch-activate command.
Usage:
health-control kill-switch-arm [OPTIONS]
Examples:
sudo health-control kill-switch-arm
sudo health-control kill-switch-arm --json
kill-switch-disarm
Disarm the emergency kill switch
Usage:
health-control kill-switch-disarm [OPTIONS]
Examples:
sudo health-control kill-switch-disarm
sudo health-control kill-switch-disarm --json
kill-switch-status
Check if kill switch monitoring is armed/disarmed. Shows armed time, trigger count, and monitoring state. Does NOT activate anything - just displays current status.
Usage:
health-control kill-switch-status [OPTIONS]
Examples:
health-control kill-switch-status
health-control kill-switch-status --json
kill-switch-activate
IMMEDIATELY activate emergency procedures. Unlike 'arm' which monitors, this executes panic mode NOW. Choose level: soft (network+lock), medium (default: +kill processes), hard (+RAM wipe+shutdown)
Usage:
health-control kill-switch-activate [OPTIONS]
Examples:
sudo health-control kill-switch-activate
sudo health-control kill-switch-activate --level hard --force
sudo health-control kill-switch-activate --level soft --json
sudo health-control kill-switch-activate --dry-run --json
panic-soft
IMMEDIATE soft panic mode. Actions: Kill all network connections, clear clipboard, lock screen. NO CONFIRMATION. Reversible by restarting network. Use for quick privacy protection.
Usage:
health-control panic-soft [OPTIONS]
Examples:
sudo health-control panic-soft
sudo health-control panic-soft --json
sudo health-control panic-soft --dry-run
panic-hard
IMMEDIATE hard panic mode with CONFIRMATION. CRITICAL: Kill network, clear clipboard, terminate ALL processes, clear memory, unmount devices, wipe RAM, IMMEDIATE SHUTDOWN. IRREVERSIBLE - system will shutdown!
Usage:
health-control panic-hard [OPTIONS]
Examples:
sudo health-control panic-hard
sudo health-control panic-hard --json
sudo health-control panic-hard --dry-run
panic-medium
IMMEDIATE medium panic mode with CONFIRMATION. Actions: Kill network, clear clipboard, terminate non-essential processes, clear memory, unmount devices, lock screen. Requires manual system restart to fully restore.
Usage:
health-control panic-medium [OPTIONS]
Examples:
sudo health-control panic-medium
sudo health-control panic-medium --json
sudo health-control panic-medium --dry-run
panic-profile
Configure automated emergency response profile that defines system actions during panic mode activation
Usage:
health-control panic-profile [OPTIONS]
Examples:
sudo # Configure light security response (recommended for public wifi):
sudo health-control panic-profile --profile stealth
sudo
sudo # Configure maximum security lockdown (for high-risk situations):
sudo health-control panic-profile --profile paranoid
sudo
sudo # Configure recovery mode (to restore system to safe state):
sudo health-control panic-profile --profile recovery
sudo
sudo # Get JSON output with profile configuration details:
sudo health-control panic-profile --profile paranoid --json
panic-recover
Activate panic recovery mode
Usage:
health-control panic-recover [OPTIONS]
Examples:
sudo health-control panic-recover
sudo health-control panic-recover --json
create-recovery-point
Create system recovery checkpoint
Usage:
health-control create-recovery-point [OPTIONS]
Examples:
sudo health-control create-recovery-point
sudo health-control create-recovery-point --name pre-update
sudo health-control create-recovery-point --json
nuke-execute
Execute emergency data destruction sequence (DANGEROUS - use --dry-run for testing)
Usage:
health-control nuke-execute [--method fast|secure|paranoid] [--dry-run] [--force]
Options:
--method, -m <METHOD>: Wipe method: fast, secure (default), paranoid--dry-run: Test mode - shows actions without executing--force, -f: Skip confirmation prompt (DANGEROUS)
Examples:
health-control nuke-execute --dry-run
health-control nuke-execute --method fast --dry-run
health-control nuke-execute --method paranoid --dry-run --json
nuke-progress
Get current nuke mode execution progress
Usage:
health-control nuke-progress
Examples:
health-control nuke-progress
health-control nuke-progress --json
nuke-storage-detect
Detect storage type (SSD/HDD/NVMe) for a device
Usage:
health-control nuke-storage-detect --device /dev/sda
Options:
--device, -d <DEVICE>: Device path to check
Examples:
health-control nuke-storage-detect --device /dev/sda
health-control nuke-storage-detect -d /dev/nvme0n1 --json
Emergency Shortcuts
emergency-trigger
Execute an emergency plan (dashboard, luks, both). Requires local session token from kodachi-session-helper daemon. Use --dry-run for testing.
Usage:
health-control emergency-trigger --plan <dashboard|luks|both> [--device <dev>] [--silent] [--force] [--dry-run]
Options:
--plan <PLAN>: Emergency plan: dashboard, luks, both--device <DEVICE>: LUKS device path (required for luks/both plans)--dry-run: Log planned actions without executing--silent: Suppress stdout output--force: Skip readiness checks
Examples:
sudo health-control emergency-trigger --plan dashboard --dry-run
sudo health-control emergency-trigger --plan luks --device /dev/sda2 --dry-run
sudo health-control emergency-trigger --plan both --device /dev/sda2 --dry-run --json
emergency-lockdown
Start a delayed countdown that triggers an emergency plan when the timer expires. Persists state for crash recovery. Requires local session token.
Usage:
health-control emergency-lockdown --delay <seconds> [--plan <dashboard|luks|both>] [--device <dev>] [--dry-run]
Options:
--delay <SECONDS>: Countdown delay in seconds--plan <PLAN>: Emergency plan: dashboard (default), luks, both--device <DEVICE>: LUKS device path (required for luks/both plans)--dry-run: Log planned actions without starting timer
Examples:
sudo health-control emergency-lockdown --delay 300 --dry-run
sudo health-control emergency-lockdown --delay 60 --plan luks --device /dev/sda2
sudo health-control emergency-lockdown --delay 120 --plan both --device /dev/sda2 --json
emergency-lockdown-status
Show current emergency lockdown state: active/inactive, remaining seconds, plan. No authentication required (read-only).
Usage:
health-control emergency-lockdown-status [--json]
Examples:
health-control emergency-lockdown-status
health-control emergency-lockdown-status --json
emergency-lockdown-cancel
Cancel an active emergency lockdown countdown. Requires local session token.
Usage:
health-control emergency-lockdown-cancel
Examples:
sudo health-control emergency-lockdown-cancel
sudo health-control emergency-lockdown-cancel --json
Hardware Security
hardware-rng-verify
Verify hardware random number generator status
Usage:
health-control hardware-rng-verify [OPTIONS]
Examples:
sudo health-control hardware-rng-verify
sudo health-control hardware-rng-verify --json
entropy-status
Check system entropy pool status and quality
Usage:
health-control entropy-status [OPTIONS]
Examples:
sudo health-control entropy-status
sudo health-control entropy-status --json
coldboot-defense-enable
Enable cold boot defense mechanisms
Usage:
health-control coldboot-defense-enable [OPTIONS]
Examples:
sudo health-control coldboot-defense-enable
sudo health-control coldboot-defense-enable --json
coldboot-defense-disable
Disable cold boot defense mechanisms
Usage:
health-control coldboot-defense-disable [OPTIONS]
Examples:
sudo health-control coldboot-defense-disable
sudo health-control coldboot-defense-disable --json
sudo health-control coldboot-defense-disable --json-human
coldboot-defense-status
Check cold boot defense mechanisms status
Usage:
health-control coldboot-defense-status [OPTIONS]
Examples:
sudo health-control coldboot-defense-status
sudo health-control coldboot-defense-status --json
boot-integrity-check
Check boot chain integrity and security status
Usage:
health-control boot-integrity-check [OPTIONS]
Examples:
sudo health-control boot-integrity-check
sudo health-control boot-integrity-check --json
Hostname Management
set-default-hostname
Set the default hostname
Usage:
health-control set-default-hostname [OPTIONS]
Examples:
sudo health-control set-default-hostname
sudo health-control set-default-hostname --json
set-random-hostname
Set a random hostname
Usage:
health-control set-random-hostname [OPTIONS]
Examples:
sudo health-control set-random-hostname
sudo health-control set-random-hostname --json
set-custom-hostname
Set a custom hostname
Usage:
health-control set-custom-hostname [OPTIONS]
Examples:
sudo health-control set-custom-hostname --name MyHost
sudo health-control set-custom-hostname --name secure-host --json
Internet Traffic Control
block-internet
Block all internet traffic
Usage:
health-control block-internet [OPTIONS]
Examples:
sudo health-control block-internet
sudo health-control block-internet --method firewall
sudo health-control block-internet --method ufw
sudo health-control block-internet --method iptables
sudo health-control block-internet --method nftables
sudo health-control block-internet --method interfaces
sudo health-control block-internet --method all
sudo health-control block-internet --allow-local
sudo health-control block-internet --method iptables --allow-local
sudo health-control block-internet --method all --allow-local
sudo health-control block-internet --json
unblock-internet
Unblock internet traffic
Usage:
health-control unblock-internet [OPTIONS]
Examples:
sudo health-control unblock-internet
sudo health-control unblock-internet --method firewall
sudo health-control unblock-internet --method ufw
sudo health-control unblock-internet --method iptables
sudo health-control unblock-internet --method nftables
sudo health-control unblock-internet --method interfaces
sudo health-control unblock-internet --method all
sudo health-control unblock-internet --json
block-ping
Block outbound ICMP echo-requests (ping) via iptables and ip6tables
Usage:
health-control block-ping [OPTIONS]
Examples:
sudo health-control block-ping
sudo health-control block-ping --family ipv4
sudo health-control block-ping --family ipv6
sudo health-control block-ping --json
unblock-ping
Unblock outbound ICMP echo-requests (ping) — remove the DROP rules
Usage:
health-control unblock-ping [OPTIONS]
Examples:
sudo health-control unblock-ping
sudo health-control unblock-ping --family ipv4
sudo health-control unblock-ping --family ipv6
sudo health-control unblock-ping --json
internet-status
Check internet blocking status
Usage:
health-control internet-status [OPTIONS]
Examples:
sudo health-control internet-status
sudo health-control internet-status --silent
sudo health-control internet-status --skipnotification
sudo health-control internet-status --skip-notification
sudo health-control internet-status --skipnotifcation
sudo health-control internet-status --json
recover-internet
Recover internet connectivity
Usage:
health-control recover-internet [OPTIONS]
Examples:
sudo health-control recover-internet
sudo health-control recover-internet --check-dns
sudo health-control recover-internet --force
sudo health-control recover-internet --check-dns --force
sudo health-control recover-internet --silent
sudo health-control recover-internet --skipnotification
sudo health-control recover-internet --skip-notification
sudo health-control recover-internet --skipnotifcation
sudo health-control recover-internet --json
fast-recover-internet
Fast internet recovery - bounce interface, restart NetworkManager, renew DHCP
Usage:
health-control fast-recover-internet [OPTIONS]
Examples:
sudo health-control fast-recover-internet
sudo health-control fast-recover-internet --force
sudo health-control fast-recover-internet --force --silent
sudo health-control fast-recover-internet --silent
sudo health-control fast-recover-internet --skipnotification
sudo health-control fast-recover-internet --skip-notification
sudo health-control fast-recover-internet --skipnotifcation
sudo health-control fast-recover-internet --json
kill-network
Emergency network kill switch
Usage:
health-control kill-network [OPTIONS]
Examples:
sudo health-control kill-network
sudo health-control kill-network --json
kill-network-interface
Kill specific network interface
Usage:
health-control kill-network-interface [OPTIONS]
Examples:
sudo health-control kill-network-interface --interface wlan0
sudo health-control kill-network-interface --interface eth0 --json
kill-process
Kill specific process by name or PID
Usage:
health-control kill-process [OPTIONS]
Examples:
sudo health-control kill-process --process firefox
sudo health-control kill-process --process 1234 --json
enable
Enable a watch-guard to monitor system changes and block internet on triggers
Usage:
health-control enable --type watch-guard --watch <TYPE> --method <METHOD>
Options:
--type: Type of watch-guard to enable--watch: What to watch for changes (ip, timezone, interfaces, process)--target: Process name to watch (required for process watch)--method: Blocking method to use when triggered--daemon: Run monitoring as a persistent daemon process--interval: Custom check interval in seconds (1-300)--actions: Comma-separated actions to execute when triggered
Examples:
sudo health-control enable --type watch-guard --watch ip --method nftables
sudo health-control enable --type watch-guard --watch timezone --method iptables
sudo health-control enable --type watch-guard --watch timezone --method iptables --daemon
sudo health-control enable --type watch-guard --watch interfaces --method firewall
sudo health-control enable --type watch-guard --watch process --target tor --method all
sudo health-control enable --type watch-guard --watch process --target firefox --method auto
sudo health-control enable --type watch-guard --watch mac --method nftables --interval 5
sudo health-control enable --type watch-guard --watch hostname --method iptables
sudo health-control enable --type watch-guard --watch vpn --method nftables --interval 3
sudo health-control enable --type watch-guard --watch dns --method firewall
sudo health-control enable --type watch-guard --watch mac --method nftables --actions log_event,randomize_hostname
sudo health-control enable --type watch-guard --watch vpn --method nftables --actions log_event,show_alert,block_network
disable
Disable an active watch-guard and optionally unblock internet
Usage:
health-control disable --type watch-guard <IDENTIFIER>
Options:
--type: Type of command to disable--no-unblock: Do not unblock internet after disabling watch-guard
Examples:
sudo health-control disable --type watch-guard ip
sudo health-control disable --type watch-guard timezone
sudo health-control disable --type watch-guard interfaces
sudo health-control disable --type watch-guard tor
sudo health-control disable --type watch-guard all
sudo health-control disable --type watch-guard all --no-unblock
watch-guard
Show status of active watch-guards
Usage:
health-control watch-guard status
Examples:
sudo health-control watch-guard status
sudo health-control watch-guard status --json
daemon
Run watch-guard monitoring as a persistent daemon process
Usage:
health-control daemon --config-id <ID>
Options:
--config-id: Configuration ID to monitor
Examples:
sudo health-control daemon --config-id timezone_iptables
MAC Address Management
mac-change-all
Change all MAC addresses
Usage:
health-control mac-change-all [OPTIONS]
Examples:
sudo health-control mac-change-all
sudo health-control mac-change-all --json
mac-force-change
Force change all MAC addresses (disable interfaces first)
Usage:
health-control mac-force-change [OPTIONS]
Examples:
sudo health-control mac-force-change
sudo health-control mac-force-change --json
mac-change-specific
Change specific interface MAC address
Usage:
health-control mac-change-specific [OPTIONS]
Examples:
sudo health-control mac-change-specific --interface eth0
sudo health-control mac-change-specific --interface wlan0 --json
mac-show-interfaces
Show available network interfaces
Usage:
health-control mac-show-interfaces [OPTIONS]
Examples:
sudo health-control mac-show-interfaces
sudo health-control mac-show-interfaces --json
mac-show-macs
Show current MAC addresses
Usage:
health-control mac-show-macs [OPTIONS]
Examples:
sudo health-control mac-show-macs
sudo health-control mac-show-macs --json
mac-reset-all
Reset all MAC addresses to default
Usage:
health-control mac-reset-all [OPTIONS]
Examples:
sudo health-control mac-reset-all
sudo health-control mac-reset-all --json
mac-active-interface
Show active network interface
Usage:
health-control mac-active-interface [OPTIONS]
Examples:
sudo health-control mac-active-interface
sudo health-control mac-active-interface --json
Memory Management
memory-clean
Clean memory caches and buffers
Usage:
health-control memory-clean [OPTIONS]
Examples:
sudo health-control memory-clean
sudo health-control memory-clean --json
memory-force-clean
Force clean memory by killing top process
Usage:
health-control memory-force-clean [OPTIONS]
Examples:
sudo health-control memory-force-clean
sudo health-control memory-force-clean --json
memory-wipe
Secure RAM wipe (sdmem)
Usage:
health-control memory-wipe [OPTIONS]
Examples:
sudo health-control memory-wipe
sudo health-control memory-wipe --json
memory-wipe-process
Wipe memory of specific process
Usage:
health-control memory-wipe-process [OPTIONS]
Examples:
sudo health-control memory-wipe-process --value firefox
sudo health-control memory-wipe-process --value 1234 --json
memory-limits
Manage process memory limits
Usage:
health-control memory-limits [OPTIONS]
Examples:
sudo health-control memory-limits
sudo health-control memory-limits --value firefox --limit 1024
sudo health-control memory-limits --value chrome --limit 2048
sudo health-control memory-limits --value brave --limit 1536
sudo health-control memory-limits --json
memory-stats
Display memory statistics and history
Usage:
health-control memory-stats [OPTIONS]
Examples:
sudo health-control memory-stats
sudo health-control memory-stats --history --json
swap-configure
Configure swap settings
Usage:
health-control swap-configure [OPTIONS]
Examples:
sudo health-control swap-configure --swappiness 10 --cache-pressure 50
sudo health-control swap-configure --swappiness 0 --json
disable-swap
Disable swap memory
Usage:
health-control disable-swap [OPTIONS]
Examples:
sudo health-control disable-swap
sudo health-control disable-swap --json
enable-swap
Enable swap memory
Usage:
health-control enable-swap [OPTIONS]
Examples:
sudo health-control enable-swap
sudo health-control enable-swap --size 2048
sudo health-control enable-swap --size 4096
sudo health-control enable-swap --json
Network Connectivity
net-check
Check network connectivity (IP ping, DNS, and HTTP probe)
Usage:
health-control net-check [--timeout <SECONDS>] [--http] [--ip-only|--domain-only|--http-only] [--dns-server <ADDRESS:PORT>]
Options:
--timeout <SECONDS>: Timeout in seconds for each connectivity check--http: Run the extended HTTP-focused check path (IP ping + DNS + HTTP, verbose per-target reporting)--ip-only: Check IP ping only — skip DNS lookups and HTTP probe--domain-only: Check DNS resolution only — skip IP ping and HTTP probe--http-only: Check HTTP reachability only — skip IP ping and DNS lookups (returns HTTP_ONLY_CONNECTIVITY/5 on success)--dns-server <ADDRESS:PORT>: Custom DNS server address (e.g., 127.0.0.1:5353 for Tor DNS)
