health-control
Health control system for Kodachi that includes network connectivity checks and system health monitoring
Version: 9.0.1 | Size: 8.0MB | Author: Warith Al Maawali
License: Proprietary | Website: https://www.digi77.com
File Information
| Property | Value |
|---|---|
| Binary Name | health-control |
| Version | 9.0.1 |
| Build Date | 2025-10-24T16:44:06.522810764Z |
| Rust Version | 1.82.0 |
| File Size | 8.0MB |
Features
- Network connectivity monitoring
- Internet traffic control
- Security hardening
- System integrity checking
- Offline system management
Security Features
| Feature | Description |
|---|---|
| Authentication | Secure authentication with certificate pinning |
| Encryption | TLS 1.3 for all network communications |
| Input validation | All inputs are validated and sanitized |
| Rate limiting | Built-in rate limiting for network operations |
System Requirements
| Requirement | Value |
|---|---|
| OS | Linux (Debian-based) |
| Privileges | root/sudo for system operations |
| Dependencies | OpenSSL, libcurl |
Global Options
| Flag | Description |
|---|---|
| -h, --help | Print help information |
| -v, --version | Print version information |
| -n, --info | Display detailed information |
| -e, --examples | Show usage examples |
| --json | Output in JSON format |
| --json-pretty | Pretty-print JSON output with indentation |
| --json-human | Enhanced JSON output with improved formatting (like jq) |
| --verbose | Enable verbose output |
| --quiet | Suppress non-essential output |
| --no-color | Disable colored output |
| --config <FILE> | Use custom configuration file |
| --timeout <SECS> | Set timeout (default: 30) |
| --retry <COUNT> | Retry attempts (default: 3) |
Commands
Data Destruction
wipe-file
Securely wipe a file with multiple passes
Usage:
Examples:
wipe-directory
Securely wipe an entire directory and its contents
Usage:
Examples:
wipe-logs
Securely wipe system logs (journal, syslog, auth.log, kern.log), user history (bash, zsh, python), and application cache logs
Usage:
Examples:
wipe-batch
Batch wipe multiple files
Usage:
Examples:
wipe-browser-data
Wipe browser data and history
Usage:
Examples:
wipe-free-space
Securely wipe free space on a mounted filesystem (use mount points like '/', '/home' or device paths)
Usage:
Examples:
wipe-pattern
Wipe files matching pattern (use --pattern flag or positional argument)
Usage:
Examples:
wipe-schedule
Schedule automatic data wiping
Usage:
Examples:
wipe-verify
Verify that a file was wiped properly
Usage:
Examples:
Emergency Operations
kill-switch-arm
Arm the emergency kill switch - sets system to high-alert state for manual activation. NOTE: This prepares the system for rapid response but does NOT actively monitor for threats. It's a preparedness state that allows quick manual activation via kill-switch-activate command.
Usage:
Examples:
kill-switch-disarm
Disarm the emergency kill switch
Usage:
Examples:
kill-switch-status
Check if kill switch monitoring is armed/disarmed. Shows armed time, trigger count, and monitoring state. Does NOT activate anything - just displays current status.
Usage:
Examples:
kill-switch-activate
IMMEDIATELY activate emergency procedures. Unlike 'arm' which monitors, this executes panic mode NOW. Choose level: soft (network+lock), medium (default: +kill processes), hard (+RAM wipe+shutdown)
Usage:
Examples:
panic-soft
IMMEDIATE soft panic mode. Actions: Kill all network connections, clear clipboard, lock screen. NO CONFIRMATION. Reversible by restarting network. Use for quick privacy protection.
Usage:
Examples:
panic-hard
IMMEDIATE hard panic mode with CONFIRMATION. CRITICAL: Kill network, clear clipboard, terminate ALL processes, clear memory, unmount devices, wipe RAM, IMMEDIATE SHUTDOWN. IRREVERSIBLE - system will shutdown!
Usage:
Examples:
panic-medium
IMMEDIATE medium panic mode with CONFIRMATION. Actions: Kill network, clear clipboard, terminate non-essential processes, clear memory, unmount devices, lock screen. Requires manual system restart to fully restore.
Usage:
Examples:
panic-profile
Configure automated emergency response profile that defines system actions during panic mode activation
Usage:
Examples:
panic-recover
Activate panic recovery mode
Usage:
Examples:
create-recovery-point
Create system recovery checkpoint
Usage:
Examples:
Hardware Security
hardware-rng-verify
Verify hardware random number generator status
Usage:
Examples:
entropy-status
Check system entropy pool status and quality
Usage:
Examples:
coldboot-defense-enable
Enable cold boot defense mechanisms
Usage:
Examples:
coldboot-defense-disable
Disable cold boot defense mechanisms
Usage:
Examples:
boot-integrity-check
Check boot chain integrity and security status
Usage:
Examples:
Hostname Management
set-default-hostname
Set the default hostname
Usage:
Examples:
set-random-hostname
Set a random hostname
Usage:
Examples:
set-custom-hostname
Set a custom hostname
Usage:
Examples:
Internet Traffic Control
block-internet
Block all internet traffic
Usage:
Examples:
unblock-internet
Unblock internet traffic
Usage:
Examples:
internet-status
Check internet blocking status
Usage:
Examples:
recover-internet
Recover internet connectivity
Usage:
Examples:
kill-network
Emergency network kill switch
Usage:
Examples:
kill-network-interface
Kill specific network interface
Usage:
Examples:
kill-process
Kill specific process by name or PID
Usage:
Examples:
enable
Enable a watch-guard to monitor system changes and block internet on triggers
Usage:
Examples:
disable
Disable an active watch-guard and optionally unblock internet
Usage:
Options:
- --type: Type of command to disable
- --no-unblock: Do not unblock internet after disabling watch-guard
Examples:
watch-guard
Show status of active watch-guards
Usage:
Examples:
daemon
Run watch-guard monitoring as a persistent daemon process
Usage:
Options:
- --config-id: Configuration ID to monitor
Examples:
MAC Address Management
mac-change-all
Change all MAC addresses
Usage:
Examples:
mac-force-change
Force change all MAC addresses (disable interfaces first)
Usage:
Examples:
mac-change-specific
Change specific interface MAC address
Usage:
Examples:
mac-show-interfaces
Show available network interfaces
Usage:
Examples:
mac-show-macs
Show current MAC addresses
Usage:
Examples:
mac-reset-all
Reset all MAC addresses to default
Usage:
Examples:
mac-active-interface
Show active network interface
Usage:
Examples:
Memory Management
memory-clean
Clean memory caches and buffers
Usage:
Examples:
memory-force-clean
Force clean memory by killing top process
Usage:
Examples:
memory-wipe
Secure RAM wipe (sdmem)
Usage:
Examples:
memory-wipe-process
Wipe memory of specific process
Usage:
Examples:
memory-limits
Manage process memory limits
Usage:
Examples:
memory-stats
Display memory statistics and history
Usage:
Examples:
swap-configure
Configure swap settings
Usage:
Examples:
disable-swap
Disable swap memory
Usage:
Examples:
enable-swap
Enable swap memory
Usage:
Examples:
Network Connectivity
net-check
Check network connectivity (IP and DNS only)
Usage:
Options:
- --timeout <SECONDS>: Timeout in seconds for each connectivity check
- --http: Include HTTP connectivity check
- --ip-only: Check IP connectivity only, skip DNS checks
- --domain-only: Check domain connectivity only, skip IP ping
Examples:
net-check-http
Check network connectivity including HTTP
Usage:
Examples:
list-ips
List IPs used for connectivity testing
Usage:
Examples:
list-domains
List domains used for connectivity testing
Usage:
Examples:
Offline Actions
offline-postgresql
Manage PostgreSQL database service
Usage:
Examples:
Password Generation
genpass
Generate secure passwords using multiple methods (pass, pwgen, xkcdpass)
Usage:
Examples:
Security
security-status
Show comprehensive security status
Usage:
Examples:
Security Assessment
security-score
Calculate security score and get recommendations
Usage:
Examples:
security-report
Generate comprehensive security report
Usage:
Examples:
security-profile
Set security profile and thresholds
Usage:
security-history
View security configuration history
Usage:
Examples:
security-remediate
Auto-remediate security issues
Usage:
Examples:
security-schedule
Schedule security scans (hourly, daily, weekly, monthly, disable)
Usage:
Examples:
rootkit-scan-enhanced
Enhanced rootkit scanning with multiple tools
Usage:
Examples:
lynis-audit
Run Lynis security audit
Usage:
Examples:
lynis-status
Check Lynis installation status
Usage:
Examples:
clamav-scan
Scan system with ClamAV antivirus
Usage:
Examples:
system-audit
Perform comprehensive system security audit
Usage:
Examples:
Security Hardening
security-harden
Apply comprehensive security hardening
Usage:
Examples:
security-verify
Verify if security hardening is properly applied (checks all 7 modules and reports their status)
Usage:
Examples:
security-recover
Temporarily revert security hardening (keeps framework enabled for quick re-hardening)
Usage:
Examples:
security-reset
Completely disable all security modules and framework (permanent removal)
Usage:
Examples:
monitoring-enable
Enable system monitoring features
Usage:
Examples:
monitoring-disable
Disable system monitoring features
Usage:
Examples:
monitoring-status
Check system security monitoring status
Usage:
Examples:
ipv6-disable
Disable IPv6 system-wide
Usage:
Examples:
ipv6-enable
Enable IPv6 system-wide
Usage:
Examples:
tirdad-enable
Enable Tirdad TCP ISN randomization
Usage:
Examples:
tirdad-disable
Disable Tirdad TCP ISN randomization
Usage:
Examples:
tirdad-status
Check Tirdad TCP ISN randomization status
Usage:
Examples:
ipv6-status
Check IPv6 status
Usage:
Examples:
ram-wipe
Enable secure RAM wiping on shutdown
Usage:
Examples:
wipe-ram-install
Install RAM wipe system (hooks + configuration) - Run this first if not already installed
Usage:
Examples:
ram-wipe-status
Show RAM wipe system status - Check this first before installing or configuring
Usage:
Examples:
wipe-ram-config
Update RAM wipe configuration - Use this to modify settings after installation
Usage:
Options:
- --policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)
- --time <SECS>: Set time budget for shutdown RAM wiping. Recommended: 60-90s desktops, 120-300s servers
- --passes <NUM>: Set number of sdmem passes (1-9). More = secure but slower. Recommended: 3 balanced, 7+ high-security
- --split <PCT>: Set time split for 'both' mode (10-90). Example: 70 = 70% kodachi-wiper, 30% sdmem. Higher = faster but less secure
Examples:
ram-wipe-enable
Enable automatic RAM wiping on shutdown
Usage:
Examples:
ram-wipe-disable
Disable automatic RAM wiping
Usage:
Examples:
wipe-ram-test
Test RAM wipe operation (dry-run with short time budget) - Run this to verify installation before relying on automatic wipes
Usage:
Options:
- --policy <MODE>: Test specific wipe policy: kodachi-wiper (fast)|sdmem (secure DoD-standard)|both (hybrid)|auto (intelligent auto-selection)
- --time <SECS>: Test time budget in seconds (default: 10). Quick test only - actual shutdown wipe uses configured time budget from wipe-ram-config
Examples:
wipe-ram
Execute RAM wipe operation (primarily used by systemd/init shutdown hooks, but can be run manually for testing)
Usage:
Options:
- --shutdown-mode: INTERNAL USE - Shutdown-optimized mode for systemd/init hooks. Users should use 'wipe-ram' without this flag
- --no-console: Disable console output for silent operation (useful in scripts and background tasks)
- --policy <MODE>: Override wipe policy: kodachi-wiper (fast native wiper for quick shutdowns)|sdmem (secure DoD-standard multi-pass for maximum security)|both (hybrid approach: fast+secure)|auto (intelligent auto-selection based on system capabilities)
- --time <SECS>: Override time budget in seconds (how long to spend wiping RAM). Higher values = more memory wiped but longer shutdown time
Examples:
ram-wipe-detect-kicksecure
Detect Kicksecure/Whonix RAM wipe installation
Usage:
Examples:
ram-wipe-update
Update RAM wipe configuration (alias for wipe-ram-config)
Usage:
Options:
- --policy <MODE>: Set policy: kodachi-wiper (fast native wiper)|sdmem (secure multi-pass)|both (balanced hybrid)|auto (intelligent auto-detection: prefers kodachi-wiper, falls back to sdmem if unavailable)
- --time <SECS>: Set time budget in seconds
- --passes <NUM>: Set sdmem passes (1-9)
- --split <PCT>: Set custom/sdmem split for 'both' mode (10-90)
Examples:
disk-encryption-status
Check disk encryption status and security
Usage:
Examples:
swap-enable
Enable swap partition/file
Usage:
Examples:
swap-disable
Disable swap partition/file
Usage:
Examples:
swap-encrypt
Encrypt swap partition/file
Usage:
Examples:
swap-status
Check swap status and configuration
Usage:
Examples:
swap-decrypt
Decrypt encrypted swap partition/file
Usage:
Examples:
swap-encrypt-status
Check swap encryption status
Usage:
Examples:
usb-list
List all USB devices
Usage:
Examples:
luks-nuke
Manage LUKS nuke passwords
Usage:
Examples:
luks-detect
Detect valid LUKS devices on the system
Usage:
Examples:
luks-manage
Manage LUKS encrypted devices
Usage:
Examples:
luks-nuke-advanced
Advanced LUKS nuke configuration (emergency wipe)
Usage:
Examples:
luks-remove
Remove LUKS encryption from device
Usage:
Examples:
luks-manage-advanced
Advanced LUKS device management
Usage:
Examples:
health-control luks-manage-advanced --action backup-header --device /dev/sdb1 --backup-file /tmp/header.backup
health-control luks-manage-advanced --action restore-header --device /dev/sdb1 --backup-file /tmp/header.backup
create-persistence
Create encrypted persistence file
Usage:
Examples:
encryption-status
Check storage encryption status
Usage:
Examples:
container-create
Create encrypted container
Usage:
Examples:
container-mount
Mount encrypted container
Usage:
Examples:
container-unmount
Unmount encrypted container
Usage:
Examples:
Security Tools
rootkit-scan
Quick rootkit scan (fast, essential checks)
Usage:
Examples:
kloak-status
Check Kloak keyboard anonymization status
Usage:
Examples:
kloak-enable
Enable Kloak keyboard anonymization
Usage:
Examples:
kloak-disable
Disable Kloak keyboard anonymization
Usage:
Examples:
kloak-configure
Configure Kloak keystroke anonymization settings
Usage:
Examples:
kloak-event-mode
Set Kloak event processing mode
Usage:
Examples:
kloak-stats
Show Kloak keystroke anonymization statistics
Usage:
Examples:
aide-update
Update AIDE database after legitimate changes
Usage:
Examples:
aide-check
Check file integrity with AIDE
Usage:
Examples:
aide-init
Initialize AIDE database for file integrity monitoring
Usage:
Examples:
aide-reinit
Reinitialize AIDE database (reset baseline)
Usage:
Examples:
aide-scan-dir
Scan specific directory with AIDE
Usage:
Examples:
Storage Security
storage-wipe
Securely wipe storage devices and free space
Usage:
Examples:
storage-encrypt
Encrypt a storage device
Usage:
Examples:
encryption-tune
Optimize encryption performance and security settings
Usage:
Examples:
System Control
get-hostname
Get the current hostname
Usage:
Examples:
change-hostname
Change hostname (prompts for new hostname)
Usage:
Examples:
list-hostnames
List available hostnames by category
Usage:
Examples:
set-random-hostname-category
Set a random hostname from a specific category
Usage:
Examples:
get-logged-user
Get the actual logged-in user (handles sudo correctly)
Usage:
Examples:
show-timezone
Show current system timezone
Usage:
Examples:
sync-timezone
Sync timezone based on IP geolocation
Usage:
Examples:
show-remote-timezone
Show timezone based on current IP location
Usage:
Examples:
set-timezone
Set system timezone
Usage:
Examples:
list-timezones
List available timezones by category
Usage:
Examples:
set-random-timezone
Set a random timezone from a specific category
Usage:
Examples:
play-sound
Play notification sound
Usage:
Examples:
notify
Send desktop notification
Usage:
Examples:
System Information
offline-info-system
Display comprehensive system information
Usage:
Examples:
offline-info-hardware
Display hardware information
Usage:
Examples:
offline-info-process
Display process information
Usage:
Examples:
offline-info-security
Display security and encryption status
Usage:
Examples:
offline-info-network
Display network information
Usage:
Examples:
offline-info-user
Display user information
Usage:
Examples:
offline-info-storage
Display storage information
Usage:
Examples:
offline-info-services
Display system services information
Usage:
Examples:
offline-info-all
Display all system information
Usage:
Examples:
System Information & Offline Actions
offline-bluetooth
Enable/disable/check Bluetooth service
Usage:
Examples:
offline-wifi
Manage WiFi connectivity
Usage:
Examples:
offline-usb-storage
Manage USB storage devices
Usage:
Examples:
offline-webcam
Manage webcam device
Usage:
Examples:
offline-microphone
Manage microphone device
Usage:
Examples:
offline-systemlogs
Manage system logging
Usage:
Examples:
offline-cups
Manage CUPS printing service
Usage:
Examples:
offline-networkmanager
Manage NetworkManager service
Usage:
Examples:
offline-numlock
Manage NumLock configuration
Usage:
Examples:
offline-cmdhistory
Manage command history
Usage:
Examples:
offline-autologin
Enable/disable/check auto-login functionality
Usage:
Examples:
offline-screen-lock
Manage screen locking
Usage:
Examples:
offline-fdlimit
Enable/disable/check file descriptor limits
Usage:
Examples:
offline-netoptimize
Enable/disable/check network optimization
Usage:
Examples:
offline-bbr
Enable/disable/check BBR congestion control
Usage:
Examples:
offline-ifspeed
Enable/disable/check interface speed optimization
Usage:
Examples:
offline-avahi
Manage Avahi daemon service
Usage:
Examples:
offline-modem-manager
Manage ModemManager service
Usage:
Examples:
offline-ssh
Manage SSH daemon service
Usage:
Examples:
offline-apache
Manage Apache web server service
Usage:
Examples:
offline-nginx
Manage Nginx web server service
Usage:
Examples:
offline-docker
Manage Docker container service
Usage:
Examples:
offline-mysql
Manage MySQL database service
Usage:
Examples:
System Maintenance
auto-updates-enable
Enable automatic security updates
Usage:
Examples:
auto-updates-disable
Disable automatic security updates
Usage:
Examples:
auto-updates-status
Check automatic updates status
Usage:
Examples:
system-maintenance-enable
Enable system maintenance settings
Usage:
Examples:
system-maintenance-disable
Disable system maintenance settings
Usage:
Examples:
system-maintenance-status
Check system maintenance status
Usage:
Examples:
password-policy-enable
Enable password policy enforcement
Usage:
Examples:
password-policy-disable
Disable password policy enforcement
Usage:
Examples:
password-policy-status
Check password policy status
Usage:
Examples:
user-security-enable
Enable user security hardening
Usage:
Examples:
user-security-disable
Disable user security hardening
Usage:
Examples:
user-security-status
Check user security status
Usage:
Examples:
2fa-enable
Enable two-factor authentication
Usage:
Examples:
2fa-disable
Disable two-factor authentication
Usage:
Examples:
2fa-status
Check two-factor authentication status
Usage:
Examples:
check-and-install
Check and install required packages
Usage:
Examples:
check-and-install-do
Execute installation after checking dependencies
Usage:
Examples:
package-cleanup
Clean up unnecessary packages
Usage:
Examples:
clear-cache
Clear system memory caches
Usage:
Examples:
USB Security
usb-guard-enable
Enable USB Guard protection
Usage:
Examples:
usb-guard-disable
Disable USB Guard protection
Usage:
Examples:
usb-policy
Manage USB device policies
Usage:
Examples:
usb-monitor
Monitor USB device connections in real-time
Usage:
Examples:
usb-history
View USB device connection history
Usage:
Examples:
usb-whitelist
Manage USB device whitelist
Usage:
Examples:
Examples
Network Connectivity
Test network connectivity and configuration
Test both IP and domain connectivity (DNS only)
Expected Output: Network connectivity status

Test IP and domain connectivity including HTTP
Expected Output: HTTP connectivity test results

Network check with JSON output for automation
Expected Output: JSON formatted network status

HTTP network check with JSON output
Expected Output: JSON formatted HTTP connectivity results

Check IP connectivity only, skip DNS checks
Expected Output: IP connectivity test results

Check domain connectivity only, skip IP ping
Expected Output: Domain connectivity test results

Use custom timeout for network checks
Expected Output: Network check with 15 second timeout

IP-only connectivity check with JSON output
Expected Output: JSON formatted IP connectivity results

Domain-only connectivity check with custom timeout
Expected Output: Domain connectivity test with 20 second timeout

Show IPs used for connectivity testing
Expected Output: List of test IP addresses

Show domains used for connectivity testing
Expected Output: List of test domain names

Internet Traffic Control
Block and unblock internet traffic
Block internet using auto-detected method (tries nftables, then iptables, then UFW, then interfaces)
Expected Output: Internet blocked successfully
Note: Without --method specified, health-control automatically selects the best available method

Block using iptables firewall rules
Expected Output: Iptables rules applied successfully

Block using nftables firewall rules (preferred modern firewall)
Expected Output: Nftables rules applied successfully

Block using UFW (Uncomplicated Firewall)
Expected Output: UFW rules applied successfully

Block by disabling network interfaces
Expected Output: Network interfaces disabled successfully

Block using ALL methods (UFW, nftables, iptables, and interfaces)
Expected Output: All blocking methods applied successfully
Note: Applies all available blocking methods for maximum security

Block internet but allow local network traffic
Expected Output: Internet blocked, local traffic allowed

Block internet with JSON output
Expected Output: JSON formatted blocking status

Block internet with iptables, allow local, JSON output
Expected Output: JSON formatted blocking status with details

Block using ALL methods but allow local network traffic
Expected Output: All blocking methods applied, local traffic allowed

Unblock internet traffic
Expected Output: Internet unblocked successfully

Unblock using nftables specifically
Expected Output: Internet unblocked using nftables

Unblock using iptables specifically
Expected Output: Internet unblocked using iptables

Unblock using UFW specifically
Expected Output: Internet unblocked using UFW

Unblock ALL methods (clears UFW, nftables, iptables, and re-enables interfaces)
Expected Output: All blocking methods cleared successfully
Note: Ensures complete restoration by clearing all possible blocks

Unblock internet with JSON output
Expected Output: JSON formatted unblocking status

Check current internet blocking status
Expected Output: Internet traffic status

Check if internet traffic is blocked with JSON output
Expected Output: JSON formatted block status

ARM the emergency kill switch - sets system to high-alert monitoring mode
Expected Output: Kill switch ARMED - Monitoring mode active
Note: MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:
- NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections
- FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications
- PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns
- AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)
- SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering
Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
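
The AUTH MONITORING item above names a threshold of 5 failed logins in /var/log/auth.log. The following is an added example, not health-control's own code, showing one way such a threshold check can work. The 10-minute window, the sshd line format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # from the note above: "threshold: 5 failures"
WINDOW = timedelta(minutes=10)   # assumption: the page states no time window

# Classic syslog-format sshd failure line, as written to /var/log/auth.log.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines (documentation IP ranges, made-up host name).
SAMPLE_AUTH_LOG = """\
Oct 24 16:40:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 24 16:40:05 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 24 16:40:09 host1 sshd[2103]: Accepted password for user from 192.0.2.10 port 40022 ssh2
Oct 24 16:40:12 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 24 16:41:30 host1 sshd[2107]: Failed password for root from 198.51.100.9 port 33000 ssh2
Oct 24 16:42:02 host1 sshd[2109]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 24 17:30:00 host1 sshd[2200]: Failed password for user from 192.0.2.10 port 40100 ssh2
""".splitlines()


def scan_auth_log(lines, threshold=THRESHOLD, window=WINDOW, year=2025):
    """Return (triggers, per_source).

    triggers:   timestamps at which `threshold` failures fell inside `window`.
    per_source: Counter of failed logins per source address, for triage.
    """
    recent = deque()        # timestamps of failures still inside the window
    per_source = Counter()
    triggers = []
    for line in lines:
        m = FAILED.match(line)
        if m is None:
            continue        # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_source[m["src"]] += 1
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()    # expire failures older than the window
        if len(recent) >= threshold:
            triggers.append(ts)
            recent.clear()      # re-arm: one burst raises one trigger
    return triggers, per_source


if __name__ == "__main__":
    triggers, per_source = scan_auth_log(SAMPLE_AUTH_LOG)
    for ts in triggers:
        print(f"threshold reached at {ts:%b %d %H:%M:%S}")
    for src, count in per_source.most_common():
        print(f"{src}: {count} failed logins")
```

The per-source counts show which address drove a trigger, which helps separate a single noisy client from a distributed attempt before any panic level is activated.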
DISARM kill switch monitoring
Expected Output: Kill switch DISARMED
Note: Stops monitoring mode. Use after threat has passed or false alarm.

Check if monitoring is armed/disarmed
Expected Output: Shows armed status, trigger count, armed time
Note: READ-ONLY: Just displays current state, takes no action

IMMEDIATELY activate kill switch (default: medium panic)
Expected Output: KILL SWITCH ACTIVATED - emergency procedures executed
Note: IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard

IMMEDIATE soft panic (NO confirmation)
Expected Output: Soft panic activated
Note: Actions: Kill network, clear clipboard, lock screen. Reversible.

IMMEDIATE medium panic (WITH confirmation)
Expected Output: Medium panic activated
Note: Actions: Kill network, terminate processes, clear memory, unmount devices. Requires manual restart.

IMMEDIATE hard panic with SHUTDOWN (WITH confirmation)
Expected Output: Hard panic activated - system will shutdown
Note: CRITICAL: Wipes RAM, unmounts all, IMMEDIATE SHUTDOWN. IRREVERSIBLE!

Recover from panic mode
Expected Output: System recovered from panic mode
Note: Re-enables network, remounts volumes, restores services

Watch-Guard Management
Monitor system changes and block internet on triggers
Enable watch-guard to block internet if IP changes (VPN protection)
Expected Output: Watch-guard enabled message with initial IP
Note: Blocks internet using nftables if external IP changes

Enable watch-guard for timezone changes
Expected Output: Watch-guard enabled with current timezone
Note: Detects system time manipulation attempts

Monitor network interfaces for changes
Expected Output: Watch-guard monitoring interface list
Note: Blocks if new interfaces appear or existing ones change

Monitor Tor process and block if it dies
Expected Output: Watch-guard watching Tor process count
Note: Ensures no clearnet traffic if Tor crashes

Monitor Firefox and use all block methods if it stops
Expected Output: Watch-guard active for Firefox process
Note: Maximum blocking using all available methods

Show all active watch-guards and their trigger counts
Expected Output: List of active watch-guards with details

Disable IP watch-guard and unblock internet
Expected Output: Watch-guard disabled confirmation
Note: Automatically unblocks internet unless --no-unblock used

Disable all watch-guards but keep internet blocked
Expected Output: All watch-guards disabled message
Note: Use when you want manual control over unblocking

Network Recovery
Diagnose and fix connectivity issues
Automatically diagnose and fix connectivity issues
Expected Output: Recovery steps performed and status

Include DNS resolution testing and fixes
Expected Output: Recovery with DNS diagnostics

Force recovery even if connectivity appears working
Expected Output: Forced recovery completion status

Timezone Management
Manage system timezone settings
Sync timezone based on IP geolocation
Expected Output: Timezone synchronized to detected location

Show current system timezone
Expected Output: Current timezone information

Set specific timezone
Expected Output: Timezone set to America/New_York

Show timezone based on current IP location
Expected Output: Remote location timezone information

List all timezone categories
Expected Output: List of timezone categories with counts

List all available timezones
Expected Output: Complete list of timezones

List African timezones
Expected Output: List of African timezones

List American timezones
Expected Output: List of North and South American timezones

List Asian timezones
Expected Output: List of Asian timezones

List European timezones
Expected Output: List of European timezones

List Australian timezones
Expected Output: List of Australian timezones

List Pacific timezones
Expected Output: List of Pacific timezones

List UTC timezones
Expected Output: List of UTC timezones

List timezone categories in JSON format
Expected Output: JSON output of timezone categories

Set a random timezone from all available
Expected Output: Timezone set to random value
Note: Requires sudo privileges

Set random American timezone
Expected Output: Timezone set to random American timezone
Note: Requires sudo privileges

Set random European timezone
Expected Output: Timezone set to random European timezone
Note: Requires sudo privileges

Set random Asian timezone
Expected Output: Timezone set to random Asian timezone
Note: Requires sudo privileges

Set random African timezone
Expected Output: Timezone set to random African timezone
Note: Requires sudo privileges

Set random Pacific timezone with JSON output
Expected Output: JSON output of timezone change
Note: Requires sudo privileges

MAC Address Management
Change and manage MAC addresses
Change MAC addresses for all interfaces
Expected Output: All MAC addresses changed

Force change MAC addresses
Expected Output: MAC addresses force-changed
Note: Use when regular change fails

Change MAC for specific interface
Expected Output: MAC address changed for eth0

Show all network interfaces
Expected Output: List of network interfaces

Show current MAC addresses
Expected Output: List of interfaces and MAC addresses

Reset all MACs to original values
Expected Output: MAC addresses reset to original

Show active network interface
Expected Output: Currently active network interface

Hostname Management
Get and set system hostname
Get current system hostname
Expected Output: Current hostname

Get hostname in JSON format
Expected Output: JSON formatted hostname

Get the actual logged-in user (handles sudo correctly)
Expected Output: Username of logged-in user
Note: Returns actual user even when run with sudo

Get logged user with additional info in JSON format
Expected Output: JSON with username, home directory, and detection method

Set default system hostname
Expected Output: Default hostname set

Set random hostname for privacy
Expected Output: Random hostname set

Set random hostname with JSON output
Expected Output: JSON formatted hostname change result

Set custom hostname
Expected Output: Hostname set to MyHost

Set descriptive custom hostname
Expected Output: Hostname set to privacy-machine

Set custom hostname with JSON output
Expected Output: JSON formatted hostname change result

List all hostname categories
Expected Output: List of available hostname categories with counts

List all available hostnames
Expected Output: Complete list of all predefined hostnames

List Windows hostnames
Expected Output: List of Windows-style hostnames

List Linux hostnames
Expected Output: List of Linux distribution hostnames

List Apple/Mac hostnames
Expected Output: List of macOS and Apple device hostnames

List hostname categories in JSON format
Expected Output: JSON formatted category list with counts

Set random hostname from all categories
Expected Output: Random hostname selected and set

Set random Windows hostname
Expected Output: Random Windows-style hostname set

Set random Linux hostname
Expected Output: Random Linux distribution hostname set

Set random fictional hostname with JSON output
Expected Output: Random fictional hostname set with JSON result

Security Hardening
Apply and verify comprehensive security settings (7 modules: kernel, process, filesystem, network, memory, monitoring, sandboxing)
Apply standard security hardening (network-safe): kernel hardening, process isolation, filesystem security, memory protection, monitoring, sandboxing - PRESERVES internet connectivity
Expected Output: Security hardening completed (network connectivity preserved)
Note: Standard profile maintains system usability and network connectivity
Apply PARANOID profile - WARNING: WILL BREAK INTERNET CONNECTIVITY: All hardening PLUS network isolation, DNS blocking, disabled IP forwarding
Expected Output: Paranoid security applied (network isolated)
Note: ⚠️ INTERNET CONNECTIVITY DISABLED - To recover: sudo health-control recover-internet
Check if all 7 security modules are enabled and properly configured
Expected Output: Shows each module: ENABLED/DISABLED and configuration status
Note: Use after security-harden to verify settings are applied
Apply only specific modules (kernel sysctl and network firewall)
Expected Output: Applied 2 modules: kernel and network hardening
Note: Modules: kernel, process, filesystem, network, memory, monitoring, sandboxing
Temporarily revert security hardening (keeps framework ready for quick re-hardening)
Expected Output: Security recovery completed - modules show 'ENABLED (needs configuration)'
Note: Use for troubleshooting. Framework remains enabled for easy re-hardening with security-harden.
Recover only specific security modules
Expected Output: Selected modules recovered
Note: Available modules: kernel, filesystem, network, memory, monitoring, smt
Completely disable all security modules and framework (permanent removal)
Expected Output: All modules show 'DISABLED' - framework completely removed
Note: WARNING: Unlike security-recover, this permanently disables the framework. Requires rebuilding to re-enable.
Reset security framework without confirmation prompt
Expected Output: Security framework completely disabled
Note: Use --force to skip the confirmation prompt in automation scripts
Enable system security monitoring (auditd, LKRG, file integrity, auth events)
Expected Output: Security monitoring enabled
Note: Enables auditd for system call auditing, LKRG for kernel integrity, file integrity monitoring (AIDE/Tripwire), and auth event logging
Disable system security monitoring services
Expected Output: Security monitoring disabled
Note: Stops all security monitoring services - reduces system overhead but decreases security visibility
Check current system security monitoring status
Expected Output: Security monitoring status details
Note: Shows status of auditd, LKRG, AIDE, and auth logging - helps verify which monitoring services are active
Enable Tirdad kernel module for TCP ISN randomization (prevents OS fingerprinting)
Expected Output: Tirdad enabled successfully
Note: Randomizes TCP Initial Sequence Numbers to prevent remote OS fingerprinting attacks and TCP sequence prediction
Disable Tirdad TCP ISN randomization module
Expected Output: Tirdad disabled successfully
Note: Restores default TCP ISN generation - may make system identifiable via network fingerprinting
Check Tirdad TCP ISN randomization module status
Expected Output: Tirdad status: ENABLED/DISABLED
Note: Shows if kernel module is loaded and TCP ISN randomization is active
Check disk encryption status
Expected Output: Disk encryption configuration
Note: Displays LUKS encryption status for all disks, cipher algorithms, and key slot usage
List all USB devices
Expected Output: Connected USB devices
Note: Shows all connected USB devices with vendor/product IDs for security auditing
Create system persistence
Expected Output: System persistence created
Note: Creates encrypted persistence partition for storing data across reboots on live systems
Show overall encryption status
Expected Output: System encryption status report
Note: Comprehensive report of all encryption: disks, swap, home directories, and key management
System Health & Security Tools
Monitor system health and run security audits
Perform comprehensive system security audit
Expected Output: System audit status report
Scan system for rootkits
Expected Output: Rootkit scan results
Check system security status
Expected Output: JSON formatted security status info
Run comprehensive Lynis security audit
Expected Output: Complete Lynis audit report
Note: Comprehensive security assessment
Check Lynis installation and status
Expected Output: Lynis service status
Initialize AIDE database
Expected Output: AIDE database created successfully
Note: First time setup required
Check file integrity with AIDE
Expected Output: File integrity check results
Check kloak keystroke anonymization status
Expected Output: Kloak service status and configuration
Enable kloak keystroke anonymization
Expected Output: Kloak enabled successfully
Disable kloak keystroke anonymization
Expected Output: Kloak disabled successfully
IPv6 Management
Control and monitor IPv6 protocol settings
Check current IPv6 configuration status
Expected Output: IPv6 Status: ENABLED/DISABLED with interface details
Note: Shows runtime status, boot config, and active interfaces
Disable IPv6 system-wide (sysctl and GRUB)
Expected Output: IPv6 disabled with details of changes applied
Note: Reboot recommended for full effect
Enable IPv6 system-wide
Expected Output: IPv6 enabled with details of changes applied
Note: Reboot recommended for full effect
Get detailed IPv6 status in JSON format
Expected Output: Complete IPv6 configuration including runtime, boot config, and interfaces
Memory and Storage Security
Advanced memory management and storage security
List all LUKS devices
Expected Output: LUKS device status and configuration
Configure nuke password interactively
Expected Output: LUKS nuke password configured
Note: Interactive password setup
USB and Device Security
USB device control and security policies
List all connected USB devices
Expected Output: USB device list with security status
Check USB security policies
Expected Output: USB security policy assessment
Data Destruction
Secure data wiping procedures
Securely wipe file with 7 passes
Expected Output: File securely wiped and unrecoverable
Note: Multiple passes increase security
Securely wipe entire directory
Expected Output: Directory and contents wiped securely
Note: All files in directory will be destroyed
Wipe free space on device
Expected Output: Free space wiped securely
Note: Prevents recovery of deleted files
Wipe system and application logs
Expected Output: Logs wiped successfully
Note: Removes log file traces
Wipe browser history and data
Expected Output: Browser data wiped
Note: Removes browsing history and cache
Schedule automatic temporary file wiping daily
Expected Output: File wipe scheduled successfully
Note: Automatically wipes temp files based on frequency
Wipe all temporary files matching pattern
Expected Output: Files matching pattern wiped
Note: Uses glob patterns to match files for wiping
Verify file has been securely wiped
Expected Output: File wipe verification results
Batch wipe multiple files with 7 passes
Expected Output: Batch file wiping completed
Note: Space-separated file paths
System Maintenance and Updates
Automated updates, password policies, and system maintenance
Enable automatic security updates
Expected Output: Automatic security updates enabled
Disable automatic updates
Expected Output: Automatic updates disabled
Check automatic updates status
Expected Output: Auto-updates configuration status
Enable strong password policy
Expected Output: Strong password policy enforced
Disable strong password policy
Expected Output: Password policy disabled
Enable user security checks
Expected Output: User security policies enabled
Enable 2FA for specific user
Expected Output: Two-factor authentication enabled
Disable 2FA for user
Expected Output: Two-factor authentication disabled
Enable automatic system maintenance
Expected Output: System maintenance automation enabled
Clean up unnecessary packages
Expected Output: System packages cleaned and optimized
Check password policy status
Expected Output: Current password policy configuration
Disable user security checks
Expected Output: User security policies disabled
Check user security status
Expected Output: User security configuration status
Check 2FA status for users
Expected Output: Two-factor authentication status
Disable automatic system maintenance
Expected Output: System maintenance automation disabled
Check system maintenance status
Expected Output: System maintenance configuration status
System Control
System configuration and control operations
Play system alert sound
Expected Output: Sound played successfully
Play success notification sound
Expected Output: Success sound played
Play warning sound in MP3 format
Expected Output: Warning sound played in MP3
Play alert sound with debug output
Expected Output: Alert sound played with debug info
Send system notification
Expected Output: Notification sent successfully
Send basic notification message
Expected Output: Notification sent successfully
Send notification with message body
Expected Output: Detailed notification sent
Send critical notification with 30 second duration
Expected Output: Critical notification sent
Send notification with custom icon
Expected Output: Notification with icon sent
Emergency Operations - Kill Switch & Panic Modes
Emergency security measures with two modes: MONITORING (arm/disarm) prepares for threats, IMMEDIATE (panic/activate) executes emergency procedures
ARM kill switch monitoring (preparation mode)
Expected Output: Kill switch ARMED - Monitoring mode active
Note: MONITORING MODE: Sets up automated threat detection using multiple monitoring methods:
• NETWORK MONITORING: Uses netstat, ss, and iptables logs to detect unauthorized connections
• FILE SYSTEM WATCHING: Monitors critical system files via inotify for unauthorized modifications
• PROCESS MONITORING: Tracks running processes using ps/proc for suspicious behavior patterns
• AUTH MONITORING: Watches /var/log/auth.log for failed login attempts (threshold: 5 failures)
• SYSTEM INTEGRITY: Checks system file hashes and permissions for tampering
Does NOT take action until triggered - only prepares for rapid response. Auto-activates MEDIUM panic level when threats detected.
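
The AUTH MONITORING threshold described above can be reproduced by hand when reviewing a log. This is an added example, not health-control's code or part of the original page: the function names, the per-source grouping and the constructed sample lines are assumptions, and only sshd "Failed password" lines are counted.

```shell
#!/bin/sh
# Added example (not health-control code): find sources whose failed SSH
# password attempts in auth.log-format input reach a threshold.
# Assumption: failures are grouped per source address.

# Constructed sample log lines (documentation address ranges only).
sample_auth_log() {
    cat <<'EOF'
Jan 10 10:00:01 kodachi sshd[811]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 kodachi sshd[811]: message repeated 3 times: [ Failed password for root from 203.0.113.5 port 40001 ssh2]
Jan 10 10:00:09 kodachi sshd[815]: Failed password for invalid user from from 203.0.113.5 port 40007 ssh2
Jan 10 10:01:00 kodachi sshd[820]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 10:01:02 kodachi sshd[820]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 10:02:00 kodachi sshd[830]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
EOF
}

# Usage: failed_auth_sources THRESHOLD [FILE...]   (reads stdin without FILE)
# Prints "<source> <failures>" for each source at or above THRESHOLD.
failed_auth_sources() {
    limit=$1
    shift
    awk -v limit="$limit" '
        /sshd\[[0-9]+\]: / && /Failed password for / {
            line = $0
            n = 1
            # rsyslog may compress duplicates into one
            # "message repeated N times: [ ... ]" line; count all N.
            if (match(line, /message repeated [0-9]+ times: \[ /)) {
                split(substr(line, RSTART, RLENGTH), rep, " ")
                n = rep[3] + 0
                sub(/\]$/, "", line)
            }
            # Anchor on the fixed tail "from ADDR port N ssh2" so a login
            # name containing spaces or the word from cannot shift the match.
            cnt = split(line, f, " ")
            if (cnt >= 5 && f[cnt - 4] == "from" && f[cnt - 2] == "port")
                fails[f[cnt - 3]] += n
        }
        END {
            for (src in fails)
                if (fails[src] >= limit)
                    print src, fails[src]
        }
    ' "$@" | sort
}

# Demo on the constructed sample with the threshold of 5 named on the page.
sample_auth_log | failed_auth_sources 5
```

On a live system the same function can be pointed at the log file, for example `failed_auth_sources 5 /var/log/auth.log`.
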
DISARM kill switch monitoring
Expected Output: Kill switch DISARMED
Note: Stops monitoring mode. Use after threat has passed or false alarm.
Check if monitoring is armed/disarmed
Expected Output: Shows armed status, trigger count, armed time
Note: READ-ONLY: Just displays current state, takes no action
IMMEDIATELY activate kill switch (default: medium panic)
Expected Output: KILL SWITCH ACTIVATED - emergency procedures executed
Note: IMMEDIATE ACTION: Unlike 'arm', this executes panic NOW. Prompts for confirmation. Use --level soft/medium/hard
IMMEDIATE soft panic (NO confirmation)
Expected Output: Network killed, clipboard cleared, screen locked
Note: INSTANT: Kill network + clear clipboard + lock screen. Reversible. Good for quick privacy.
IMMEDIATE medium panic (requires confirmation)
Expected Output: Panic mode activated after confirmation
Note: WITH CONFIRMATION: Kill network + clear clipboard + terminate processes + clear memory + unmount devices + lock screen (6 actions). Requires manual restart to restore.
IMMEDIATE hard panic (double confirmation)
Expected Output: System shutdown initiated
Note: CRITICAL - DOUBLE CONFIRM: All medium actions + RAM wipe + IMMEDIATE shutdown (7 actions total). IRREVERSIBLE! System shuts down NOW!
Create recovery checkpoint BEFORE panic
Expected Output: Recovery point created
Note: Create BEFORE activating panic modes. Allows restoration of configs after emergency.
Restore system after panic activation
Expected Output: System recovered from panic mode
Note: Use AFTER panic to restore normal operation. Restarts services, fixes permissions.
Configure panic response to paranoid security level
Expected Output: Panic profile set: paranoid Actions configured: 12
Note: PROFILE MODES:
• STEALTH: Light response (network blocking only, preserve user data)
• PARANOID: Maximum security (network kill, data wipe, process termination, interface shutdown)
• RECOVERY: System restoration (restart services, fix permissions, restore connectivity)
Profile determines automatic actions when panic mode triggers. Use 'kill-switch-activate' to manually trigger the configured profile.
Kill specific network interface
Expected Output: Network interface eth0 terminated
Note: Selective network isolation
Terminate specific process immediately
Expected Output: Process firefox terminated
Note: Emergency process termination
Security
General security status and monitoring
USB Security
USB device control and monitoring
Enable USB Guard protection
Expected Output: USB Guard enabled successfully
Disable USB Guard protection
Expected Output: USB Guard disabled successfully
Add USB device to allow policy
Expected Output: USB device policy added
Note: Use lsusb to find device IDs
List all USB policies
Expected Output: Current USB device policies
Start USB device monitoring
Expected Output: USB monitoring started
View USB device history for last 7 days
Expected Output: USB device connection history
Storage Security
Storage encryption and secure wiping
Encrypt storage device
Expected Output: Storage device encrypted successfully
Note: Backup data before encryption
Securely wipe storage device
Expected Output: Storage device wiped securely
Note: Data will be permanently destroyed
Security Assessment
Security scoring and reporting
Calculate overall security score
Expected Output: Shows score (0-100), security level (Critical/Poor/Fair/Good/Excellent), and actionable fixes
Get security score in JSON format
Expected Output: Full JSON with category breakdowns (Core/Network/Hardening/Device/Advanced), individual check scores, and specific remediation commands
Generate comprehensive security report
Expected Output: Detailed security assessment report
Generate security report in JSON format
Expected Output: JSON formatted security report
View security score history for last 30 days
Expected Output: Security score trends and historical data
Note: Shows security improvements over time
View last 7 days security history in JSON
Expected Output: JSON formatted security history
Review security fixes before applying
Expected Output: Security fix recommendations displayed
Note: Manual review mode for security fixes
Hardware Security
Hardware-level security features
Verify hardware random number generator
Expected Output: Hardware RNG status and quality
Note: Checks if hardware RNG is available and functioning properly for cryptographic operations
Check system entropy status
Expected Output: Entropy pool status and quality
Note: Monitors available entropy for secure random number generation, critical for encryption
Check boot integrity
Expected Output: Boot integrity verification results
Note: Verifies boot process integrity to detect tampering or unauthorized modifications to bootloader/kernel
System Information & Offline Actions
System information, diagnostics, and hardware/service management
Display comprehensive system information
Expected Output: Complete system details and configuration
Display hardware information
Expected Output: Hardware components and specifications
Display hardware information in JSON
Expected Output: JSON formatted hardware details
Display process information
Expected Output: Running processes and resource usage
Display security configuration
Expected Output: Security settings and status
Display network configuration
Expected Output: Network interfaces and settings
Display user information
Expected Output: User accounts and permissions
Display storage information
Expected Output: Disk usage and filesystem details
Display services information
Expected Output: System services status
Display all system information
Expected Output: Complete system information report
Enable Bluetooth service
Expected Output: Bluetooth enabled successfully
Disable Bluetooth service
Expected Output: Bluetooth disabled successfully
Enable WiFi service
Expected Output: WiFi enabled successfully
Disable WiFi with persistent blacklisting
Expected Output: WiFi disabled and blacklisted
Enable webcam devices
Expected Output: Webcam access enabled
Disable webcam devices
Expected Output: Webcam access disabled
Enable microphone devices
Expected Output: Microphone access enabled
Disable microphone devices
Expected Output: Microphone access disabled
Enable automatic screen lock
Expected Output: Screen lock enabled
Disable system logging
Expected Output: System logging disabled
Disable CUPS printing service
Expected Output: CUPS printing disabled
Disable NetworkManager
Expected Output: NetworkManager disabled
Enable NumLock on boot
Expected Output: NumLock enabled on boot
Disable command history logging
Expected Output: Command history disabled
Disable automatic login
Expected Output: Automatic login disabled
Set file descriptor limits
Expected Output: File descriptor limit set
Enable network optimizations
Expected Output: Network optimizations enabled
Enable BBR congestion control
Expected Output: BBR congestion control enabled
Configure interface speed
Expected Output: Interface speed configured
Disable Avahi service discovery
Expected Output: Avahi service disabled
Note: Supported services: avahi, modem-manager, ssh, apache, nginx, docker, mysql, postgresql
Disable ModemManager service
Expected Output: ModemManager disabled
Enable SSH service
Expected Output: SSH service enabled
Disable Apache web server
Expected Output: Apache web server disabled
Disable Nginx web server
Expected Output: Nginx web server disabled
Disable Docker service
Expected Output: Docker service disabled
Disable MySQL database service
Expected Output: MySQL service disabled
Disable PostgreSQL database service
Expected Output: PostgreSQL service disabled
Enable USB storage devices
Expected Output: USB storage access enabled
Disable USB storage devices
Expected Output: USB storage access blocked
Password Generation
Generate secure passwords using multiple methods with batch support (auto-detects installed packages)
Generate one password using all three methods
Expected Output: Three passwords (pass, pwgen, xkcdpass)
Note: Automatically uses system packages if available, falls back to native implementations
Generate 10 random passwords using pwgen method
Expected Output: 10 random passwords
Note: Use --count for batch generation; max 1000 per method
Generate 50 memorable XKCD-style passphrases
Expected Output: 50 word-based passphrases
Note: XKCD method creates memorable multi-word passwords
Generate 90 passwords from each method (270 total)
Expected Output: 270 passwords (90 from each of the 3 methods)
Note: When using --count without --method, generates specified count from ALL methods
Generate 20 custom passwords with specific length and symbols
Expected Output: 20 passwords with 32 characters including specified symbols
Note: Customize password generation with --length and --symbols options
Generate 15 passwords with only uppercase letters and digits
Expected Output: 15 alphanumeric passwords (uppercase + digits only)
Generate 100 passwords from each method in JSON format
Expected Output: JSON array with 300 passwords
Note: JSON output ideal for scripting and automation
Force use of native Rust implementations (skip package detection)
Expected Output: 25 passwords from each method using native fallbacks
Note: Useful for testing or when system packages are unreliable
RAM Wipe & Cold Boot Protection
Automatic RAM wiping on shutdown with multiple policies (custom, sdmem, both, auto), installation, configuration, testing, and cold boot attack defenses
Complete workflow for first-time RAM wipe setup
Expected Output: Step-by-step guide
Note:
STEP 1: Install hooks (REQUIRED FIRST): sudo health-control wipe-ram-install
STEP 2: Configure policy (OPTIONAL): sudo health-control wipe-ram-config --policy sdmem
STEP 3: Enable if disabled: sudo health-control ram-wipe-enable
STEP 4: Verify status: sudo health-control ram-wipe-status
KEY DIFFERENCES:
• wipe-ram-install = FIRST-TIME SETUP (installs systemd shutdown hooks)
• ram-wipe-enable = ENABLE/DISABLE (turns functionality on/off, hooks must exist)
• wipe-ram-config = UPDATE SETTINGS (change policy, passes, time budget)
• wipe-ram = MANUAL EXECUTION (test or emergency wipe NOW, not on shutdown)
Install RAM wipe system with default settings (kodachi-wiper policy, 60s timeout)
Expected Output: RAM wipe system installed successfully
Note: FIRST-TIME SETUP - Installs systemd hooks, configures policies, detects Kicksecure compatibility. Creates /etc/kodachi-ram-wipe.conf with defaults
Install RAM wipe with kodachi-wiper policy and 60 second time budget
Expected Output: Installed with kodachi-wiper policy
Note: Fastest installation - Single-pass wipe, suitable for systems with <8GB RAM or frequent reboots
Install RAM wipe with sdmem policy using 3 overwrite passes
Expected Output: Installed with sdmem 3-pass policy
Note: SECURE INSTALLATION - 3 passes (random, zeros, random). Good balance of security and speed. Recommended for 8-16GB RAM systems
Install with both policies: 60% time for kodachi-wiper, 40% for sdmem
Expected Output: Installed with dual-policy split
Note: HYBRID APPROACH - Time-split between kodachi-wiper (fast) and sdmem (thorough). Example: 120s budget = 72s kodachi-wiper + 48s sdmem. Maximum security coverage
Force installation even if Kicksecure/Whonix RAM wipe detected
Expected Output: Force installed, Kicksecure overridden
Note: OVERRIDE MODE - Bypasses Kicksecure detection. Use when you want Kodachi's RAM wipe instead of Kicksecure's built-in wipe. May cause conflicts
Check RAM wipe configuration and current status
Expected Output: RAM wipe status with memory info and auto-wipe settings
Note: Shows: enabled/disabled state, current policy (kodachi-wiper/sdmem/both/auto), time budget, sdmem passes, total RAM size, Kicksecure detection
RAM wipe status in JSON format for automation
Expected Output: JSON formatted status with all configuration details
Note: JSON OUTPUT DEMO - Shows all config fields in machine-readable format for scripts and monitoring systems
Update existing RAM wipe policy to auto-detection
Expected Output: Policy updated to auto
Update sdmem passes to 5 and time split to 70/30
Expected Output: Multiple parameters updated
Note: PASS COUNT - More passes = more thorough but slower. 1-3=fast, 4-6=balanced, 7-9=maximum. SPLIT - Higher kodachi-wiper%=speed, higher sdmem%=security
Enable RAM wipe configuration (hooks must be installed first)
Expected Output: RAM wipe configuration enabled + WARNING if hooks not installed
Note: IMPORTANT: This only enables the CONFIG. You must run 'wipe-ram-install' FIRST to install systemd hooks. Will show clear warning if hooks are missing.
Disable automatic RAM wiping
Expected Output: RAM wipe disabled successfully
Note: WARNING - Disabling RAM wipe leaves sensitive data in RAM accessible to physical attacks
Test RAM wipe system with dry-run (no actual wiping)
Expected Output: RAM wipe test completed successfully
Note: SAFE TESTING - Simulates wipe operation without actually overwriting memory. Tests configuration, timing, and policy execution. Use before first real wipe
Test kodachi-wiper policy with 10 second time budget
Expected Output: Kodachi-wiper policy test completed in 10s
Note: Quick test - Validates kodachi-wiper policy works correctly. 10s budget ensures fast test completion
Test RAM wipe with detailed JSON diagnostic metrics
Expected Output: JSON test results with performance data
Note: DIAGNOSTIC OUTPUT - Returns timing, memory stats, policy execution details, and potential issues. Essential for troubleshooting
Execute RAM wipe operation manually with configured policy
Expected Output: RAM wiped successfully
Note: ADVANCED - Manually trigger RAM wipe using system configuration. Automatically called by shutdown hooks. Use for testing or emergency wipe
Execute RAM wipe optimized for shutdown context
Expected Output: RAM wiped in shutdown mode
Note: INTERNAL USE - Shutdown-optimized mode disables unnecessary checks and output. Used by systemd shutdown hooks
Execute RAM wipe using kodachi-wiper overwrite policy
Expected Output: RAM wiped with kodachi-wiper policy
Note: POLICY: Kodachi-wiper fast overwrite algorithm - Single pass with random data. Fastest but least thorough (60-120 seconds for 8GB)
Execute RAM wipe using sdmem utility (multiple passes)
Expected Output: RAM wiped with sdmem
Note: POLICY: sdmem (secure-delete memory) - Multiple passes with patterns. Slower but more thorough (3-7 passes configurable). Government-grade erasure
Execute RAM wipe using both kodachi-wiper AND sdmem sequentially
Expected Output: RAM wiped with combined policy
Note: POLICY: Maximum security - Kodachi-wiper FIRST (fast pass), then sdmem (thorough passes). Best security but longest time. Recommended for high-security environments
Execute RAM wipe with automatic policy selection based on available RAM
Expected Output: RAM wiped with auto-detected policy
Note: POLICY: Auto-detection - Chooses policy based on RAM size and available time: <4GB=kodachi-wiper, 4-16GB=both, >16GB=sdmem. Balances speed and security
Execute RAM wipe with 120 second time budget
Expected Output: RAM wiped within time limit
Note: TIME BUDGET - Maximum seconds allowed for wipe operation. System will shutdown/reboot when time expires even if wipe incomplete. Critical for automated shutdowns
Detect if Kicksecure/Whonix RAM wipe is installed
Expected Output: Kicksecure detection results
Note: COMPATIBILITY CHECK - Detects Kicksecure's ram-wipe-on-boot package. Prevents conflicts between Kodachi and Kicksecure RAM wipe systems
Update RAM wipe policy to auto with 150 second time budget
Expected Output: Policy and time budget updated
Note: SMART MODE - System automatically selects best policy based on: RAM size, shutdown urgency, battery status (laptops). Recommended for most users
Enable cold boot attack defense mechanisms
Expected Output: Cold boot defense enabled
Note: PHYSICAL SECURITY - Protects against cold boot attacks that recover encryption keys from RAM after power loss. Enables: RAM overwriting on shutdown, memory scrambling, DMA protection
Disable cold boot attack defense
Expected Output: Cold boot defense disabled
Note: WARNING - Disabling leaves encryption keys vulnerable to physical RAM extraction attacks. Only disable if you have alternative physical security
Swap Management & Encryption
Swap space enable/disable, configuration, encryption with dm-crypt, and performance tuning with swappiness and cache pressure settings
Enable and activate swap space for memory overflow
Expected Output: Swap enabled successfully
Note: STABILITY FEATURE - Activates swap partitions/files for memory overflow. Improves system stability under memory pressure but may leak sensitive data to disk
Disable and deactivate all swap space
Expected Output: Swap disabled successfully
Note: SECURITY FEATURE - Deactivates all swap to prevent disk leakage of sensitive data. May cause out-of-memory errors if RAM insufficient
Check swap status, devices, size, and usage
Expected Output: Swap devices list with usage statistics
Note: Shows: active swap devices, total/used/available size, swap usage percentage, encryption status, swappiness value
Configure swap parameters for optimal performance
Expected Output: Swap parameters configured
Note: PERFORMANCE TUNING - Swappiness (0-100): 0=never swap, 10=minimal, 60=default, 100=aggressive. Cache pressure controls VFS cache retention (default 100)
Encrypt swap with random key generated on each boot
Expected Output: Swap space encrypted
Note: ENCRYPTION SECURITY - Uses dm-crypt with random key per boot. Protects swapped memory from offline disk forensics. Slight performance impact (~5-10%)
Remove swap encryption and revert to plain swap
Expected Output: Swap decrypted
Note: WARNING - Removes encryption protection. Swapped data will be readable from disk in clear text. Only use if encryption causes performance issues
Check swap encryption status and configuration
Expected Output: Encryption status with cipher details
Note: Shows: encryption enabled/disabled, cipher type (aes-xts-plain64), key size, whether using random keys, encrypted device mapper name
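
Whether swap really uses a random per-boot dm-crypt key, as the notes above describe, can be audited from the configuration files. This is an added example, not part of health-control or the original page: it assumes the conventional Debian /etc/fstab and /etc/crypttab layout (the page does not say how the tool configures swap), and the function names, verdict labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not health-control code): static audit of swap entries.
# Assumption: swap is configured through fstab and crypttab in the
# conventional Debian layout.

# Write constructed sample files into the directory given as $1.
make_sample_configs() {
    cat > "$1/fstab" <<'EOF'
# constructed sample fstab
/dev/mapper/cryptswap none swap sw 0 0
/dev/mapper/hibswap   none swap sw 0 0
/swapfile             none swap sw 0 0
UUID=0000-SAMPLE      /    ext4 defaults 0 1
EOF
    cat > "$1/crypttab" <<'EOF'
# constructed sample crypttab: NAME SOURCE KEYFILE OPTIONS
cryptswap /dev/sda3 /dev/urandom      swap,cipher=aes-xts-plain64,size=512
hibswap   /dev/sda4 /etc/keys/hib.key luks
EOF
}

# Usage: audit_swap_entries FSTAB CRYPTTAB
# Prints "<verdict> <device>" per swap entry, in fstab order:
#   random-key               mapping keyed from /dev/urandom or /dev/random
#                            and carrying the swap option
#   static-key-or-incomplete mapping exists, but the key persists across
#                            boots or the swap option is missing
#   not-in-crypttab          no crypttab mapping found for this device
audit_swap_entries() {
    awk -v ct="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        # First file: remember key source and options of every mapping.
        FILENAME == ct {
            key[$1] = $3
            opts[$1] = $4
            next
        }
        # Second file: classify each fstab entry of type swap.
        $3 == "swap" {
            name = $1
            if (sub(/^\/dev\/mapper\//, "", name) && (name in key)) {
                rnd = (key[name] == "/dev/urandom" || key[name] == "/dev/random")
                swp = (("," opts[name] ",") ~ /,swap,/)
                verdict = (rnd && swp) ? "random-key" : "static-key-or-incomplete"
            } else {
                verdict = "not-in-crypttab"
            }
            print verdict, $1
        }
    ' "$2" "$1"
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
audit_swap_entries "$demo_dir/fstab" "$demo_dir/crypttab"
rm -rf "$demo_dir"
```

A `not-in-crypttab` verdict only means the file audit found no mapping; compare against the running system with `swapon --show` and `cryptsetup status <name>` before concluding that swap is unencrypted.
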
Enable swap (alternative command alias)
Expected Output: Swap enabled
Disable swap (alternative command alias)
Expected Output: Swap disabled
Memory Statistics & Cleanup
Memory usage statistics, cache cleaning, and memory optimization without data loss
Show current memory usage statistics (total, available, used, cached)
Expected Output: Memory usage breakdown with utilization percentages
Memory statistics in human-readable JSON format
Expected Output: Pretty-printed JSON with human-readable sizes (MB/GB)
Note: JSON OUTPUT DEMO - Use --json for compact machine-readable format, --json-human for readable format with color and formatting
Clean memory caches and buffers (pagecache, dentries, inodes)
Expected Output: Memory cleaned successfully
Note: Safe operation - drops caches but does NOT kill processes. Improves available memory without data loss
Force aggressive memory cleanup (sync + drop_caches=3)
Expected Output: Memory force cleaned
Note: ADVANCED - Kills top memory-consuming process + aggressive cache drop. Use with caution in production
Process Memory Security
Secure process memory wiping before termination and per-process memory limits using cgroups for browsers and applications
Securely wipe memory contents (anti-forensics)
Expected Output: Memory wiped securely
Note: SECURITY FEATURE - Overwrites memory with random data to prevent forensic recovery. Used for sensitive operations
Securely wipe Firefox process memory before termination
Expected Output: Firefox process memory wiped successfully
Note: PRIVACY PROTECTION - Clears sensitive data (passwords, session keys, browsing history) from process memory before kill
Securely wipe Chrome browser memory
Expected Output: Chrome process memory wiped successfully
Note: Clears authentication tokens, cached passwords, and browsing data from Chrome's memory space
Securely wipe Thunderbird email client memory
Expected Output: Thunderbird process memory wiped successfully
Note: Erases email content, credentials, and encryption keys from email client memory
Securely wipe Tor Browser memory
Expected Output: Tor Browser process memory wiped successfully
Note: Clears Tor circuit keys, browsing session data, and cached .onion addresses from memory
Set Firefox memory limit to 2048 MB using cgroups
Expected Output: Firefox memory limit set to 2048 MB
Note: RESOURCE CONTROL - Uses Linux cgroups to enforce hard memory limits per process. Prevents single process from consuming excessive memory. Process killed if limit exceeded
Set Chrome memory limit to 1024 MB
Expected Output: Chrome memory limit set to 1024 MB
Note: Chrome often consumes excessive memory. Limiting prevents system slowdown. Note: Limit applies to total browser memory across all processes
Set Tor Browser memory limit to 1536 MB
Expected Output: Tor Browser memory limit set to 1536 MB
Note: Tor Browser requires more memory than standard browsers due to Tor circuit management and enhanced security features. 1536MB recommended minimum
List all configured memory limits and their current usage
Expected Output: Table of processes with memory limits and usage
Note: Shows: process name, configured limit, current memory usage, limit utilization percentage, cgroup path, status (active/inactive)
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
| RUST_LOG | Set logging level | info | error |
| NO_COLOR | Disable all colored output when set | unset | 1 |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Permission denied |
| 4 | Network error |
| 5 | File not found |