Examples:
sudo health-control net-check
sudo health-control net-check --json
sudo health-control net-check --timeout 15
sudo health-control net-check --http
sudo health-control net-check --http --json
sudo health-control net-check --ip-only
sudo health-control net-check --domain-only
sudo health-control net-check --http-only
sudo health-control net-check --http-only --json
sudo health-control net-check --domain-only --dns-server 127.0.0.1:5353
net-check-http
Check network connectivity including HTTP
Usage:
health-control net-check-http [OPTIONS]
Examples:
sudo health-control net-check-http
sudo health-control net-check-http --timeout 15
sudo health-control net-check-http --json
list-ips
List IPs used for connectivity testing
Usage:
health-control list-ips [OPTIONS]
Examples:
sudo health-control list-ips
sudo health-control list-ips --json
list-domains
List domains used for connectivity testing
Usage:
health-control list-domains [OPTIONS]
Examples:
sudo health-control list-domains
sudo health-control list-domains --json
Offline Actions
offline-postgresql
Manage PostgreSQL database service
Usage:
health-control offline-postgresql [OPTIONS]
Examples:
sudo health-control offline-postgresql --action disable
sudo health-control offline-postgresql --action enable
sudo health-control offline-postgresql --action check --json
Password Generation
genpass
Generate secure passwords using multiple methods (pass, pwgen, xkcdpass)
Usage:
health-control genpass [OPTIONS]
Examples:
sudo health-control genpass
sudo health-control genpass --method pwgen
sudo health-control genpass --count 10
sudo health-control genpass --method pwgen --count 50
sudo health-control genpass --method xkcdpass --count 20 --json
sudo health-control genpass --length 32 --symbols "@-_!#$"
Security
security-status
Show comprehensive security status
Usage:
health-control security-status [OPTIONS]
Examples:
sudo health-control security-status
sudo health-control security-status --category network
sudo health-control security-status --category all --json
sudo health-control security-status all
sudo health-control security-status network --json
Security Assessment
security-score
Calculate security score and get recommendations
Usage:
health-control security-score [OPTIONS]
Examples:
health-control security-score
health-control security-score --json
security-report
Generate comprehensive security report
Usage:
health-control security-report [OPTIONS]
Examples:
sudo health-control security-report
sudo health-control security-report --format detailed
sudo health-control security-report --format compliance --json
security-profile
Set security profile and thresholds
Usage:
health-control security-profile [OPTIONS]
Examples:
sudo health-control security-profile --value minimal
sudo health-control security-profile --value balanced
sudo health-control security-profile --value paranoid
sudo health-control security-profile --value balanced --json
security-history
View security configuration history
Usage:
health-control security-history [OPTIONS]
Examples:
sudo health-control security-history
sudo health-control security-history --days 30
sudo health-control security-history --json
security-remediate
Auto-remediate security issues
Usage:
health-control security-remediate [OPTIONS]
Examples:
sudo health-control security-remediate
sudo health-control security-remediate --bool true
sudo health-control security-remediate --bool false --json
security-schedule
Schedule security scans (hourly, daily, weekly, monthly, disable)
Usage:
health-control security-schedule [OPTIONS]
Examples:
sudo health-control security-schedule --value daily
sudo health-control security-schedule --value weekly
sudo health-control security-schedule --value disable --json
rootkit-scan-enhanced
Enhanced rootkit scanning with multiple tools
Usage:
health-control rootkit-scan-enhanced [OPTIONS]
Examples:
sudo health-control rootkit-scan-enhanced
sudo health-control rootkit-scan-enhanced --deep
sudo health-control rootkit-scan-enhanced --json
lynis-audit
Run Lynis security audit
Usage:
health-control lynis-audit [OPTIONS]
Examples:
sudo health-control lynis-audit
sudo health-control lynis-audit --value quick
sudo health-control lynis-audit --value pentest --json
lynis-status
Check Lynis installation status
Usage:
health-control lynis-status [OPTIONS]
Examples:
health-control lynis-status
health-control lynis-status --json
clamav-scan
Scan system with ClamAV antivirus
Usage:
health-control clamav-scan [OPTIONS]
Examples:
sudo health-control clamav-scan
sudo health-control clamav-scan --path /home --recursive
sudo health-control clamav-scan --quarantine --json
system-audit
Perform comprehensive system security audit
Usage:
health-control system-audit [OPTIONS]
Examples:
sudo health-control system-audit
sudo health-control system-audit --level comprehensive
sudo health-control system-audit --modules network,filesystem --json
Security Hardening
security-harden
Apply comprehensive security hardening
Usage:
health-control security-harden [OPTIONS]
Examples:
sudo health-control security-harden
sudo health-control security-harden --profile standard
sudo # STANDARD PROFILE (soft) — Nothing breaks, score 5/7
sudo # Applies: Safe kernel sysctls, secure filesystem mounts,
sudo # ASLR=2, symlink/hardlink protection, SYN flood protection,
sudo # auditd monitoring, AppArmor/Firejail detection
sudo # Also normalizes: Reverts any stricter settings left from medium/paranoid
sudo # Safe for: All systems, all browsers, VPN/Tor routing
sudo
sudo health-control security-harden --profile medium
sudo # MEDIUM PROFILE (moderate) — Browsers+internet still work, score 6/7
sudo # Includes Standard, PLUS: hidepid=2 on /proc, hardened_malloc,
sudo # vm.dirty_ratio tuning, file integrity monitoring
sudo # Also normalizes: Reverts paranoid-only settings (namespaces, IP forwarding)
sudo # May affect: LUKS systems (higher memory from hardened_malloc)
sudo
sudo health-control security-harden --profile paranoid
sudo # PARANOID PROFILE (maximum) — Full lockdown, score 7/7
sudo # Includes Medium, PLUS: disable user namespaces, disable IP forwarding,
sudo # MAC spoofing, DNS firewall, LKRG, Tirdad, SMT off, RAM wipe
sudo # WILL BREAK: Browsers, Internet, VPN/Tor routing
sudo # Recover: health-control security-recover
sudo
sudo health-control security-harden --break-monitoring
sudo # Alias for --profile paranoid + makes /sys/class/net root-only
sudo
sudo health-control security-harden --modules kernel,network --json
sudo # Apply only specific modules with JSON output
sudo
sudo # LUKS encryption notice:
sudo # On LUKS systems, medium/paranoid profiles increase memory usage.
sudo # If OOM or browser crashes occur: health-control security-recover
security-verify
Verify if security hardening is properly applied (checks all 7 modules and reports their status)
Usage:
health-control security-verify [OPTIONS]
Examples:
sudo health-control security-verify
sudo # Check status of all 7 security modules against current profile
sudo # Also checks for forbidden leftover settings from higher profiles
sudo # Standard expects: 5/7 modules, no medium/paranoid leftovers
sudo # Medium expects: 6/7 modules, no paranoid leftovers
sudo # Paranoid expects: 7/7 modules configured
sudo
sudo health-control security-verify --profile medium
sudo # Verify against medium profile expectations
sudo
sudo health-control security-verify --profile paranoid
sudo # Verify against paranoid profile expectations
sudo
sudo health-control security-verify --json
sudo # Get detailed JSON output with all verification data + leftover warnings
security-recover
Temporarily revert security hardening (keeps framework enabled for quick re-hardening)
Usage:
health-control security-recover [OPTIONS]
Examples:
sudo # Temporarily revert security hardening (keeps framework ready for re-hardening)
sudo health-control security-recover
sudo
sudo # After recovery, modules show 'ENABLED (needs configuration)'
sudo # This means: Framework is ready but no restrictions are enforced
sudo # Use this when: Troubleshooting issues, planning to re-harden later
sudo
sudo # Recover only specific modules
sudo health-control security-recover --modules network,kernel
sudo
sudo # LUKS systems: If hardening caused OOM kills or browser crashes,
sudo # recovery restores vm.dirty_ratio=20 (default) and re-enables
sudo # user namespaces for browser sandbox compatibility.
sudo
sudo # To re-apply hardening after recovery:
sudo health-control security-harden
security-reset
Completely disable all security modules and framework (permanent removal)
Usage:
health-control security-reset [OPTIONS]
Examples:
sudo # Completely disable all security modules and framework
sudo health-control security-reset
sudo
sudo # After reset, security-verify shows modules as NOT HARDENED
sudo # This means: All applied security hardening has been reverted
sudo # Use this when: You want to permanently remove security hardening
sudo
sudo # Skip confirmation prompt
sudo health-control security-reset --force
sudo
sudo # Warning: After reset, security-harden will need to rebuild framework
monitoring-enable
Enable system monitoring features
Usage:
health-control monitoring-enable [OPTIONS]
Examples:
sudo health-control monitoring-enable
sudo health-control monitoring-enable --modules auditd,lkrg,file-integrity
sudo health-control monitoring-enable --json
monitoring-disable
Disable system monitoring features
Usage:
health-control monitoring-disable [OPTIONS]
Examples:
sudo health-control monitoring-disable
sudo health-control monitoring-disable --modules auditd,lkrg
sudo health-control monitoring-disable --json
monitoring-status
Check system security monitoring status
Usage:
health-control monitoring-status [OPTIONS]
Examples:
sudo health-control monitoring-status
sudo health-control monitoring-status --json
ipv6-disable
Disable IPv6 system-wide
Usage:
health-control ipv6-disable [OPTIONS]
Examples:
sudo health-control ipv6-disable
sudo health-control ipv6-disable --json
ipv6-enable
Enable IPv6 system-wide
Usage:
health-control ipv6-enable [OPTIONS]
Examples:
sudo health-control ipv6-enable
sudo health-control ipv6-enable --json
tirdad-enable
Enable Tirdad TCP ISN randomization
Usage:
health-control tirdad-enable [OPTIONS]
Examples:
sudo health-control tirdad-enable
sudo health-control tirdad-enable --json
tirdad-disable
Disable Tirdad TCP ISN randomization
Usage:
health-control tirdad-disable [OPTIONS]
Examples:
sudo health-control tirdad-disable
sudo health-control tirdad-disable --json
tirdad-status
Check Tirdad TCP ISN randomization status
Usage:
health-control tirdad-status [OPTIONS]
Examples:
health-control tirdad-status
health-control tirdad-status --json
ipv6-status
Check IPv6 status
Usage:
health-control ipv6-status [OPTIONS]
Examples:
health-control ipv6-status
health-control ipv6-status --json
ram-wipe
Enable secure RAM wiping on shutdown
Usage:
health-control ram-wipe [OPTIONS]
Examples:
sudo health-control ram-wipe
sudo health-control ram-wipe --json
wipe-ram-install
Install RAM wipe system (hooks + configuration) - Run this first if not already installed
Usage:
health-control wipe-ram-install [OPTIONS]
Options:
--force: Force installation even if Kicksecure/Whonix RAM wipe detected. WARNING: May conflict with existing systems--policy <MODE>: Initial wipe policy: kodachi-wiper (fast, recommended)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)--time <SECS>: Time budget for shutdown RAM wiping (default: 60s). Recommended: 60-90s desktops, 120-300s servers--passes <NUM>: Number of sdmem overwrite passes 1-9 (default: 3). More passes = more secure but slower. Recommended: 3 balanced, 7+ high-security
Examples:
sudo health-control wipe-ram-install
sudo health-control wipe-ram-install --policy kodachi-wiper
sudo health-control wipe-ram-install --policy sdmem --passes 3
sudo health-control wipe-ram-install --time 120
sudo health-control wipe-ram-install --policy sdmem --passes 5
sudo health-control wipe-ram-install --policy both --time 120 --passes 3
sudo health-control wipe-ram-install --force
sudo health-control wipe-ram-install --json
ram-wipe-status
Show RAM wipe system status - Check this first before installing or configuring
Usage:
health-control ram-wipe-status [OPTIONS]
Examples:
sudo health-control ram-wipe-status
sudo health-control ram-wipe-status --json
wipe-ram-config
Update RAM wipe configuration - Use this to modify settings after installation
Usage:
health-control wipe-ram-config [OPTIONS]
Options:
--policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)--time <SECS>: Set time budget for shutdown RAM wiping. Recommended: 60-90s desktops, 120-300s servers--passes <NUM>: Set number of sdmem passes (1-9). More = secure but slower. Recommended: 3 balanced, 7+ high-security--split <PCT>: Set time split for 'both' mode (10-90). Example: 70 = 70% kodachi-wiper, 30% sdmem. Higher = faster but less secure
Examples:
sudo health-control wipe-ram-config --policy auto
sudo health-control wipe-ram-config --policy kodachi-wiper
sudo health-control wipe-ram-config --time 120
sudo health-control wipe-ram-config --passes 5
sudo health-control wipe-ram-config --split 70
sudo health-control wipe-ram-config --policy both --time 120
sudo health-control wipe-ram-config --policy both --time 90 --passes 3 --split 60
sudo health-control wipe-ram-config --json
ram-wipe-enable
Enable automatic RAM wiping on shutdown
Usage:
health-control ram-wipe-enable [OPTIONS]
Examples:
sudo health-control ram-wipe-enable
sudo health-control ram-wipe-enable --schedule immediate
sudo health-control ram-wipe-enable --schedule delay
sudo health-control ram-wipe-enable --passes 5
sudo health-control ram-wipe-enable --schedule shutdown --passes 3
sudo health-control ram-wipe-enable --json
ram-wipe-disable
Disable automatic RAM wiping
Usage:
health-control ram-wipe-disable [OPTIONS]
Examples:
sudo health-control ram-wipe-disable
sudo health-control ram-wipe-disable --preserve-config
sudo health-control ram-wipe-disable --json
wipe-ram-test
Test RAM wipe operation (dry-run with short time budget) - Run this to verify installation before relying on automatic wipes
Usage:
health-control wipe-ram-test [OPTIONS]
Options:
--policy <MODE>: Test specific wipe policy: kodachi-wiper (fast)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)--time <SECS>: Test time budget in seconds (default: 10). Quick test only - actual shutdown wipe uses configured time budget from wipe-ram-config
Examples:
sudo health-control wipe-ram-test
sudo health-control wipe-ram-test --policy kodachi-wiper
sudo health-control wipe-ram-test --policy sdmem
sudo health-control wipe-ram-test --policy both --time 60
sudo health-control wipe-ram-test --time 30
sudo health-control wipe-ram-test --policy kodachi-wiper --time 20
sudo health-control wipe-ram-test --json
wipe-ram
Execute RAM wipe operation (primarily used by systemd/init shutdown hooks, but can be run manually for testing)
Usage:
health-control wipe-ram [OPTIONS]
Options:
--shutdown-mode: INTERNAL USE - Shutdown-optimized mode for systemd/init hooks. Users should use 'wipe-ram' without this flag--no-console: Disable console output for silent operation (useful in scripts and background tasks)--policy <MODE>: Override wipe policy: kodachi-wiper (fast native wiper for quick shutdowns)|sdmem (secure DoD-standard multi-pass for maximum security)|both (hybrid approach: fast+secure)|auto (intelligent auto-selection based on system capabilities)--time <SECS>: Override time budget in seconds (how long to spend wiping RAM). Higher values = more memory wiped but longer shutdown time
Examples:
sudo health-control wipe-ram
sudo health-control wipe-ram --policy kodachi-wiper
sudo health-control wipe-ram --policy sdmem
sudo health-control wipe-ram --policy both --time 120
sudo health-control wipe-ram --time 120
sudo health-control wipe-ram --no-console
sudo health-control wipe-ram --json
sudo health-control wipe-ram --shutdown-mode
ram-wipe-detect-kicksecure
Detect Kicksecure/Whonix RAM wipe installation
Usage:
health-control ram-wipe-detect-kicksecure
Examples:
sudo health-control ram-wipe-detect-kicksecure
sudo health-control ram-wipe-detect-kicksecure --json
sudo health-control ram-wipe-detect-kicksecure --json-human
ram-wipe-update
Update RAM wipe configuration (alias for wipe-ram-config)
Usage:
health-control ram-wipe-update [OPTIONS]
Options:
--policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)--time <SECS>: Set time budget in seconds--passes <NUM>: Set sdmem passes (1-9)--split <PCT>: Set custom/sdmem split for 'both' mode (10-90)
Examples:
sudo health-control ram-wipe-update --policy auto
sudo health-control ram-wipe-update --policy both --time 150
sudo health-control ram-wipe-update --policy kodachi-wiper
sudo health-control ram-wipe-update --time 120
sudo health-control ram-wipe-update --passes 5
sudo health-control ram-wipe-update --json
disk-encryption-status
Check disk encryption status and security
Usage:
health-control disk-encryption-status [OPTIONS]
Examples:
sudo health-control disk-encryption-status
sudo health-control disk-encryption-status --json
swap-enable
Enable swap partition/file
Usage:
health-control swap-enable [OPTIONS]
Examples:
sudo health-control swap-enable
sudo health-control swap-enable --json
swap-disable
Disable swap partition/file
Usage:
health-control swap-disable [OPTIONS]
Examples:
sudo health-control swap-disable
sudo health-control swap-disable --json
swap-encrypt
Encrypt swap partition/file
Usage:
health-control swap-encrypt [OPTIONS]
Examples:
sudo health-control swap-encrypt
sudo health-control swap-encrypt --json
swap-status
Check swap status and configuration
Usage:
health-control swap-status [OPTIONS]
Examples:
sudo health-control swap-status
sudo health-control swap-status --json
swap-decrypt
Decrypt encrypted swap partition/file
Usage:
health-control swap-decrypt [OPTIONS]
Examples:
sudo health-control swap-decrypt
sudo health-control swap-decrypt --device /dev/sda3
sudo health-control swap-decrypt --json
swap-encrypt-status
Check swap encryption status
Usage:
health-control swap-encrypt-status [OPTIONS]
Examples:
sudo health-control swap-encrypt-status
sudo health-control swap-encrypt-status --json
usb-list
List all USB devices
Usage:
health-control usb-list [OPTIONS]
Examples:
sudo health-control usb-list
sudo health-control usb-list --json
luks-nuke
Manage LUKS nuke passwords
Usage:
health-control luks-nuke [OPTIONS]
Examples:
sudo # AUTOMATED HEADER BACKUP + Nuke Configuration
sudo
sudo # Check nuke password status
sudo health-control luks-nuke --action status
sudo → Shows all LUKS devices and nuke password status
sudo
sudo # Check specific device
sudo health-control luks-nuke --action status --device /dev/sda5
sudo → Shows nuke password status for /dev/sda5 only
sudo
sudo # Configure nuke password (FULLY AUTOMATED)
sudo health-control luks-nuke --action configure --device /dev/sda5
sudo → Backs up LUKS header AUTOMATICALLY to <hooks>/backups/
sudo → Encrypts backup with GPG automatically
sudo → Configures nuke password via cryptsetup-nuke-password
sudo → Verifies everything works
sudo → NO manual cryptsetup commands needed!
sudo
sudo # Configure with CLI password (INSECURE - visible in history)
sudo health-control luks-nuke --action configure --device /dev/sda5 --password nuke123
sudo ⚠️ WARNING: Password visible in shell history!
sudo → Still backs up header automatically
sudo
sudo # Header backup location
sudo # Saved to: <hooks>/backups/header-{device-name}-{timestamp}.img.gpg
sudo # Keep this file SAFE - it's your ONLY recovery option!
sudo
sudo # Remove nuke password
sudo health-control luks-nuke --action remove --device /dev/sda5
sudo → Removes nuke password via cryptsetup-nuke-password
sudo
sudo # MANUAL EMERGENCY EXECUTE (IRREVERSIBLE)
sudo health-control luks-nuke --action execute --device /dev/sda5 --force-execute
sudo → Immediately destroys LUKS key material on selected device.
sudo → Data becomes permanently unrecoverable.
sudo
sudo # ℹ️ FILE-BASED LUKS CONTAINERS SUPPORTED
sudo # Works with both block devices (/dev/*) AND file-based containers
sudo
sudo # Configure nuke for live-boot persistence image (AUTOMATED)
sudo health-control luks-nuke --action configure --device /tmp/persistence
sudo → Backs up header automatically
sudo → Supports file-based LUKS containers created by create-persistence
sudo
sudo # Check nuke status on encrypted persistence file
sudo health-control luks-nuke --action status --device /media/kodachi/persistence
sudo → File must exist and be a valid LUKS container
sudo
sudo # Remove nuke from file-based container
sudo health-control luks-nuke --action remove --device /tmp/encrypted-container.img
sudo → Works identically with files and block devices
sudo
sudo # COMPLETE AUTOMATED WORKFLOW
sudo # Create encrypted persistence with nuke password - ZERO manual steps
sudo
sudo # Step 1: List devices to find USB
sudo health-control list-storage-devices
sudo
sudo # Step 2: Check device safety
sudo health-control usb-safety-check --device /dev/sdc2
sudo
sudo # Step 3: Create encrypted persistence (AUTOMATED)
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted
sudo → Confirms device selection
sudo → Formats automatically
sudo → Creates persistence.conf automatically
sudo → Done!
sudo
sudo # Step 4: Configure nuke password (AUTOMATED)
sudo health-control luks-nuke --action configure --device /dev/sdc2
sudo → Backs up header automatically to <hooks>/backups/
sudo → Configures nuke password automatically
sudo → Verifies everything works
sudo → Done!
sudo
sudo # ✅ ZERO MANUAL COMMANDS!
sudo # ✅ NO manual mounting/unmounting!
sudo # ✅ NO manual backup commands!
sudo # ✅ Everything automated with safety confirmations!
sudo
sudo # EMERGENCY: Restore header if nuke password used accidentally
sudo gpg -d <hooks>/backups/header-sdc2-*.img.gpg | sudo cryptsetup luksHeaderRestore /dev/sdc2
sudo
sudo # List available encrypted header backups
sudo health-control luks-nuke --action list-backups --device /dev/sda1
sudo
sudo # Restore from encrypted backup
sudo health-control luks-nuke --action restore-backup --device /dev/sda1 --backup-file header-sda1-20260304-014630.img.gpg
sudo
sudo # Delete old backup
sudo health-control luks-nuke --action delete-backup --backup-file header-sda1-20260304-014630.img.gpg
sudo ⚠️ USE ONLY IF nuke password was accidentally entered!
sudo
sudo # JSON output for monitoring
sudo health-control luks-nuke --action status --json
luks-detect
Detect valid LUKS devices on the system
Usage:
health-control luks-detect [OPTIONS]
Examples:
sudo health-control luks-detect
sudo health-control luks-detect --all-devices
sudo health-control luks-detect --json
luks-manage
Manage LUKS encrypted devices
Usage:
health-control luks-manage [OPTIONS]
Examples:
sudo health-control luks-manage --action list
sudo health-control luks-manage --action unlock --device /dev/sdb1
sudo health-control luks-manage --action lock --device /dev/sdb1
luks-nuke-advanced
Advanced LUKS nuke configuration (emergency wipe)
Usage:
health-control luks-nuke-advanced [OPTIONS]
Examples:
sudo health-control luks-nuke-advanced --device /dev/sdb1 --password EMERGENCY
sudo health-control luks-nuke-advanced --device /dev/sda2 --json
luks-remove
Remove LUKS encryption from device
Usage:
health-control luks-remove [OPTIONS]
Examples:
sudo health-control luks-remove /dev/sdb1
sudo health-control luks-remove /dev/sdb1 --force
luks-manage-advanced
Advanced LUKS device management
Usage:
health-control luks-manage-advanced [OPTIONS]
Examples:
sudo health-control luks-manage-advanced --action backup-header --device /dev/sdb1 --backup-file /tmp/header.backup
sudo health-control luks-manage-advanced --action restore-header --device /dev/sdb1 --backup-file /tmp/header.backup
sudo health-control luks-manage-advanced --action add-key --device /dev/sdb1 --key-file /tmp/newkey
create-persistence
Create Debian live-boot persistence media
Usage:
health-control create-persistence [OPTIONS]
Examples:
sudo health-control create-persistence
sudo health-control create-persistence --size 8
sudo health-control create-persistence --encrypted
sudo health-control create-persistence --encrypted --size 8
sudo health-control create-persistence --encrypted --password 'MySecurePass123'
sudo health-control create-persistence --size 4 --output /tmp/persistence --json
create-persistence-other-os
Create persistence for other Linux distributions (Kali, Parrot, Tails)
Usage:
health-control create-persistence-other-os [OPTIONS]
Examples:
sudo # FULLY AUTOMATED - No manual mounting needed!
sudo
sudo # RECOMMENDED: List devices first to see what's safe
sudo health-control list-storage-devices
sudo → Shows which devices are SAFE vs DANGEROUS
sudo
sudo # Check if your device is safe
sudo health-control usb-safety-check --device /dev/sdc2
sudo → Verifies device before formatting
sudo
sudo # Unencrypted persistence for Kali Linux (AUTOMATED)
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali
sudo → Confirms device selection
sudo → Formats partition automatically
sudo → Creates persistence.conf automatically
sudo → Ready to use - NO manual mounting!
sudo
sudo # Encrypted persistence for Parrot OS (FULLY AUTOMATED)
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type parrot --encrypted
sudo → Password prompted securely (not visible in history)
sudo → Confirms device selection
sudo → Encrypts partition automatically
sudo → Mounts, configures, unmounts automatically
sudo → Everything automated with safety confirmations!
sudo
sudo # Encrypted persistence for Tails with CLI password (INSECURE)
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type tails --encrypted --password 'MyPass123'
sudo ⚠️ WARNING: Password visible in shell history!
sudo
sudo # Complete safe workflow (AUTOMATED)
sudo health-control list-storage-devices && \
sudo health-control usb-safety-check --device /dev/sdc2 && \
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted
sudo → Entire workflow automated - just type YES when prompted!
sudo
sudo # With JSON output
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --encrypted --json
encryption-status
Check storage encryption status
Usage:
health-control encryption-status [OPTIONS]
Examples:
sudo # Check overall system encryption status
sudo health-control encryption-status
sudo → Shows: LUKS devices, encrypted filesystems, swap encryption
sudo → Shows: Home directory encryption, full disk encryption status
sudo → Reports: Encryption count summary (X/Y devices encrypted)
sudo → Lists: Active encrypted containers and their mount points
sudo
sudo # Typical output includes:
sudo # - LUKS devices: /dev/sda5 (/, 120 GB), /dev/sdb1 (backup, 500 GB)
sudo # - Encrypted swap: Yes (dm-crypt)
sudo # - Home encryption: Yes (LUKS)
sudo # - Full disk encryption: Yes (all partitions encrypted)
sudo # - Encryption strength: AES-256-XTS
sudo
sudo # JSON output for monitoring/scripting
sudo health-control encryption-status --json
sudo → Structured data: luks_devices[], encrypted_filesystems[]
sudo → Boolean flags: home_encryption, swap_encrypted, full_disk_encryption
sudo → Device details: cipher, key_size, device_path, mount_point, size
sudo → Use in monitoring scripts for encryption compliance
container-create
Create encrypted container
Usage:
health-control container-create [OPTIONS]
Examples:
sudo # Create encrypted container (default: ext4, 1GB)
sudo health-control container-create --path /tmp/secure.img
sudo → Size: 1024 MB (default)
sudo → Filesystem: ext4 (default)
sudo → Creates sparse file (doesn't use full size immediately)
sudo → Ready to mount and use
sudo
sudo # Create large LUKS encrypted container
sudo health-control container-create --path /secure/data.img --size 5000 --fs-type luks
sudo → Size: 5000 MB (5 GB)
sudo → Prompts for strong password (8+ chars recommended)
sudo → Uses cryptsetup for LUKS2 format
sudo → Hardware crypto acceleration if available
sudo
sudo # Create VeraCrypt compatible container
sudo health-control container-create --path /backup/portable.img --size 2048 --fs-type veracrypt
sudo → Cross-platform compatibility (Windows, Mac, Linux)
sudo → Can be opened with VeraCrypt GUI
sudo → Good for external backup drives
sudo
sudo # Filesystem types explained:
sudo # --fs-type ext4:
sudo # - Standard Linux filesystem (fastest)
sudo # - No encryption by default
sudo # - Best for temporary/non-sensitive data
sudo
sudo # --fs-type luks:
sudo # - LUKS2 encrypted container (RECOMMENDED for sensitive data)
sudo # - AES-256-XTS encryption
sudo # - Linux native, best performance
sudo # - Requires password to mount
sudo
sudo # --fs-type veracrypt:
sudo # - VeraCrypt compatible (cross-platform)
sudo # - Works on Windows, Mac, Linux
sudo # - Slightly slower than LUKS
sudo # - Good for portability
sudo
sudo # Size guidelines:
sudo # Small (100-500 MB): Documents, passwords, keys
sudo # Medium (500-2000 MB): Photos, code projects
sudo # Large (2000-10000 MB): Videos, backups, archives
sudo # Very Large (10000+ MB): Full system backups
container-mount
Mount encrypted container
Usage:
health-control container-mount [OPTIONS]
Examples:
sudo # Mount encrypted container (password prompted securely)
sudo health-control container-mount --container /path/to/secure.img --mount-point /mnt/secure
sudo → Prompts for LUKS password (not visible, not logged)
sudo → Creates /mnt/secure automatically if it doesn't exist
sudo → Opens LUKS device with cryptsetup
sudo → Mounts to /mnt/secure/ - ready to use
sudo
sudo # Complete workflow: create → mount → use → unmount
sudo
sudo # Step 1: Create encrypted container
sudo health-control container-create --path /tmp/data.img --size 500 --fs-type luks
sudo
sudo # Step 2: Mount container
sudo health-control container-mount --container /tmp/data.img --mount-point /mnt/data
sudo # Enter password when prompted
sudo
sudo # Step 3: Use the container (copy files, edit, etc.)
sudo cp -r /sensitive/documents /mnt/data/
sudo echo 'secret data' > /mnt/data/confidential.txt
sudo
sudo # Step 4: Unmount when done
sudo health-control container-unmount --mount-point /mnt/data
sudo
sudo # ✅ Complete encrypted container lifecycle!
sudo # ✅ Data encrypted at rest, decrypted only when mounted
sudo # ✅ Mount point automatically created and cleaned up
container-unmount
Unmount encrypted container
Usage:
health-control container-unmount [OPTIONS]
Examples:
sudo # Safely unmount encrypted container
sudo health-control container-unmount --mount-point /mnt/secure
sudo → Unmounts filesystem from /mnt/secure
sudo → Closes LUKS mapper device automatically
sudo → Cleans up mount point (removes directory)
sudo → ⚠️ Close all files in /mnt/secure BEFORE unmounting!
sudo
sudo # Check if anything is using the mount before unmounting
sudo lsof +D /mnt/secure # List open files in mount point
sudo # If files are open, close them first, then:
sudo health-control container-unmount --mount-point /mnt/secure
sudo
sudo # Error handling: If unmount fails due to busy device
sudo # 1. Check for open files:
sudo lsof +D /mnt/secure
sudo # 2. Kill processes using the mount:
sudo fuser -km /mnt/secure # Kill processes (use with caution!)
sudo # 3. Try unmounting again:
sudo health-control container-unmount --mount-point /mnt/secure
sudo
sudo # Safe workflow: Always unmount before system shutdown
sudo # 1. Copy files out of container
sudo # 2. Close all applications accessing the mount
sudo # 3. Unmount container
sudo # 4. Container is now encrypted and safe to store/transport
Security Tools
rootkit-scan
Quick rootkit scan (fast, essential checks)
Usage:
health-control rootkit-scan [OPTIONS]
Examples:
sudo health-control rootkit-scan
sudo health-control rootkit-scan --json
kloak-status
Check Kloak keyboard anonymization status
Usage:
health-control kloak-status [OPTIONS]
Examples:
health-control kloak-status
health-control kloak-status --json
kloak-enable
Enable Kloak keyboard anonymization
Usage:
health-control kloak-enable [OPTIONS]
Examples:
sudo health-control kloak-enable
sudo health-control kloak-enable --json
kloak-disable
Disable Kloak keyboard anonymization
Usage:
health-control kloak-disable [OPTIONS]
Examples:
sudo health-control kloak-disable
sudo health-control kloak-disable --json
kloak-configure
Configure Kloak keystroke anonymization settings
Usage:
health-control kloak-configure [OPTIONS]
Examples:
sudo health-control kloak-configure --delay 100
sudo health-control kloak-configure --mode aggressive --jitter 50
sudo health-control kloak-configure --json
kloak-event-mode
Set Kloak event processing mode
Usage:
health-control kloak-event-mode [OPTIONS]
Examples:
sudo health-control kloak-event-mode --mode raw
sudo health-control kloak-event-mode --mode filtered
sudo health-control kloak-event-mode --mode adaptive --json
kloak-stats
Show Kloak keystroke anonymization statistics
Usage:
health-control kloak-stats [OPTIONS]
Examples:
health-control kloak-stats
health-control kloak-stats --reset
health-control kloak-stats --json
aide-update
Update AIDE database after legitimate changes
Usage:
health-control aide-update [OPTIONS]
Examples:
sudo health-control aide-update
sudo health-control aide-update --accept-changes
sudo health-control aide-update --json
aide-check
Check file integrity with AIDE
Usage:
health-control aide-check [OPTIONS]
Examples:
sudo health-control aide-check
sudo health-control aide-check --json
aide-init
Initialize AIDE database for file integrity monitoring
Usage:
health-control aide-init [OPTIONS]
Examples:
sudo health-control aide-init
sudo health-control aide-init --config ./aide.conf
sudo health-control aide-init --timeout 7200
sudo health-control aide-init --background
sudo health-control aide-init --json
aide-reinit
Reinitialize AIDE database (reset baseline)
Usage:
health-control aide-reinit [OPTIONS]
Examples:
sudo health-control aide-reinit
sudo health-control aide-reinit --force
sudo health-control aide-reinit --json
aide-scan-dir
Scan specific directory with AIDE
Usage:
health-control aide-scan-dir [OPTIONS]
Examples:
sudo health-control aide-scan-dir ./config
sudo health-control aide-scan-dir /usr/bin --recursive
sudo health-control aide-scan-dir /home --json
Storage & USB Security
list-storage-devices
List all storage devices with safety information for persistence operations
Usage:
health-control list-storage-devices [OPTIONS]
Examples:
sudo # List all storage devices with safety indicators
sudo health-control list-storage-devices
sudo → Shows which devices are safe (USB) vs dangerous (system)
sudo
sudo # Include all devices (loop, ram, etc)
sudo health-control list-storage-devices --all
sudo
sudo # JSON output for scripting
sudo health-control list-storage-devices --json
sudo
sudo # Before creating persistence (recommended workflow)
sudo health-control list-storage-devices && \
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali
usb-safety-check
Check if a device is safe for persistence/formatting operations
Usage:
health-control usb-safety-check [OPTIONS]
Examples:
sudo # Check if device is safe for persistence
sudo health-control usb-safety-check --device /dev/sdc2
sudo → Returns: SAFE, CAUTION, or DANGER with details
sudo
sudo # Check system drive (will warn)
sudo health-control usb-safety-check --device /dev/sda1
sudo → Shows why device is dangerous (system drive)
sudo
sudo # JSON output for scripting
sudo health-control usb-safety-check --device /dev/sdc2 --json
Storage Security
storage-wipe
Securely wipe storage devices and free space
Usage:
health-control storage-wipe [OPTIONS]
Examples:
sudo health-control storage-wipe --free-space
sudo health-control storage-wipe --device /dev/sdb --json
sudo health-control storage-wipe --device /dev/sdb --allow-root-device --json
storage-encrypt
Encrypt a storage device
Usage:
health-control storage-encrypt [OPTIONS]
Examples:
sudo health-control storage-encrypt --device /dev/sdb1
sudo health-control storage-encrypt --device /dev/sdc --json
encryption-tune
Optimize encryption performance and security settings
Usage:
health-control encryption-tune [OPTIONS]
Examples:
sudo # Understanding encryption performance profiles
sudo
sudo # Benchmark all ciphers and show recommendations (dry-run, no changes)
sudo health-control encryption-tune --profile performance --benchmark
sudo → Benchmarks all available ciphers
sudo → Recommends fastest cipher for your hardware
sudo → Shows throughput in MB/s
sudo → No changes applied (dry-run mode)
sudo
sudo # Apply performance optimizations
sudo health-control encryption-tune --profile performance --apply
sudo → Sets: aes-xts-plain64 cipher, 256-bit key
sudo → Optimizes: I/O scheduler (deadline), queue depth (256)
sudo → Enables hardware crypto acceleration
sudo → May require reboot for full effect
sudo
sudo # Security-focused tuning (paranoid mode)
sudo health-control encryption-tune --profile security --iter-time 5000 --apply
sudo → Maximizes key derivation time (slower unlock, more secure)
sudo → Uses strongest available cipher
sudo → 5000ms iteration time (vs 2000ms default)
sudo → Recommended for high-security environments
sudo
sudo # Balanced profile (default)
sudo health-control encryption-tune --profile balanced
sudo → Good balance between performance and security
sudo → aes-xts-plain64 with 256-bit key
sudo → Standard iteration time (2000ms)
sudo → Shows recommendations without applying (add --apply to implement)
sudo
sudo # Device-specific tuning for external drive
sudo health-control encryption-tune --device /dev/sdb1 --cipher aes-xts-plain64 --key-size 512
sudo → Applies settings to specific device only
sudo → 512-bit key for maximum security
sudo → Requires unlocking and reformatting (data loss!)
sudo
sudo # Check current tuning status
sudo health-control encryption-tune
sudo → Shows current encryption settings
sudo → Shows cipher, key size, iteration time
sudo → No changes made (default dry-run)
sudo
sudo # JSON output for scripting
sudo health-control encryption-tune --json
sudo → Structured output with recommendations
sudo → Cipher benchmarks and current settings
System Control
get-hostname
Get the current hostname
Usage:
health-control get-hostname
Examples:
health-control get-hostname
health-control get-hostname --json
change-hostname
Change hostname (prompts for new hostname)
Usage:
health-control change-hostname [OPTIONS]
Examples:
sudo health-control change-hostname
sudo health-control change-hostname new-hostname
sudo health-control change-hostname --json
list-hostnames
List available hostnames by category
Usage:
health-control list-hostnames [OPTIONS]
Examples:
health-control list-hostnames
health-control list-hostnames --category all
health-control list-hostnames --category windows
health-control list-hostnames --category linux
health-control list-hostnames --category apple
health-control list-hostnames --category network
health-control list-hostnames --category mobile
health-control list-hostnames --category iot
health-control list-hostnames --category gaming
health-control list-hostnames --category fiction
health-control list-hostnames --json
set-random-hostname-category
Set a random hostname from a specific category
Usage:
health-control set-random-hostname-category [OPTIONS]
Examples:
sudo health-control set-random-hostname-category
sudo health-control set-random-hostname-category --category windows
sudo health-control set-random-hostname-category --category linux
sudo health-control set-random-hostname-category --category apple
sudo health-control set-random-hostname-category --category network
sudo health-control set-random-hostname-category --category fiction --json
get-logged-user
Get the actual logged-in user (handles sudo correctly)
Usage:
health-control get-logged-user [OPTIONS]
Examples:
health-control get-logged-user
health-control get-logged-user --json
sudo health-control get-logged-user
sudo health-control get-logged-user --json-pretty
show-timezone
Show current system timezone
Usage:
health-control show-timezone [OPTIONS]
Examples:
health-control show-timezone
health-control show-timezone --json
sync-timezone
Sync timezone based on IP geolocation
Usage:
health-control sync-timezone [OPTIONS]
Examples:
sudo health-control sync-timezone
sudo health-control sync-timezone --json
show-remote-timezone
Show timezone based on current IP location
Usage:
health-control show-remote-timezone [OPTIONS]
Examples:
health-control show-remote-timezone
health-control show-remote-timezone --json
set-timezone
Set system timezone
Usage:
health-control set-timezone [OPTIONS]
Examples:
sudo health-control set-timezone --timezone America/New_York
sudo health-control set-timezone --timezone Europe/London
sudo health-control set-timezone --timezone Asia/Tokyo --json
sudo health-control set-timezone --value America/Chicago
list-timezones
List available timezones by category
Usage:
health-control list-timezones [OPTIONS]
Examples:
health-control list-timezones
health-control list-timezones --category all
health-control list-timezones --category africa
health-control list-timezones --category americas
health-control list-timezones --category asia
health-control list-timezones --category europe
health-control list-timezones --category australia
health-control list-timezones --category pacific
health-control list-timezones --category utc
health-control list-timezones --json
set-random-timezone
Set a random timezone from a specific category
Usage:
health-control set-random-timezone [OPTIONS]
Examples:
sudo health-control set-random-timezone
sudo health-control set-random-timezone --category americas
sudo health-control set-random-timezone --category europe
sudo health-control set-random-timezone --category asia
sudo health-control set-random-timezone --category africa
sudo health-control set-random-timezone --category pacific --json
play-sound
Play notification sound
Usage:
health-control play-sound [OPTIONS]
Examples:
sudo health-control play-sound
sudo health-control play-sound --sound alert
sudo health-control play-sound success
sudo health-control play-sound warning -m mp3
sudo health-control play-sound alert --debug
notify
Send desktop notification
Usage:
health-control notify [OPTIONS]
Examples:
health-control notify --message "Security check complete"
health-control notify --message "Hello from Kodachi"
health-control notify --message "Alert" --body "VPN connected"
health-control notify --message "Warning" --urgency critical --duration 30
health-control notify --message "Update" --notify-icon "/path/to/icon.png"
System Information
offline-info-system
Display comprehensive system information
Usage:
health-control offline-info-system [OPTIONS]
Examples:
sudo health-control offline-info-system
sudo health-control offline-info-system --json
offline-info-hardware
Display hardware information
Usage:
health-control offline-info-hardware [OPTIONS]
Examples:
sudo health-control offline-info-hardware
sudo health-control offline-info-hardware --json
offline-info-process
Display process information
Usage:
health-control offline-info-process [OPTIONS]
Examples:
sudo health-control offline-info-process
sudo health-control offline-info-process --json
offline-info-security
Display security and encryption status
Usage:
health-control offline-info-security [OPTIONS]
Examples:
sudo health-control offline-info-security
sudo health-control offline-info-security --json
offline-info-network
Display network information
Usage:
health-control offline-info-network [OPTIONS]
Examples:
sudo health-control offline-info-network
sudo health-control offline-info-network --json
offline-info-user
Display user information
Usage:
health-control offline-info-user [OPTIONS]
Examples:
sudo health-control offline-info-user
sudo health-control offline-info-user --json
offline-info-storage
Display storage information
Usage:
health-control offline-info-storage [OPTIONS]
Examples:
sudo health-control offline-info-storage
sudo health-control offline-info-storage --json
offline-info-services
Display system services information
Usage:
health-control offline-info-services [OPTIONS]
Examples:
sudo health-control offline-info-services
sudo health-control offline-info-services --json
offline-info-all
Display all system information
Usage:
health-control offline-info-all [OPTIONS]
Examples:
sudo health-control offline-info-all
sudo health-control offline-info-all --json
ping
Ping a random privacy-respecting target and return latency
Usage:
health-control ping [OPTIONS]
Examples:
health-control ping
health-control ping --json
process-age
Get process uptime for VPN or Tor
Usage:
health-control process-age [OPTIONS]
Examples:
health-control process-age --process vpn
health-control process-age --process tor
health-control process-age --process vpn --json
health-control process-age --process tor --json
System Information & Offline Actions
offline-bluetooth
Enable/disable/check Bluetooth service
Usage:
health-control offline-bluetooth [OPTIONS]
Examples:
sudo health-control offline-bluetooth --action disable
sudo health-control offline-bluetooth --action enable
sudo health-control offline-bluetooth --action check --json
offline-wifi
Manage WiFi connectivity
Usage:
health-control offline-wifi [OPTIONS]
Examples:
sudo health-control offline-wifi --action disable
sudo health-control offline-wifi --action enable
sudo health-control offline-wifi --action check --json
offline-usb-storage
Manage USB storage devices
Usage:
health-control offline-usb-storage [OPTIONS]
Examples:
sudo health-control offline-usb-storage --action disable
sudo health-control offline-usb-storage --action enable
sudo health-control offline-usb-storage --action check --json
offline-webcam
Manage webcam device
Usage:
health-control offline-webcam [OPTIONS]
Examples:
sudo health-control offline-webcam --action disable
sudo health-control offline-webcam --action enable
sudo health-control offline-webcam --action check --json
offline-microphone
Manage microphone device
Usage:
health-control offline-microphone [OPTIONS]
Examples:
sudo health-control offline-microphone --action disable
sudo health-control offline-microphone --action enable
sudo health-control offline-microphone --action check --json
offline-systemlogs
Manage system logging
Usage:
health-control offline-systemlogs [OPTIONS]
Examples:
sudo health-control offline-systemlogs --action disable
sudo health-control offline-systemlogs --action enable
sudo health-control offline-systemlogs --action check --json
offline-cups
Manage CUPS printing service
Usage:
health-control offline-cups [OPTIONS]
Examples:
sudo health-control offline-cups --action disable # Disable printer service (CUPS)
sudo health-control offline-cups --action enable # Enable printer service (CUPS)
sudo health-control offline-cups --action check --json
offline-networkmanager
Manage NetworkManager service
Usage:
health-control offline-networkmanager [OPTIONS]
Examples:
sudo health-control offline-networkmanager --action disable
sudo health-control offline-networkmanager --action enable
sudo health-control offline-networkmanager --action check --json
offline-numlock
Manage NumLock configuration
Usage:
health-control offline-numlock [OPTIONS]
Examples:
sudo health-control offline-numlock --action enable
sudo health-control offline-numlock --action disable
sudo health-control offline-numlock --action check --json
offline-cmdhistory
Manage command history
Usage:
health-control offline-cmdhistory [OPTIONS]
Examples:
sudo health-control offline-cmdhistory --action disable
sudo health-control offline-cmdhistory --action enable
sudo health-control offline-cmdhistory --action check --json
offline-autologin
Enable/disable/check auto-login functionality
Usage:
health-control offline-autologin [OPTIONS]
Examples:
sudo health-control offline-autologin --action disable
sudo health-control offline-autologin --action enable
sudo health-control offline-autologin --action check --json
offline-screen-lock
Manage screen locking
Usage:
health-control offline-screen-lock [OPTIONS]
Examples:
sudo health-control offline-screen-lock --action enable
sudo health-control offline-screen-lock --action disable
sudo health-control offline-screen-lock --action check --json
offline-fdlimit
Enable/disable/check file descriptor limits
Usage:
health-control offline-fdlimit [OPTIONS]
Examples:
sudo health-control offline-fdlimit --action enable --soft-limit 1024 --hard-limit 4096
sudo health-control offline-fdlimit --action disable
sudo health-control offline-fdlimit --action check --json
offline-netoptimize
Enable/disable/check network optimization
Usage:
health-control offline-netoptimize [OPTIONS]
Examples:
sudo health-control offline-netoptimize --action enable
sudo health-control offline-netoptimize --action disable
sudo health-control offline-netoptimize --action check --json
offline-bbr
Enable/disable/check BBR congestion control
Usage:
health-control offline-bbr [OPTIONS]
Examples:
sudo health-control offline-bbr --action enable
sudo health-control offline-bbr --action disable
sudo health-control offline-bbr --action check --json
offline-ifspeed
Enable/disable/check interface speed optimization
Usage:
health-control offline-ifspeed [OPTIONS]
Examples:
sudo health-control offline-ifspeed --action enable --interface eth0 --speed 1000
sudo health-control offline-ifspeed --action disable
sudo health-control offline-ifspeed --action check --json
sudo health-control offline-ifspeed --action enable --interface wlan0
offline-avahi
Manage Avahi daemon service
Usage:
health-control offline-avahi [OPTIONS]
Examples:
sudo health-control offline-avahi --action disable
sudo health-control offline-avahi --action enable
sudo health-control offline-avahi --action check --json
offline-modem-manager
Manage ModemManager service
Usage:
health-control offline-modem-manager [OPTIONS]
Examples:
sudo health-control offline-modem-manager --action disable
sudo health-control offline-modem-manager --action enable
sudo health-control offline-modem-manager --action check --json
offline-ssh
Manage SSH daemon service
Usage:
health-control offline-ssh [OPTIONS]
Examples:
sudo health-control offline-ssh --action disable
sudo health-control offline-ssh --action enable
sudo health-control offline-ssh --action check --json
offline-apache
Manage Apache web server service
Usage:
health-control offline-apache [OPTIONS]
Examples:
sudo health-control offline-apache --action disable
sudo health-control offline-apache --action enable
sudo health-control offline-apache --action check --json
offline-nginx
Manage Nginx web server service
Usage:
health-control offline-nginx [OPTIONS]
Examples:
sudo health-control offline-nginx --action disable
sudo health-control offline-nginx --action enable
sudo health-control offline-nginx --action check --json
offline-docker
Manage Docker container service
Usage:
health-control offline-docker [OPTIONS]
Examples:
sudo health-control offline-docker --action disable
sudo health-control offline-docker --action enable
sudo health-control offline-docker --action check --json
offline-mysql
Manage MySQL database service
Usage:
health-control offline-mysql [OPTIONS]
Examples:
sudo health-control offline-mysql --action disable
sudo health-control offline-mysql --action enable
sudo health-control offline-mysql --action check --json
System Maintenance
auto-updates-enable
Enable automatic security updates
Usage:
health-control auto-updates-enable [OPTIONS]
Examples:
sudo health-control auto-updates-enable
sudo health-control auto-updates-enable --json
auto-updates-disable
Disable automatic security updates
Usage:
health-control auto-updates-disable [OPTIONS]
Examples:
sudo health-control auto-updates-disable
sudo health-control auto-updates-disable --json
auto-updates-status
Check automatic updates status
Usage:
health-control auto-updates-status [OPTIONS]
Examples:
sudo health-control auto-updates-status
sudo health-control auto-updates-status --json
system-maintenance-enable
Enable system maintenance settings
Usage:
health-control system-maintenance-enable [OPTIONS]
Examples:
health-control system-maintenance-enable
health-control system-maintenance-enable --json
system-maintenance-disable
Disable system maintenance settings
Usage:
health-control system-maintenance-disable [OPTIONS]
Examples:
health-control system-maintenance-disable
health-control system-maintenance-disable --json
system-maintenance-status
Check system maintenance status
Usage:
health-control system-maintenance-status [OPTIONS]
Examples:
health-control system-maintenance-status
health-control system-maintenance-status --json
password-policy-enable
Enable password policy enforcement
Usage:
health-control password-policy-enable [OPTIONS]
Examples:
sudo health-control password-policy-enable
sudo health-control password-policy-enable --json
password-policy-disable
Disable password policy enforcement
Usage:
health-control password-policy-disable [OPTIONS]
Examples:
sudo health-control password-policy-disable
sudo health-control password-policy-disable --json
password-policy-status
Check password policy status
Usage:
health-control password-policy-status [OPTIONS]
Examples:
sudo health-control password-policy-status
sudo health-control password-policy-status --json
user-security-enable
Enable user security hardening
Usage:
health-control user-security-enable [OPTIONS]
Examples:
sudo health-control user-security-enable
sudo health-control user-security-enable --json
user-security-disable
Disable user security hardening
Usage:
health-control user-security-disable [OPTIONS]
Examples:
sudo health-control user-security-disable
sudo health-control user-security-disable --json
user-security-status
Check user security status
Usage:
health-control user-security-status [OPTIONS]
Examples:
sudo health-control user-security-status
sudo health-control user-security-status --json
2fa-enable
Enable two-factor authentication
Usage:
health-control 2fa-enable [OPTIONS]
Examples:
# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!
# Works reliably for: SSH, sudo | Unreliable for: XFCE login, lock screen
health-control 2fa-enable
health-control 2fa-enable --value $(whoami) --json
⚠ Security Note: Using $(whoami) exposes current username in command history
2fa-disable
Disable two-factor authentication
Usage:
health-control 2fa-disable [OPTIONS]
Examples:
# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!
health-control 2fa-disable
health-control 2fa-disable --json
2fa-status
Check two-factor authentication status
Usage:
health-control 2fa-status [OPTIONS]
Examples:
# ⚠️ WARNING: 2FA has known bugs with XFCE/LightDM login!
# Works reliably for: SSH, sudo | Unreliable for: XFCE login, lock screen
health-control 2fa-status
health-control 2fa-status --json
check-and-install
Check and install required packages
Usage:
health-control check-and-install [OPTIONS]
Examples:
sudo health-control check-and-install tor openvpn
sudo health-control check-and-install rkhunter chkrootkit --json
check-and-install-do
Execute installation after checking dependencies
Usage:
health-control check-and-install-do [OPTIONS]
Examples:
sudo health-control check-and-install-do
sudo health-control check-and-install-do --json
package-cleanup
Clean up unnecessary packages
Usage:
health-control package-cleanup [OPTIONS]
Examples:
health-control package-cleanup
health-control package-cleanup --json
clear-cache
Clear system memory caches
Usage:
health-control clear-cache [OPTIONS]
Examples:
sudo health-control clear-cache
sudo health-control clear-cache --level 1
sudo health-control clear-cache --level 2
sudo health-control clear-cache --level 3
sudo health-control clear-cache --json
System Recovery
fix-sudo
Fix broken sudo permissions (uses pkexec/su, no sudo required)
Usage:
health-control fix-sudo [OPTIONS]
Examples:
sudo health-control fix-sudo
sudo health-control fix-sudo --json
sudo # This command tries pkexec first, then su -c, to fix sudo without sudo
check-sudo
Check sudo installation status and permissions
Usage:
health-control check-sudo [OPTIONS]
Examples:
sudo health-control check-sudo
sudo health-control check-sudo --json
USB Security
usb-status
Check USB Guard protection status
Usage:
health-control usb-status [OPTIONS]
Examples:
sudo health-control usb-status
sudo health-control usb-status --json
usb-guard-enable
Enable USB Guard protection
Usage:
health-control usb-guard-enable [OPTIONS]
Examples:
sudo health-control usb-guard-enable
sudo health-control usb-guard-enable --json
usb-guard-disable
Disable USB Guard protection
Usage:
health-control usb-guard-disable [OPTIONS]
Examples:
sudo health-control usb-guard-disable
sudo health-control usb-guard-disable --json
usb-policy
Manage USB device policies
Usage:
health-control usb-policy [OPTIONS]
Examples:
sudo health-control usb-policy --action list
sudo health-control usb-policy --action add --device-id 1234:5678 --allow
sudo health-control usb-policy --action remove --device-id 1234:5678
usb-monitor
Monitor USB device connections in real-time
Usage:
health-control usb-monitor [OPTIONS]
Examples:
sudo health-control usb-monitor
sudo health-control usb-monitor --duration 300
sudo health-control usb-monitor --alert
sudo health-control usb-monitor --block-unauthorized --log-only
sudo health-control usb-monitor --json
usb-history
View USB device connection history
Usage:
health-control usb-history [OPTIONS]
Examples:
sudo health-control usb-history
sudo health-control usb-history --days 30
sudo health-control usb-history --device-id 1234:5678
sudo health-control usb-history --clear --days 90
sudo health-control usb-history --json
usb-whitelist
Manage USB device whitelist
Usage:
health-control usb-whitelist [OPTIONS]
Examples:
sudo # Find device IDs first (use lsusb)
sudo lsusb # Shows vendor:product IDs (e.g., 1234:5678)
sudo → Bus 003 Device 002: ID 1234:5678 Vendor Name Product Name
sudo
sudo # List current whitelist
sudo health-control usb-whitelist --action list
sudo → Shows all whitelisted device IDs
sudo
sudo # Add device to whitelist
sudo health-control usb-whitelist --action add --device-id 1234:5678
sudo → Device allowed to connect automatically
sudo
sudo # Remove device from whitelist
sudo health-control usb-whitelist --action remove --device-id 1234:5678
sudo → Device will be blocked on next connection
sudo
sudo # Export whitelist (backup configuration)
sudo health-control usb-whitelist --action export --file ~/usb-whitelist-backup.json
sudo → Saves whitelist to JSON file for backup/transfer
sudo
sudo # Import whitelist (restore configuration)
sudo health-control usb-whitelist --action import --file ~/usb-whitelist-backup.json
sudo → Restores whitelist from JSON backup file
sudo
sudo # Clear all whitelisted devices
sudo health-control usb-whitelist --action clear
sudo ⚠️ WARNING: Removes ALL whitelisted devices - use with caution!
sudo
sudo # Repair the base policy (composite mice/mics getting blocked?)
sudo health-control usb-whitelist --action repair-policy
sudo → Installs the canonical block-first policy if the on-disk one is
sudo missing/empty or the legacy 'equals' policy; keeps your whitelist
sudo and backs up the old file. Safe no-op if already current.
sudo
sudo # JSON output for scripting
sudo health-control usb-whitelist --action list --json
Operational Scenarios
Scenario-oriented workflows generated from the binary's built-in -e --json examples.
Scenario 1: Network Connectivity
Test network connectivity and configuration
Step 1: Full connectivity check: IP ping + DNS + HTTP probe
sudo health-control net-check
Step 2: Full check via the extended HTTP path with per-target verbose reporting
sudo health-control net-check --http
Step 3: Full connectivity check with JSON output for automation
sudo health-control net-check --json
Step 4: Extended HTTP check path with JSON output
sudo health-control net-check --http --json
Step 5: Check IP ping only, skip DNS lookups and HTTP probe
sudo health-control net-check --ip-only
Note
Mutually exclusive with --domain-only and --http-only.
Step 6: Check DNS resolution only, skip IP ping and HTTP probe
sudo health-control net-check --domain-only
Note
Mutually exclusive with --ip-only and --http-only.
Step 7: Check HTTP reachability only, skip IP ping and DNS lookups
sudo health-control net-check --http-only
Note
Mutually exclusive with --ip-only and --domain-only.
Step 8: HTTP-only reachability check with JSON output
sudo health-control net-check --http-only --json
Step 9: Full connectivity check with a custom 15 second timeout
sudo health-control net-check --timeout 15
Step 10: IP-only ping check with JSON output
sudo health-control net-check --ip-only --json
Step 11: Domain-only DNS check with a custom 20 second timeout
sudo health-control net-check --domain-only --timeout 20
Step 12: Show IPs used for connectivity testing
sudo health-control list-ips
Step 13: Show domains used for connectivity testing
sudo health-control list-domains
Step 14: Dedicated HTTP connectivity probe with a custom timeout in seconds
sudo health-control net-check-http --timeout 10
Note
--timeout defaults to 10 seconds when omitted.
Scenario 2: Internet Traffic Control
Block and unblock internet traffic
Step 1: Block internet using auto-detected method (tries nftables, then iptables, then UFW, then interfaces)
sudo health-control block-internet
Note
Without --method specified, health-control automatically selects the best available method
Step 2: Block using iptables firewall rules
sudo health-control block-internet --method iptables
Step 3: Block using nftables firewall rules (preferred modern firewall)
sudo health-control block-internet --method nftables
Step 4: Block using UFW (Uncomplicated Firewall)
sudo health-control block-internet --method firewall
Step 5: Block by disabling network interfaces
sudo health-control block-internet --method interfaces
Step 6: Block using ALL methods (UFW, nftables, iptables, and interfaces)
sudo health-control block-internet --method all
Note
Applies all available blocking methods for maximum security
Step 7: Block internet but allow local network traffic
sudo health-control block-internet --allow-local
Step 8: Block internet with JSON output
sudo health-control block-internet --json
Step 9: Block internet with iptables, allow local, JSON output
sudo health-control block-internet --method iptables --allow-local --json
Step 10: Block using ALL methods but allow local network traffic
sudo health-control block-internet --method all --allow-local
Step 11: Unblock internet traffic
sudo health-control unblock-internet
Step 12: Unblock using nftables specifically
sudo health-control unblock-internet --method nftables
Step 13: Unblock using iptables specifically
sudo health-control unblock-internet --method iptables
Step 14: Unblock using UFW specifically
sudo health-control unblock-internet --method firewall
Step 15: Unblock ALL methods (clears UFW, nftables, iptables, and re-enables interfaces)
sudo health-control unblock-internet --method all
Note
Ensures complete restoration by clearing all possible blocks
Step 16: Unblock internet with JSON output
sudo health-control unblock-internet --json
Step 17: Block OUTBOUND ICMP echo-requests (ping) for both IPv4 and IPv6. Inserts a DROP rule in the iptables/ip6tables OUTPUT chain so this host can no longer ping out, while all normal TCP/UDP traffic (web, DNS, apps) keeps working
sudo health-control block-ping
Note
Equivalent to: sudo iptables -I OUTPUT -p icmp --icmp-type echo-request -j DROP AND sudo ip6tables -I OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP. Idempotent — running it twice does not add duplicate rules. Use this to reduce the host's network fingerprint (stealth) without killing connectivity.
Step 18: Block ping for IPv4 only (iptables), leave IPv6 ICMP untouched
sudo health-control block-ping --family ipv4
Note
Equivalent to: sudo iptables -I OUTPUT -p icmp --icmp-type echo-request -j DROP
Step 19: Block ping for IPv6 only (ip6tables)
sudo health-control block-ping --family ipv6
Note
Equivalent to: sudo ip6tables -I OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP. Reports 'unavailable' if ip6tables is absent (IPv6 disabled).
Step 20: Block ping with JSON output (per-family result envelope)
sudo health-control block-ping --json
Step 21: Unblock OUTBOUND ICMP echo-requests (ping) — removes the DROP rule(s) for both IPv4 and IPv6 so this host can ping out again
sudo health-control unblock-ping
Note
Equivalent to: sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j DROP AND sudo ip6tables -D OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP. Removes every duplicate copy of the rule; safe to run when no rule exists (reports 'already-unblocked').
Step 22: Unblock ping for IPv4 only
sudo health-control unblock-ping --family ipv4
Note
Equivalent to: sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j DROP
Step 23: Unblock ping for IPv6 only with JSON output
sudo health-control unblock-ping --family ipv6 --json
Step 24: Check current internet blocking status
sudo health-control internet-status
Step 25: Check if internet traffic is blocked with JSON output
sudo health-control internet-status --json
Step 26: ARM the emergency kill switch - sets system to high-alert monitoring mode
sudo health-control kill-switch-arm
Note
MONITORING MODE: Sets up automated threat detection using multiple monitoring methods: • NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections • FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications • PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns • AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures) • SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
Step 27: DISARM kill switch monitoring
sudo health-control kill-switch-disarm
Note
Stops monitoring mode. Use after threat has passed or false alarm.
Step 28: Check if monitoring is armed/disarmed
sudo health-control kill-switch-status
Note
READ-ONLY: Just displays current state, takes no action
Step 29: IMMEDIATELY activate kill switch (default: medium panic)
sudo health-control kill-switch-activate
Note
IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard
Step 30: IMMEDIATE soft panic (NO confirmation)
sudo health-control panic-soft
Note
Actions: Kill network, clear clipboard (adaptive: wl-copy/xclip/xsel for Wayland/X11), lock screen. Reversible.
Step 31: IMMEDIATE medium panic (WITH confirmation)
sudo health-control panic-medium
Note
Actions: Kill network, terminate processes, clear memory, unmount devices. Requires manual restart.
Step 32: IMMEDIATE hard panic with SHUTDOWN (WITH confirmation)
sudo health-control panic-hard
Note
CRITICAL: Wipes RAM, unmounts all, IMMEDIATE SHUTDOWN. IRREVERSIBLE!
Step 33: Recover from panic mode
sudo health-control panic-recover
Note
Re-enables network, remounts volumes, restores services
Step 34: ⚠️ Immediately kill ALL network connectivity (emergency cut-off)
sudo health-control kill-network
Note
⚠️ DANGEROUS: Severs all networking instantly. Takes no arguments. Use recover-internet / panic-recover to restore connectivity.
Scenario 3: Watch-Guard Management
Monitor system changes and block internet on triggers
Step 1: Enable watch-guard to block internet if IP changes (VPN protection)
sudo health-control enable --type watch-guard --watch ip --method nftables
Note
Blocks internet using nftables if external IP changes
Step 2: Enable watch-guard for timezone changes
sudo health-control enable --type watch-guard --watch timezone --method iptables
Note
Detects system time manipulation attempts
Step 3: Monitor network interfaces for changes
sudo health-control enable --type watch-guard --watch interfaces --method firewall
Note
Blocks if new interfaces appear or existing ones change
Step 4: Monitor Tor process and block if it dies
sudo health-control enable --type watch-guard --watch process --target tor --method interfaces
Note
Ensures no clearnet traffic if Tor crashes
Step 5: Monitor Firefox and use all block methods if it stops
sudo health-control enable --type watch-guard --watch process --target firefox --method all
Note
Maximum blocking using all available methods
Step 6: Show all active watch-guards and their trigger counts
sudo health-control watch-guard status
Step 7: Disable IP watch-guard and unblock internet
sudo health-control disable --type watch-guard ip
Note
Automatically unblocks internet unless --no-unblock used
Step 8: Disable all watch-guards but keep internet blocked
sudo health-control disable --type watch-guard all --no-unblock
Note
Use when you want manual control over unblocking
Step 9: Run watch-guard monitoring as a persistent daemon process
sudo health-control daemon --config-id my-config
Note
--config-id is required. Add --json for machine-readable output. Long-running foreground process intended for service supervision.
Scenario 4: Network Recovery
Diagnose and fix connectivity issues
Step 1: Automatically diagnose and fix connectivity issues
sudo health-control recover-internet
Step 2: Include DNS resolution testing and fixes
sudo health-control recover-internet --check-dns
Step 3: Force recovery even if connectivity appears working
sudo health-control recover-internet --force
Step 4: Run full internet recovery without desktop/terminal notifications
sudo health-control recover-internet --silent
Note
Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation
Step 5: Fast recovery: bounce interface + restart NetworkManager + DHCP renew
sudo health-control fast-recover-internet
Note
Lightweight alternative to recover-internet — tries quick fix before full 9-method recovery
Step 6: Run fast recovery without desktop/terminal notifications
sudo health-control fast-recover-internet --silent
Note
Also supports --skipnotification, --skip-notification, and typo-compatible --skipnotifcation
Step 7: Fast recovery with JSON output
sudo health-control fast-recover-internet --json
Scenario 5: Timezone Management
Manage system timezone settings
Step 1: Sync timezone based on IP geolocation
sudo health-control sync-timezone
Step 2: Show current system timezone
sudo health-control show-timezone
Step 3: Set specific timezone
sudo health-control set-timezone --timezone "America/New_York"
Step 4: Show timezone based on current IP location
sudo health-control show-remote-timezone
Step 5: List all timezone categories
health-control list-timezones
Step 6: List all available timezones
health-control list-timezones --category all
Step 7: List African timezones
health-control list-timezones --category africa
Step 8: List American timezones
health-control list-timezones --category americas
Step 9: List Asian timezones
health-control list-timezones --category asia
Step 10: List European timezones
health-control list-timezones --category europe
Step 11: List Australian timezones
health-control list-timezones --category australia
Step 12: List Pacific timezones
health-control list-timezones --category pacific
Step 13: List UTC timezones
health-control list-timezones --category utc
Step 14: List timezone categories in JSON format
health-control list-timezones --json
Step 15: Set a random timezone from all available
sudo health-control set-random-timezone
Note
Requires sudo privileges
Step 16: Set random American timezone
sudo health-control set-random-timezone --category americas
Note
Requires sudo privileges
Step 17: Set random European timezone
sudo health-control set-random-timezone --category europe
Note
Requires sudo privileges
Step 18: Set random Asian timezone
sudo health-control set-random-timezone --category asia
Note
Requires sudo privileges
Step 19: Set random African timezone
sudo health-control set-random-timezone --category africa
Note
Requires sudo privileges
Step 20: Set random Pacific timezone with JSON output
sudo health-control set-random-timezone --category pacific --json
Note
Requires sudo privileges
Scenario 6: MAC Address Management
Change and manage MAC addresses
Step 1: Change MAC addresses for all interfaces
sudo health-control mac-change-all
Step 2: Force change MAC addresses
sudo health-control mac-force-change
Note
Use when regular change fails
Step 3: Change MAC for specific interface
sudo health-control mac-change-specific --interface eth0
Step 4: Show all network interfaces
sudo health-control mac-show-interfaces
Step 5: Show current MAC addresses
sudo health-control mac-show-macs
Step 6: Reset all MACs to original values
sudo health-control mac-reset-all
Step 7: Show active network interface
sudo health-control mac-active-interface
Scenario 7: Hostname Management
Get and set system hostname
Step 1: Get current system hostname
sudo health-control get-hostname
Step 2: Get hostname in JSON format
sudo health-control get-hostname --json
Step 3: Get the actual logged-in user (handles sudo correctly)
health-control get-logged-user
Note
Returns actual user even when run with sudo
Step 4: Get logged user with additional info in JSON format
sudo health-control get-logged-user --json
Step 5: Set default system hostname
sudo health-control set-default-hostname
Step 6: Set random hostname for privacy
sudo health-control set-random-hostname
Step 7: Set random hostname with JSON output
sudo health-control set-random-hostname --json
Step 8: Set custom hostname
sudo health-control set-custom-hostname --name MyHost
Step 9: Set descriptive custom hostname
sudo health-control set-custom-hostname --name privacy-machine
Step 10: Set custom hostname with JSON output
sudo health-control set-custom-hostname --name secure-workstation --json
Step 11: List all hostname categories
health-control list-hostnames
Step 12: List all available hostnames
health-control list-hostnames --category all
Step 13: List Windows hostnames
health-control list-hostnames --category windows
Step 14: List Linux hostnames
health-control list-hostnames --category linux
Step 15: List Apple/Mac hostnames
health-control list-hostnames --category apple
Step 16: List hostname categories in JSON format
health-control list-hostnames --json
Step 17: Set random hostname from all categories
sudo health-control set-random-hostname-category
Step 18: Set random Windows hostname
sudo health-control set-random-hostname-category --category windows
Step 19: Set random Linux hostname
sudo health-control set-random-hostname-category --category linux
Step 20: Set random fictional hostname with JSON output
sudo health-control set-random-hostname-category --category fiction --json
Step 21: Set the system hostname to a specific value
sudo health-control change-hostname mylaptop
Note
HOSTNAME positional argument is optional; when omitted a hostname is generated/applied per default behavior.
Scenario 8: IPv6 Management
Control and monitor IPv6 protocol settings
Step 1: Check current IPv6 configuration status
sudo health-control ipv6-status
Note
Shows runtime status, boot config, and active interfaces
Step 2: Disable IPv6 system-wide (sysctl and GRUB)
sudo health-control ipv6-disable
Note
Reboot recommended for full effect
Step 3: Enable IPv6 system-wide
sudo health-control ipv6-enable
Note
Reboot recommended for full effect
Step 4: Get detailed IPv6 status in JSON format
sudo health-control ipv6-status --json
Scenario 9: Security Hardening
Apply and verify comprehensive security settings (7 modules: kernel, process, filesystem, network, memory, monitoring, sandboxing)
Step 1: Apply standard security hardening (network-safe): kernel hardening, process isolation, filesystem security, memory protection, monitoring, sandboxing - PRESERVES internet connectivity
sudo health-control security-harden
Note
Standard profile maintains system usability and network connectivity
Step 2: Apply MEDIUM profile - Enhanced security with hidepid, hardened_malloc, file integrity monitoring. Browsers and internet still work
sudo health-control security-harden --profile medium
Note
Medium profile adds hidepid=2, hardened_malloc, dirty_ratio tuning, file integrity. May increase memory on LUKS systems
Step 3: Apply PARANOID profile - WARNING: WILL BREAK browsers and internet: disables user namespaces, IP forwarding, DNS firewall, MAC spoofing
sudo health-control security-harden --profile paranoid
Note
⚠️ BROWSERS AND INTERNET DISABLED - To recover: sudo health-control security-recover
Step 4: Apply paranoid profile plus break-monitoring mode: forces /sys/class/net to root-only and breaks non-root monitoring tools (btop/conky/dashboard)
sudo health-control security-harden --break-monitoring
Note
⚠️ ALSO BREAKS NON-ROOT MONITORING - Use only when this behavior is explicitly required
Step 5: Check if all 7 security modules are enabled and properly configured
sudo health-control security-verify
Note
Use after security-harden to verify settings are applied
Step 6: Apply only specific modules (kernel sysctl and network firewall)
sudo health-control security-harden --modules kernel,network
Note
Modules: kernel, process, filesystem, network, memory, monitoring, sandboxing
Step 7: Temporarily revert security hardening (keeps framework ready for quick re-hardening)
sudo health-control security-recover
Note
Use for troubleshooting. Framework remains enabled for easy re-hardening with security-harden.
Step 8: Recover only specific security modules
sudo health-control security-recover --modules network,kernel
Note
Available modules: kernel, filesystem, network, memory, monitoring, smt
Step 9: Completely disable all security modules and framework (permanent removal)
sudo health-control security-reset
Note
WARNING: Unlike security-recover, this permanently disables the framework. Requires rebuilding to re-enable.
Step 10: Reset security framework without confirmation prompt
sudo health-control security-reset --force
Note
Use --force to skip the confirmation prompt in automation scripts
Step 11: Enable system security monitoring (auditd, LKRG, file integrity, auth events)
sudo health-control monitoring-enable
Note
Enables auditd for system call auditing, LKRG for kernel integrity, file integrity monitoring (AIDE/Tripwire), and auth event logging
Step 12: Disable system security monitoring services
sudo health-control monitoring-disable
Note
Stops all security monitoring services - reduces system overhead but decreases security visibility
Step 13: Check current system security monitoring status
sudo health-control monitoring-status
Note
Shows status of auditd, LKRG, AIDE, and auth logging - helps verify which monitoring services are active
Step 14: Enable Tirdad kernel module for TCP ISN randomization (prevents OS fingerprinting)
sudo health-control tirdad-enable
Note
Randomizes TCP Initial Sequence Numbers to prevent remote OS fingerprinting attacks and TCP sequence prediction
Step 15: Disable Tirdad TCP ISN randomization module
sudo health-control tirdad-disable
Note
Restores default TCP ISN generation - may make system identifiable via network fingerprinting
Step 16: Check Tirdad TCP ISN randomization module status
sudo health-control tirdad-status
Note
Shows if kernel module is loaded and TCP ISN randomization is active
Step 17: Check disk encryption status
sudo health-control disk-encryption-status
Note
Displays LUKS encryption status for all disks, cipher algorithms, and key slot usage
Step 18: List all USB devices
sudo health-control usb-list
Note
Shows all connected USB devices with vendor/product IDs for security auditing
Step 19: Create unencrypted live-boot persistence media
sudo health-control create-persistence
Note
Creates a 4GB unencrypted ext4 persistence image named 'persistence' with a root persistence.conf of '/ union' so /opt, /etc, and other system paths survive reboots on Kodachi live USBs. Use --encrypted for LUKS encryption or --size to change size.
Step 20: Create encrypted persistence (interactive)
sudo health-control create-persistence --encrypted
Note
Creates LUKS2-encrypted Debian live-boot persistence media named 'persistence' and writes '/ union' to persistence.conf. Secure method - password not visible in history.
Step 21: Create encrypted persistence (CLI password)
sudo health-control create-persistence --encrypted --password 'pass123'
Note
⚠️ INSECURE: Password visible in shell history! Shows security warnings. Use interactive mode instead.
Step 22: Show overall encryption status
sudo health-control encryption-status
Note
Comprehensive report of all encryption: disks, swap, home directories, and key management
Scenario 10: System Health & Security Tools
Monitor system health and run security audits
Step 1: Perform comprehensive system security audit
sudo health-control system-audit
Step 2: Scan system for rootkits
sudo health-control rootkit-scan
Step 3: Check system security status
sudo health-control security-status --json
Step 4: Run comprehensive Lynis security audit
sudo health-control lynis-audit
Note
Comprehensive security assessment
Step 5: Check Lynis installation and status
sudo health-control lynis-status
Step 6: Initialize AIDE database
sudo health-control aide-init
Note
First time setup required
Step 7: Check file integrity with AIDE
sudo health-control aide-check
Step 8: Check kloak keystroke anonymization status
sudo health-control kloak-status
Step 9: Enable kloak keystroke anonymization
sudo health-control kloak-enable
Step 10: Disable kloak keystroke anonymization
sudo health-control kloak-disable
Step 11: Configure kloak keystroke delay, jitter and operating mode
sudo health-control kloak-configure --delay 100 --jitter 30 --mode normal
Note
--mode accepts normal, aggressive, or minimal. All flags are optional.
Step 12: Set the kloak event-processing mode
sudo health-control kloak-event-mode --mode adaptive
Note
--mode is required: raw, filtered, or adaptive.
Step 13: Show kloak keystroke anonymization statistics
sudo health-control kloak-stats
Note
Add --reset to clear the statistics counters.
Step 14: Update the AIDE baseline database after reviewing changes
sudo health-control aide-update
Note
Add --accept-changes to accept all detected changes and update the baseline.
Step 15: Reinitialize the AIDE database from scratch
sudo health-control aide-reinit --force
Note
--force skips the confirmation prompt. Replaces the existing baseline.
Step 16: Run an AIDE integrity scan against a specific directory
sudo health-control aide-scan-dir /etc --recursive
Note
PATH positional argument is required. -r/--recursive scans subdirectories.
Scenario 11: LUKS Nuke & Data Destruction
LUKS nuke passwords for emergency data destruction
Step 1: List all LUKS devices and nuke password status
sudo health-control luks-nuke --action status
Note
Shows which devices have nuke passwords configured
Step 2: ⚠️ STEP 1: Check current nuke status for target device
sudo health-control luks-nuke --action status --device /dev/sda5
Note
⚠️ ALWAYS backup header BEFORE configuring nuke password. This status check helps confirm current device state before changes.
Step 3: ⚠️ STEP 2: Configure nuke password (DATA DESTRUCTION FEATURE)
sudo health-control luks-nuke --action configure --device /dev/sda5 --password 'StrongNukePassword123!'
Note
⚠️ CRITICAL WARNING: This creates a password that will PERMANENTLY DESTROY all data on /dev/sda5 when entered! Use only if you understand the consequences. Requires header backup from STEP 1. Password must be strong (12+ chars, mixed case, numbers, symbols). Avoid obvious words like 'nuke', 'destroy', 'emergency'.
Step 4: Remove nuke password from device
sudo health-control luks-nuke --action remove --device /dev/sda5
Note
Removes the data destruction feature from the device. You will be prompted to confirm which keyslot to remove (usually keyslot 7). Requires current LUKS password.
Step 5: ⚠️ EMERGENCY: Restore LUKS header after nuke password was used
gpg -d ~/Desktop/header-backup-*.img.gpg | sudo cryptsetup luksHeaderRestore /dev/sda5
Note
⚠️ USE ONLY IF nuke password was accidentally used! This restores the LUKS header from your encrypted backup. You MUST have created a header backup BEFORE the nuke password was triggered. After restoration, you can unlock the device with your original LUKS password. Without a backup, data is PERMANENTLY LOST.
Step 6: Detect LUKS-encrypted devices on the system
sudo health-control luks-detect
Note
Add --all-devices to also scan loop and other block devices.
Step 7: Manage LUKS devices (add, remove, unlock, lock, list)
sudo health-control luks-manage --action list
Note
--action defaults to list. Use --device to target a specific device path for add/remove/unlock/lock.
Step 8: Advanced LUKS header operations and key management
sudo health-control luks-manage-advanced --action backup-header --device /dev/sda5 --backup-file ~/Desktop/header.img
Note
--action is required: create, format, backup-header, restore-header, change-key, add-key, remove-key. Provide --device / --key-file / --backup-file as the action requires.
Step 9: ⚠️ Configure an advanced LUKS nuke password (DATA DESTRUCTION)
sudo health-control luks-nuke-advanced --device /dev/sda5 --password 'StrongNukePassword123!'
Note
⚠️ CRITICAL: --device is required; entering the nuke --password later PERMANENTLY DESTROYS all data on the device. Always back up the LUKS header first.
Step 10: ⚠️ Remove LUKS encryption from a device
sudo health-control luks-remove /dev/sda5 --force
Note
⚠️ DESTRUCTIVE: DEVICE positional argument is required. --force skips the confirmation prompt.
Scenario 12: Emergency Nuke Operations
Full system data destruction for emergency situations. IRREVERSIBLE - use with extreme caution.
Step 1: ⚠️ TEST MODE: Preview what would be destroyed without actually wiping
health-control nuke-execute --dry-run
Note
ALWAYS test with --dry-run first! Shows exactly what will be destroyed including: SSH keys, GPG keys, crypto wallets, browser data, messaging apps, email, documents, and system logs.
Step 2: Fast wipe mode (1-pass) - quickest destruction (~27 seconds)
health-control nuke-execute --method fast --dry-run
Note
Best for SSDs where multi-pass is ineffective. Uses blkdiscard for SSDs, single shred pass for HDDs.
Step 3: Secure wipe mode (3-pass DoD) - balanced security (~45 seconds)
health-control nuke-execute --method secure --dry-run
Note
DEFAULT mode. 3-pass overwrite following DoD 5220.22-M standard. Good balance of speed and security for HDDs.
Step 4: Paranoid wipe mode (7-pass) - maximum security (~60 seconds)
health-control nuke-execute --method paranoid --dry-run
Note
Maximum security. 7-pass overwrite. Also wipes boot sector, GRUB, kernel, initrd, and MBR. System will be unbootable.
Step 5: ⚠️ DANGER: Execute REAL fast wipe - DESTROYS ALL DATA
health-control nuke-execute --method fast --force
Note
⚠️ IRREVERSIBLE! This PERMANENTLY DESTROYS: ~/.ssh, ~/.gnupg, crypto wallets (Bitcoin/Monero/Electrum), all browsers, Signal/Telegram/Discord, Thunderbird, Documents/Downloads/Desktop, AWS/Docker/Kube credentials, bash history, system logs. System forces reboot after completion.
Step 6: Check current nuke operation progress
health-control nuke-progress
Note
Monitor ongoing destruction progress. Shows current phase, completion status, and any errors.
Step 7: Detect storage type for optimal wipe method
health-control nuke-storage-detect --device /dev/sda
Note
Detects if device is SSD, HDD, or NVMe. SSDs use blkdiscard (instant secure erase), HDDs use shred (multi-pass overwrite), NVMe uses nvme format command.
Scenario 13: USB & Device Security
Complete USB security management - device listing, USBGuard policies, storage control, and monitoring
Step 1: List all connected USB devices
sudo health-control usb-list
Step 2: Check USB storage module status (all 4 layers)
sudo health-control offline-usb-storage --action check
Note
Shows complete status of all USB storage control layers
Step 3: Enable USB storage completely (recommended)
sudo health-control offline-usb-storage --action enable
Note
Handles ALL 4 layers: Removes blacklist, loads modules, authorizes devices, integrates with USBGuard. Your USB drives should appear immediately in 'lsblk' after this command.
Step 4: Enable USB storage with detailed layer-by-layer output
sudo health-control offline-usb-storage --action enable --verbose
Note
Use verbose mode to see exactly what happens at each layer
Step 5: Disable USB storage completely (security lockdown)
sudo health-control offline-usb-storage --action disable
Note
Blocks USB storage at all 4 layers: deauthorizes devices, blocks in USBGuard, unloads modules, creates blacklist
Step 6: Enable USB Guard protection service
sudo health-control usb-guard-enable
Note
⚠️ This only enables USBGuard service - does NOT enable USB storage modules! If USB storage modules are blocked, your drives won't appear even with USBGuard enabled. Use 'offline-usb-storage --action enable' for complete access.
Step 7: Disable USB Guard protection service
sudo health-control usb-guard-disable
Note
Disables USBGuard service but does NOT affect USB storage modules. Storage modules may still be blocked separately.
Step 8: Add USB device to USBGuard allow policy
sudo health-control usb-policy --action add --device-id 1234:5678 --allow
Note
Use lsusb to find device IDs. This manages USBGuard policy only. Device must also be authorized at kernel level (handled by offline-usb-storage).
Step 9: List all USB policies in USBGuard
sudo health-control usb-policy --action list
Step 10: Check USB security policies
sudo health-control usb-policy --action status
Step 11: Start USB device monitoring
sudo health-control usb-monitor
Step 12: View USB device history for last 7 days
sudo health-control usb-history --days 7
Step 13: Show overall USB security status
sudo health-control usb-status
Step 14: Manage the USB device whitelist (add, remove, list, import, export)
sudo health-control usb-whitelist --action add --device-id 1234:5678
Note
--action defaults to list. Use --device-id (vendor:product) for add/remove, or --file for import/export.
Scenario 14: Data Destruction & Secure Wiping
Secure data wiping procedures
Step 1: Securely wipe file with 7 passes
sudo health-control wipe-file --file /path/to/file --passes 7
Note
Multiple passes increase security
Step 2: Securely wipe entire directory
sudo health-control wipe-directory --path /path/to/directory --passes 3
Note
All files in directory will be destroyed
Step 3: Wipe free space on device
sudo health-control wipe-free-space --device /dev/sda1
Note
Prevents recovery of deleted files
Step 4: Wipe system and application logs
sudo health-control wipe-logs
Note
Removes log file traces
Step 5: Wipe browser history and data
sudo health-control wipe-browser-data
Note
Removes browsing history and cache
Step 6: Schedule automatic temporary file wiping daily
sudo health-control wipe-schedule temp --frequency daily
Note
Automatically wipes temp files based on frequency
Step 7: Wipe all temporary files matching pattern
sudo health-control wipe-pattern "*.tmp"
Note
Uses glob patterns to match files for wiping
Step 8: Verify file has been securely wiped
sudo health-control wipe-verify /path/to/file
Step 9: Batch wipe multiple files with 7 passes
sudo health-control wipe-batch /path1 /path2 /path3 --passes 7
Note
Space-separated file paths
Step 10: ⚠️ Securely wipe a standard user directory
sudo health-control wipe-user-dir --target downloads
Note
⚠️ DESTRUCTIVE: --target is required and must be one of downloads, desktop, documents. All contents are permanently destroyed.
Scenario 15: System Maintenance & Updates
Automated updates, password policies, and system maintenance
Step 1: Enable automatic security updates
sudo health-control auto-updates-enable
Step 2: Disable automatic updates
sudo health-control auto-updates-disable
Step 3: Check automatic updates status
sudo health-control auto-updates-status
Step 4: Enable strong password policy
sudo health-control password-policy-enable
Step 5: Disable strong password policy
sudo health-control password-policy-disable
Step 6: Enable user security checks
sudo health-control user-security-enable
Step 7: Enable 2FA for specific user
sudo health-control 2fa-enable --value username
Step 8: Disable 2FA for user
sudo health-control 2fa-disable
Step 9: Enable automatic system maintenance
sudo health-control system-maintenance-enable
Step 10: Clean up unnecessary packages
sudo health-control package-cleanup
Step 11: Check password policy status
sudo health-control password-policy-status
Step 12: Disable user security checks
sudo health-control user-security-disable
Step 13: Check user security status
sudo health-control user-security-status
Step 14: Check 2FA status for users
sudo health-control 2fa-status
Step 15: Disable automatic system maintenance
sudo health-control system-maintenance-disable
Step 16: Check system maintenance status
sudo health-control system-maintenance-status
Step 17: Check whether packages are installed and install the missing ones
sudo health-control check-and-install curl wget
Note
PACKAGES is a required, space-separated list of one or more package names.
Step 18: Run the predefined check-and-install routine for required packages
sudo health-control check-and-install-do
Note
Takes no arguments; installs the built-in required package set.
Step 19: Clear system caches at the specified level
sudo health-control clear-cache --level 3
Note
--level accepts 1, 2 or 3 (defaults to 3, the most thorough).
Step 20: Diagnose whether sudo is working correctly
sudo health-control check-sudo
Note
Read-only check; takes no arguments. Use fix-sudo to repair a broken sudo configuration.
Step 21: Repair a broken sudo configuration without requiring sudo
sudo health-control fix-sudo
Note
Takes no arguments. Designed to recover from a misconfigured/broken sudoers state.
Scenario 16: System Control & Notifications
System configuration and control operations
Step 1: Play system alert sound
sudo health-control play-sound --sound alert
Step 2: Play success notification sound
sudo health-control play-sound success
Step 3: Play warning sound in MP3 format
sudo health-control play-sound warning -m mp3
Step 4: Play alert sound with debug output
sudo health-control play-sound alert --debug
Step 5: Send system notification
health-control notify --message "Security check complete"
Step 6: Send basic notification message
health-control notify --message "Hello from Kodachi"
Step 7: Send notification with message body
health-control notify --message "Alert" --body "VPN connected"
Step 8: Send critical notification with 30 second duration
health-control notify --message "Warning" --urgency critical --duration 30
Step 9: Send notification with custom icon
health-control notify --message "Update" --notify-icon "/path/to/icon.png"
Scenario 17: Emergency Operations - Kill Switch & Panic Modes
Emergency security measures with two modes: MONITORING (arm/disarm) prepares for threats, IMMEDIATE (panic/activate) executes emergency procedures
Step 1: ARM kill switch monitoring (preparation mode)
sudo health-control kill-switch-arm
Note
MONITORING MODE: Sets up automated threat detection using multiple monitoring methods: • NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections • FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications • PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns • AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures) • SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
Step 2: DISARM kill switch monitoring
sudo health-control kill-switch-disarm
Note
Stops monitoring mode. Use after threat has passed or false alarm.
Step 3: Check if monitoring is armed/disarmed
sudo health-control kill-switch-status
Note
READ-ONLY: Just displays current state, takes no action
Step 4: IMMEDIATELY activate kill switch (default: medium panic)
sudo health-control kill-switch-activate
Note
IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard
Step 5: IMMEDIATE soft panic (NO confirmation)
sudo health-control panic-soft
Note
INSTANT: Kill network + clear clipboard (wl-copy/xclip/xsel) + lock screen. Reversible. Good for quick privacy.
Step 6: IMMEDIATE medium panic (requires confirmation)
sudo health-control panic-medium
Note
WITH CONFIRMATION: Kill network + clear clipboard (adaptive: wl-copy/xclip/xsel) + terminate processes + clear memory + unmount devices + lock screen (6 actions). Requires manual restart to restore.
Step 7: IMMEDIATE hard panic (double confirmation)
sudo health-control panic-hard
Note
CRITICAL - DOUBLE CONFIRM: All medium actions + RAM wipe + IMMEDIATE shutdown (7 actions total). IRREVERSIBLE! System shuts down NOW!
Step 8: Create recovery checkpoint BEFORE panic
sudo health-control create-recovery-point
Note
Create BEFORE activating panic modes. Allows restoration of configs after emergency.
Step 9: Restore system after panic activation
sudo health-control panic-recover
Note
Use AFTER panic to restore normal operation. Restarts services, fixes permissions.
Step 10: Configure panic response to paranoid security level
sudo health-control panic-profile --profile paranoid
Note
PROFILE MODES: • STEALTH: Light response (network blocking only, preserve user data) • PARANOID: Maximum security (network kill, data wipe, process termination, interface shutdown) • RECOVERY: System restoration (restart services, fix permissions, restore connectivity) Profile determines automatic actions when panic mode triggers. Use 'kill-switch-activate' to manually trigger the configured profile.
Step 11: Kill specific network interface
sudo health-control kill-network-interface --interface eth0
Note
Selective network isolation
Step 12: Terminate specific process immediately
sudo health-control kill-process --process firefox
Note
Emergency process termination
Scenario 18: Storage Encryption & Secure Containers
Storage device encryption, secure wiping, LUKS encrypted containers, and volume management
Step 1: List all storage devices with safety indicators (SAFE/CAUTION/DANGER)
sudo health-control list-storage-devices
Note
Use BEFORE creating persistence to identify safe devices. Protects against accidental system drive formatting.
Step 2: List all storage devices including loop and ram devices
sudo health-control list-storage-devices --all
Step 3: Check if specific device is safe for persistence operations
sudo health-control usb-safety-check --device /dev/sdc2
Note
Validates device before destructive operations. Prevents accidental system drive formatting.
Step 4: Encrypt storage device
sudo health-control storage-encrypt --device /dev/sdb1
Note
Backup data before encryption
Step 5: Securely wipe storage device
sudo health-control storage-wipe --device /dev/sdb1 --passes 3
Note
Data will be permanently destroyed
Step 6: Create encrypted container (500MB)
sudo health-control container-create /secure/data.img --size 500
Note
Creates LUKS2-encrypted container file. You'll be prompted for password interactively. Container file path is positional argument (not --output).
Step 7: Create small encrypted container (100MB)
sudo health-control container-create /tmp/secure.img --size 100
Note
Smaller size for testing. Password will be prompted.
Step 8: Mount encrypted container
sudo health-control container-mount /secure/data.img --mount-point /mnt/secure
Note
You'll be prompted for the container password. Mount point will be created automatically if it doesn't exist.
Step 9: Unmount encrypted container
sudo health-control container-unmount /mnt/secure
Note
Automatically closes the LUKS mapper device.
Step 10: Recommend or apply LUKS encryption tuning settings
sudo health-control encryption-tune --profile balanced
Note
--profile defaults to balanced (also performance, security). Optional --cipher, --key-size, --iter-time, --device, --benchmark. Runs as a dry-run unless --apply is given.
Step 11: Create persistence storage for another live OS (Kali, Parrot, or Tails)
sudo health-control create-persistence-other-os --device /dev/sdc2 --os-type kali --force
Note
⚠️ --device and --os-type are required; targets/formats the given partition. --force is required for non-interactive use (dashboard/scripts/--json). Add --encrypted (optionally with --password) for LUKS.
Scenario 19: Security Assessment & Scoring
Security scoring and reporting
Step 1: Calculate overall security score
sudo health-control security-score
Step 2: Get security score in JSON format
sudo health-control security-score --json
Step 3: Generate comprehensive security report
sudo health-control security-report
Step 4: Generate security report in JSON format
sudo health-control security-report --json
Step 5: View security score history for last 30 days
sudo health-control security-history --days 30
Note
Shows security improvements over time
Step 6: View last 7 days security history in JSON
sudo health-control security-history --days 7 --json
Step 7: Review security fixes before applying
sudo health-control security-remediate
Note
Manual review mode for security fixes
Step 8: Run the enhanced rootkit scanner
sudo health-control rootkit-scan-enhanced --deep
Note
Add --deep to perform a thorough deep scan.
Step 9: Scan the filesystem for malware with ClamAV
sudo health-control clamav-scan --path / --recursive
Note
--path defaults to /. Add --recursive to descend into subdirectories and --quarantine to isolate infected files.
Step 10: Set the security profile and scoring thresholds
sudo health-control security-profile --value balanced
Note
--value is required: minimal, balanced, or paranoid.
Step 11: Schedule automated security assessments
sudo health-control security-schedule --value daily
Note
--value is required: hourly, daily, weekly, monthly, or disable.
Scenario 20: Hardware Security
Hardware-level security features
Step 1: Verify hardware random number generator
sudo health-control hardware-rng-verify
Note
Checks if hardware RNG is available and functioning properly for cryptographic operations
Step 2: Check system entropy status
sudo health-control entropy-status
Note
Monitors available entropy for secure random number generation, critical for encryption
Step 3: Check boot integrity
sudo health-control boot-integrity-check
Note
Verifies boot process integrity to detect tampering or unauthorized modifications to bootloader/kernel
Scenario 21: System Information & Offline Actions
System information, diagnostics, and hardware/service management
Step 1: Display comprehensive system information
sudo health-control offline-info-system
Step 2: Display hardware information
sudo health-control offline-info-hardware
Step 3: Display hardware information in JSON
sudo health-control offline-info-hardware --json
Step 4: Display process information
sudo health-control offline-info-process
Step 5: Display security configuration
sudo health-control offline-info-security
Step 6: Display network configuration
sudo health-control offline-info-network
Step 7: Display user information
sudo health-control offline-info-user
Step 8: Display storage information
sudo health-control offline-info-storage
Step 9: Display services information
sudo health-control offline-info-services
Step 10: Display all system information
sudo health-control offline-info-all
Step 11: Check Bluetooth status
sudo health-control offline-bluetooth --action check
Step 12: Enable Bluetooth service
sudo health-control offline-bluetooth --action enable
Step 13: Disable Bluetooth service
sudo health-control offline-bluetooth --action disable
Step 14: Check WiFi status
sudo health-control offline-wifi --action check
Step 15: Enable WiFi service
sudo health-control offline-wifi --action enable
Step 16: Disable WiFi with persistent blacklisting
sudo health-control offline-wifi --action disable
Step 17: Check webcam status
sudo health-control offline-webcam --action check
Step 18: Enable webcam devices
sudo health-control offline-webcam --action enable
Step 19: Disable webcam devices
sudo health-control offline-webcam --action disable
Step 20: Check microphone status
sudo health-control offline-microphone --action check
Step 21: Enable microphone devices
sudo health-control offline-microphone --action enable
Step 22: Disable microphone devices
sudo health-control offline-microphone --action disable
Step 23: Check automatic screen lock status
sudo health-control offline-screen-lock --action check
Step 24: Enable automatic screen lock
sudo health-control offline-screen-lock --action enable
Step 25: Disable automatic screen lock
sudo health-control offline-screen-lock --action disable
Step 26: Check system logging status
sudo health-control offline-systemlogs --action check
Step 27: Enable system logging
sudo health-control offline-systemlogs --action enable
Step 28: Disable system logging
sudo health-control offline-systemlogs --action disable
Step 29: Check CUPS printing service status
sudo health-control offline-cups --action check
Step 30: Enable CUPS printing service
sudo health-control offline-cups --action enable
Step 31: Disable CUPS printing service
sudo health-control offline-cups --action disable
Step 32: Check NetworkManager status
sudo health-control offline-networkmanager --action check
Step 33: Enable NetworkManager
sudo health-control offline-networkmanager --action enable
Step 34: Disable NetworkManager
sudo health-control offline-networkmanager --action disable
Step 35: Check NumLock-on-boot status
sudo health-control offline-numlock --action check
Step 36: Enable NumLock on boot
sudo health-control offline-numlock --action enable
Step 37: Disable NumLock on boot
sudo health-control offline-numlock --action disable
Step 38: Check command history logging status
sudo health-control offline-cmdhistory --action check
Step 39: Enable command history logging
sudo health-control offline-cmdhistory --action enable
Step 40: Disable command history logging
sudo health-control offline-cmdhistory --action disable
Step 41: Check automatic login status
sudo health-control offline-autologin --action check
Step 42: Enable automatic login
sudo health-control offline-autologin --action enable
Step 43: Disable automatic login
sudo health-control offline-autologin --action disable
Step 44: Check current file descriptor limits
sudo health-control offline-fdlimit --action check
Step 45: Set file descriptor limits
sudo health-control offline-fdlimit --action enable --soft-limit 1024 --hard-limit 4096
Step 46: Revert file descriptor limits to defaults
sudo health-control offline-fdlimit --action disable
Step 47: Check network optimization status
sudo health-control offline-netoptimize --action check
Step 48: Enable network optimizations
sudo health-control offline-netoptimize --action enable
Step 49: Disable network optimizations
sudo health-control offline-netoptimize --action disable
Step 50: Check BBR congestion control status
sudo health-control offline-bbr --action check
Step 51: Enable BBR congestion control
sudo health-control offline-bbr --action enable
Step 52: Disable BBR congestion control
sudo health-control offline-bbr --action disable
Step 53: Check current interface speed configuration
sudo health-control offline-ifspeed --action check
Step 54: Configure interface speed
sudo health-control offline-ifspeed --action enable --interface eth0 --speed 1000
Step 55: Revert interface speed to auto-negotiation
sudo health-control offline-ifspeed --action disable --interface eth0
Step 56: Check Avahi service discovery status
sudo health-control offline-avahi --action check
Note
Supported services: avahi, modem-manager, ssh, apache, nginx, docker, mysql, postgresql
Step 57: Enable Avahi service discovery
sudo health-control offline-avahi --action enable
Step 58: Disable Avahi service discovery
sudo health-control offline-avahi --action disable
Step 59: Check ModemManager service status
sudo health-control offline-modem-manager --action check
Step 60: Enable ModemManager service
sudo health-control offline-modem-manager --action enable
Step 61: Disable ModemManager service
sudo health-control offline-modem-manager --action disable
Step 62: Check SSH service status
sudo health-control offline-ssh --action check
Step 63: Enable SSH service
sudo health-control offline-ssh --action enable
Step 64: Disable SSH service
sudo health-control offline-ssh --action disable
Step 65: Check Apache web server status
sudo health-control offline-apache --action check
Step 66: Enable Apache web server
sudo health-control offline-apache --action enable
Step 67: Disable Apache web server
sudo health-control offline-apache --action disable
Step 68: Check Nginx web server status
sudo health-control offline-nginx --action check
Step 69: Enable Nginx web server
sudo health-control offline-nginx --action enable
Step 70: Disable Nginx web server
sudo health-control offline-nginx --action disable
Step 71: Check Docker service status
sudo health-control offline-docker --action check
Step 72: Enable Docker service
sudo health-control offline-docker --action enable
Step 73: Disable Docker service
sudo health-control offline-docker --action disable
Step 74: Check MySQL database service status
sudo health-control offline-mysql --action check
Step 75: Enable MySQL database service
sudo health-control offline-mysql --action enable
Step 76: Disable MySQL database service
sudo health-control offline-mysql --action disable
Step 77: Check PostgreSQL database service status
sudo health-control offline-postgresql --action check
Step 78: Enable PostgreSQL database service
sudo health-control offline-postgresql --action enable
Step 79: Disable PostgreSQL database service
sudo health-control offline-postgresql --action disable
Step 80: Enable USB storage devices
sudo health-control offline-usb-storage --action enable
Step 81: Disable USB storage devices
sudo health-control offline-usb-storage --action disable
Step 82: Lightweight connectivity ping helper (used by conky panels)
sudo health-control ping
Note
Takes no arguments. Fast helper for status panels.
Step 83: Report how long a tracked process has been running
sudo health-control process-age --process tor
Note
--process is required and must be 'vpn' or 'tor'.
Scenario 22: Password Generation
Generate secure passwords using multiple methods with batch support (auto-detects installed packages)
Step 1: Generate one password using all three methods
sudo health-control genpass
Note
Automatically uses system packages if available, falls back to native implementations
Step 2: Generate 10 random passwords using pwgen method
sudo health-control genpass --method pwgen --count 10
Note
Use --count for batch generation; max 1000 per method
Step 3: Generate 50 memorable XKCD-style passphrases
sudo health-control genpass --method xkcdpass --count 50
Note
XKCD method creates memorable multi-word passwords
Step 4: Generate 90 passwords from each method (270 total)
sudo health-control genpass --count 90
Note
When using --count without --method, generates specified count from ALL methods
Step 5: Generate 20 custom passwords with specific length and symbols
sudo health-control genpass --method pwgen --count 20 --length 32 --symbols "@-_!#$"
Note
Customize password generation with --length and --symbols options
Step 6: Generate 15 passwords with only uppercase letters and digits
sudo health-control genpass --uppercase --digits --count 15
Step 7: Generate 100 passwords from each method in JSON format
sudo health-control genpass --count 100 --json
Note
JSON output ideal for scripting and automation
Step 8: Force use of native Rust implementations (skip package detection)
sudo health-control genpass --force-native --count 25
Note
Useful for testing or when system packages are unreliable
Scenario 23: RAM Wipe & Cold Boot Protection
Automatic RAM wiping on shutdown with multiple policies (custom, sdmem, both, auto), installation, configuration, testing, and cold boot attack defenses
Step 1: Complete workflow for first-time RAM wipe setup
# WORKFLOW: Setting up RAM wipe on shutdown
Note
STEP 1: Install hooks (REQUIRED FIRST): sudo health-control wipe-ram-install STEP 2: Configure policy (OPTIONAL): sudo health-control wipe-ram-config --policy sdmem STEP 3: Enable if disabled: sudo health-control ram-wipe-enable STEP 4: Verify status: sudo health-control ram-wipe-status KEY DIFFERENCES: • wipe-ram-install = FIRST-TIME SETUP (installs systemd shutdown hooks) • ram-wipe-enable = ENABLE/DISABLE (turns functionality on/off, hooks must exist) • wipe-ram-config = UPDATE SETTINGS (change policy, passes, time budget) • wipe-ram = MANUAL EXECUTION (test or emergency wipe NOW, not on shutdown)
Step 2: Install RAM wipe system with default settings (kodachi-wiper policy, 60s timeout)
sudo health-control wipe-ram-install
Note
FIRST-TIME SETUP - Installs systemd hooks, configures policies, detects Kicksecure compatibility. Creates /etc/kodachi-ram-wipe.conf with defaults
Step 3: Install RAM wipe with kodachi-wiper policy and 60 second time budget
sudo health-control wipe-ram-install --policy kodachi-wiper --time 60
Note
Fastest installation - Single-pass wipe, suitable for systems with <8GB RAM or frequent reboots
Step 4: Install RAM wipe with sdmem policy using 3 overwrite passes
sudo health-control wipe-ram-install --policy sdmem --passes 3
Note
SECURE INSTALLATION - 3 passes (random, zeros, random). Good balance of security and speed. Recommended for 8-16GB RAM systems
Step 5: Install with both policies: 60% time for kodachi-wiper, 40% for sdmem
sudo health-control wipe-ram-install --policy both --split 60
Note
HYBRID APPROACH - Time-split between kodachi-wiper (fast) and sdmem (thorough). Example: 120s budget = 72s kodachi-wiper + 48s sdmem. Maximum security coverage
Step 6: Force installation even if Kicksecure/Whonix RAM wipe detected
sudo health-control wipe-ram-install --force
Note
OVERRIDE MODE - Bypasses Kicksecure detection. Use when you want Kodachi's RAM wipe instead of Kicksecure's built-in wipe. May cause conflicts
Step 7: Check RAM wipe configuration and current status
sudo health-control ram-wipe-status
Note
Shows: enabled/disabled state, current policy (kodachi-wiper/sdmem/both/auto), time budget, sdmem passes, total RAM size, Kicksecure detection
Step 8: RAM wipe status in JSON format for automation
sudo health-control ram-wipe-status --json
Note
JSON OUTPUT DEMO - Shows all config fields in machine-readable format for scripts and monitoring systems
Step 9: Update existing RAM wipe policy to auto-detection
sudo health-control wipe-ram-config --policy auto
Step 10: Update sdmem passes to 5 and time split to 70/30
sudo health-control wipe-ram-config --passes 5 --split 70
Note
PASS COUNT - More passes = more thorough but slower. 1-3=fast, 4-6=balanced, 7-9=maximum. SPLIT - Higher kodachi-wiper%=speed, higher sdmem%=security
Step 11: Enable RAM wipe configuration (hooks must be installed first)
sudo health-control ram-wipe-enable
Note
IMPORTANT: This only enables the CONFIG. You must run 'wipe-ram-install' FIRST to install systemd hooks. Will show clear warning if hooks are missing.
Step 12: Disable automatic RAM wiping
sudo health-control ram-wipe-disable
Note
WARNING - Disabling RAM wipe leaves sensitive data in RAM accessible to physical attacks
Step 13: Test RAM wipe system with dry-run (no actual wiping)
sudo health-control wipe-ram-test
Note
SAFE TESTING - Simulates wipe operation without actually overwriting memory. Tests configuration, timing, and policy execution. Use before first real wipe
Step 14: Test kodachi-wiper policy with 10 second time budget
sudo health-control wipe-ram-test --policy kodachi-wiper --time 10
Note
Quick test - Validates kodachi-wiper policy works correctly. 10s budget ensures fast test completion
Step 15: Test RAM wipe with detailed JSON diagnostic metrics
sudo health-control wipe-ram-test --json
Note
DIAGNOSTIC OUTPUT - Returns timing, memory stats, policy execution details, and potential issues. Essential for troubleshooting
Step 16: Execute RAM wipe operation manually with configured policy
sudo health-control wipe-ram
Note
ADVANCED - Manually trigger RAM wipe using system configuration. Automatically called by shutdown hooks. Use for testing or emergency wipe
Step 17: Execute RAM wipe optimized for shutdown context
sudo health-control wipe-ram --shutdown-mode
Note
INTERNAL USE - Shutdown-optimized mode disables unnecessary checks and output. Used by systemd shutdown hooks
Step 18: Execute RAM wipe using kodachi-wiper overwrite policy
sudo health-control wipe-ram --policy kodachi-wiper
Note
POLICY: Kodachi-wiper fast overwrite algorithm - Single pass with random data. Fastest but least thorough (60-120 seconds for 8GB)
Step 19: Execute RAM wipe using sdmem utility (multiple passes)
sudo health-control wipe-ram --policy sdmem
Note
POLICY: sdmem (secure-delete memory) - Multiple passes with patterns. Slower but more thorough (3-7 passes configurable). Government-grade erasure
Step 20: Execute RAM wipe using both kodachi-wiper AND sdmem sequentially
sudo health-control wipe-ram --policy both
Note
POLICY: Maximum security - Kodachi-wiper FIRST (fast pass), then sdmem (thorough passes). Best security but longest time. Recommended for high-security environments
Step 21: Execute RAM wipe with automatic policy selection based on available RAM
sudo health-control wipe-ram --policy auto
Note
POLICY: Auto-detection - Chooses policy based on RAM size and available time: <4GB=kodachi-wiper, 4-16GB=both, >16GB=sdmem. Balances speed and security
Step 22: Execute RAM wipe with 120 second time budget
sudo health-control wipe-ram --time 120
Note
TIME BUDGET - Maximum seconds allowed for wipe operation. System will shutdown/reboot when time expires even if wipe incomplete. Critical for automated shutdowns
Step 23: Detect if Kicksecure/Whonix RAM wipe is installed
sudo health-control ram-wipe-detect-kicksecure
Note
COMPATIBILITY CHECK - Detects Kicksecure's ram-wipe-on-boot package. Prevents conflicts between Kodachi and Kicksecure RAM wipe systems
Step 24: Update RAM wipe policy to auto with 150 second time budget
sudo health-control ram-wipe-update --policy auto --time 150
Note
SMART MODE - System automatically selects best policy based on: RAM size, shutdown urgency, battery status (laptops). Recommended for most users
Step 25: Enable cold boot attack defense mechanisms
sudo health-control coldboot-defense-enable
Note
PHYSICAL SECURITY - Protects against cold boot attacks that recover encryption keys from RAM after power loss. Enables: RAM overwriting on shutdown, memory scrambling, DMA protection
Step 26: Disable cold boot attack defense
sudo health-control coldboot-defense-disable
Note
WARNING - Disabling leaves encryption keys vulnerable to physical RAM extraction attacks. Only disable if you have alternative physical security
Step 27: Show current cold boot attack defense status
sudo health-control coldboot-defense-status
Note
READ-ONLY: Takes no arguments. Reports the active cold boot protection state.
Step 28: ⚠️ Wipe system RAM contents immediately
sudo health-control ram-wipe
Note
⚠️ DANGEROUS: Overwrites memory contents and takes no arguments. Use ram-wipe-enable/-disable to manage the on-shutdown policy instead.
Scenario 24: Swap Management & Encryption
Swap space enable/disable, configuration, encryption with dm-crypt, and performance tuning with swappiness and cache pressure settings
Step 1: Enable and activate swap space for memory overflow
sudo health-control swap-enable
Note
STABILITY FEATURE - Activates swap partitions/files for memory overflow. Improves system stability under memory pressure but may leak sensitive data to disk
Step 2: Disable and deactivate all swap space
sudo health-control swap-disable
Note
SECURITY FEATURE - Deactivates all swap to prevent disk leakage of sensitive data. May cause out-of-memory errors if RAM insufficient
Step 3: Check swap status, devices, size, and usage
sudo health-control swap-status
Note
Shows: active swap devices, total/used/available size, swap usage percentage, encryption status, swappiness value
Step 4: Configure swap parameters for optimal performance
sudo health-control swap-configure --swappiness 10 --cache-pressure 100
Note
PERFORMANCE TUNING - Swappiness (0-100): 0=never swap, 10=minimal, 60=default, 100=aggressive. Cache pressure controls VFS cache retention (default 100)
Step 5: Encrypt swap with random key generated on each boot
sudo health-control swap-encrypt
Note
ENCRYPTION SECURITY - Uses dm-crypt with random key per boot. Protects swapped memory from offline disk forensics. Slight performance impact (~5-10%)
Step 6: Remove swap encryption and revert to plain swap
sudo health-control swap-decrypt
Note
WARNING - Removes encryption protection. Swapped data will be readable from disk in clear text. Only use if encryption causes performance issues
Step 7: Check swap encryption status and configuration
sudo health-control swap-encrypt-status
Note
Shows: encryption enabled/disabled, cipher type (aes-xts-plain64), key size, whether using random keys, encrypted device mapper name
Step 8: Enable swap (alternative command alias)
sudo health-control enable-swap
Step 9: Disable swap (alternative command alias)
sudo health-control disable-swap
Scenario 25: Memory Statistics & Cleanup
Memory usage statistics, cache cleaning, and memory optimization without data loss
Step 1: Show current memory usage statistics (total, available, used, cached)
sudo health-control memory-stats
Step 2: Memory statistics in human-readable JSON format
sudo health-control memory-stats --json-human
Note
JSON OUTPUT DEMO - Use --json for compact machine-readable format, --json-human for readable format with color and formatting
Step 3: Clean memory caches and buffers (pagecache, dentries, inodes)
sudo health-control memory-clean
Note
Safe operation - drops caches but does NOT kill processes. Improves available memory without data loss
Step 4: Force aggressive memory cleanup (sync + drop_caches=3)
sudo health-control memory-force-clean
Note
ADVANCED - Kills top memory-consuming process + aggressive cache drop. Use with caution in production
Scenario 26: Process Memory Security
Secure process memory wiping before termination and per-process memory limits using cgroups for browsers and applications
Step 1: Securely wipe memory contents (anti-forensics)
sudo health-control memory-wipe
Note
SECURITY FEATURE - Overwrites memory with random data to prevent forensic recovery. Used for sensitive operations
Step 2: Securely wipe Firefox process memory before termination
sudo health-control memory-wipe-process --value firefox
Note
PRIVACY PROTECTION - Clears sensitive data (passwords, session keys, browsing history) from process memory before kill
Step 3: Securely wipe Chrome browser memory
sudo health-control memory-wipe-process --value chrome
Note
Clears authentication tokens, cached passwords, and browsing data from Chrome's memory space
Step 4: Securely wipe Thunderbird email client memory
sudo health-control memory-wipe-process --value thunderbird
Note
Erases email content, credentials, and encryption keys from email client memory
Step 5: Securely wipe Tor Browser memory
sudo health-control memory-wipe-process --value tor-browser
Note
Clears Tor circuit keys, browsing session data, and cached .onion addresses from memory
Step 6: Set Firefox memory limit to 2048 MB using cgroups
sudo health-control memory-limits --value firefox --limit 2048
Note
RESOURCE CONTROL - Uses Linux cgroups to enforce hard memory limits per process. Prevents single process from consuming excessive memory. Process killed if limit exceeded
Step 7: Set Chrome memory limit to 1024 MB
sudo health-control memory-limits --value chrome --limit 1024
Note
Chrome often consumes excessive memory. Limiting prevents system slowdown. Note: Limit applies to total browser memory across all processes
Step 8: Set Tor Browser memory limit to 1536 MB
sudo health-control memory-limits --value tor-browser --limit 1536
Note
Tor Browser requires more memory than standard browsers due to Tor circuit management and enhanced security features. 1536MB recommended minimum
Step 9: List all configured memory limits and their current usage
sudo health-control memory-limits --list
Note
Shows: process name, configured limit, current memory usage, limit utilization percentage, cgroup path, status (active/inactive)
Scenario 27: Emergency Shortcuts - Keyboard-Triggered Actions
Hardware keyboard shortcuts for emergency operations via kodachi-session-helper daemon. All commands use LOCAL session tokens (no online auth required). Works fully offline. Session token is read automatically from $XDG_RUNTIME_DIR/kodachi-session-helper/session.token
Step 1: Dry-run dashboard nuke to test without executing destructive actions
sudo health-control emergency-trigger --plan dashboard --dry-run
Note
SAFE TESTING - Validates session token and plan without executing. Use for testing shortcut configuration and daemon integration. Session token read from $XDG_RUNTIME_DIR/kodachi-session-helper/session.token
Step 2: Trigger dashboard nuke via emergency shortcut (wipe dashboard data, logs, configs)
sudo health-control emergency-trigger --plan dashboard
Note
KEYBOARD: The session helper uses the shortcut currently configured in the dashboard. Hold the approved combo for roughly 2-3 seconds. The global trigger is silent and does not reopen the dashboard UI.
Step 3: Trigger LUKS nuke via emergency shortcut (destroy encrypted partition headers)
sudo health-control emergency-trigger --plan luks --device /dev/sda2
Note
KEYBOARD: Uses the dashboard-configured approved combo. Hold it for roughly 2-3 seconds. IRREVERSIBLE - destroys LUKS headers making encrypted data unrecoverable. --device is required for luks and both plans.
Step 4: Trigger full nuke (dashboard + LUKS combined) via emergency shortcut
sudo health-control emergency-trigger --plan both --device /dev/sda2
Note
KEYBOARD: Uses the dashboard-configured approved combo and should be held for roughly 2-3 seconds. Combines dashboard-nuke and luks-nuke for maximum data destruction. IRREVERSIBLE.
Step 5: Trigger emergency action with JSON output for automation
sudo health-control emergency-trigger --plan dashboard --json
Note
JSON output includes: plan name, success status, execution duration, affected components. Useful for logging and monitoring.
Step 6: Dry-run LUKS nuke with JSON output for pre-flight validation
sudo health-control emergency-trigger --plan luks --device /dev/sda2 --dry-run --json
Note
Combines --dry-run and --json for safe testing with machine-readable output. Ideal for dashboard integration testing.
Step 7: Force-trigger full nuke silently (skip readiness checks, suppress output)
sudo health-control emergency-trigger --plan both --device /dev/sda2 --force --silent
Note
DAEMON MODE - Used by kodachi-session-helper daemon. --force skips readiness checks, --silent suppresses stdout. For automated invocation only.
Step 8: Dry-run a 5-minute delayed lockdown for dashboard nuke
sudo health-control emergency-lockdown --delay 300 --plan dashboard --dry-run
Note
SAFE TESTING - Preview lockdown without starting timer. Validates parameters and session token.
Step 9: Start a 5-minute delayed lockdown that triggers dashboard nuke
sudo health-control emergency-lockdown --delay 300 --plan dashboard
Note
DELAYED LOCKDOWN - Schedules emergency action after countdown. User can cancel before timer expires with emergency-lockdown-cancel. Useful for dead-man-switch scenarios.
Step 10: Start a 1-minute delayed lockdown for LUKS nuke
sudo health-control emergency-lockdown --delay 60 --plan luks --device /dev/sda2
Note
SHORT TIMER - 60 second countdown before LUKS header destruction. Cancel with emergency-lockdown-cancel if needed.
Step 11: Check if a delayed lockdown is currently active and its remaining time
sudo health-control emergency-lockdown-status
Note
READ-ONLY - No session token required. Shows: active status, scheduled plan, remaining seconds, start time. Returns 'No active lockdown' if none pending.
Step 12: Check lockdown status in JSON format for dashboard integration
sudo health-control emergency-lockdown-status --json
Note
JSON output for dashboard polling and monitoring systems. No authentication required for status checks.
Step 13: Cancel an active delayed lockdown before it triggers
sudo health-control emergency-lockdown-cancel
Note
Cancels pending lockdown and kills the timer process. Requires valid session token. Returns error if no lockdown is active.
Step 14: Cancel lockdown with JSON confirmation output
sudo health-control emergency-lockdown-cancel --json
Note
Machine-readable cancellation confirmation for dashboard integration.
Scenario 28: Display & Power
Conky, screensaver, DPMS, and session power controls
Step 1: Start Conky widget
health-control conky-enable
Step 2: Stop Conky widget
health-control conky-disable
Step 3: Conky status as JSON
health-control conky-status --json
Step 4: Enable Conky autostart on boot
health-control conky-boot-enable
Step 5: Disable Conky autostart
health-control conky-boot-disable
Step 6: Disable XFCE screensaver
health-control screensaver-disable
Step 7: Re-enable screensaver
health-control screensaver-enable
Step 8: Check screensaver state
health-control screensaver-status --json
Step 9: Keep display always on
health-control dpms-disable
Step 10: Restore display power saving
health-control dpms-enable
Step 11: Check DPMS timeouts
health-control dpms-status --json
Step 12: Lock screen immediately
health-control lock-screen
Note
Multi-fallback: loginctl > xdg-screensaver > xflock4
Step 13: End XFCE session
health-control session-logout
Note
Fallback: loginctl terminate-user
Step 14: Suspend to RAM
health-control suspend
Note
Fallback: systemctl suspend
Step 15: Mask sensitive info in Conky panels for safe screenshots
health-control conky-mask-enable
Step 16: Unmask Conky panels to show real data
health-control conky-mask-disable
Step 17: Check if Conky privacy masking is active
health-control conky-mask-status
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
RUST_LOG |
Set logging level | info | error|warn|info|debug|trace |
NO_COLOR |
Disable all colored output when set | unset | 1|true|yes (any value disables color) |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Permission denied |
| 4 | Network error |
| 5 | File not found |