Security Tools
SECURITY CENTER
Authentication, health checks, integrity verification, emergency actions, and trust signals in one place.
Start here when you want to confirm your system state, validate files, understand authentication, or use Kodachi security controls safely.
Security and Authentication Command Plane
Security binaries deliver emergency response controls, integrity verification, and authentication lifecycle management as a coordinated defense stack for Kodachi deployments.
Response and Recovery Layer
Response
health-control provides the emergency toolkit for fast containment, network shutdown controls, secure wiping, and system recovery workflows.
213 Commands
4 Response Levels
Sub-Second Triggers
Trust and Verification Layer
Trust
integrity-check and online-auth enforce baseline trust via cryptographic validation, authenticated sessions, and heartbeat-based service authorization.
27 Commands
Session Keep-Alive
Auth Chain Ready
Documentation Navigation
Navigate the documentation:
- Quick Start - Installation guide and getting started
- CLI Reference - Complete command-line reference
Enterprise-Grade Security and Authentication Infrastructure
The security tools in Kodachi OS provide comprehensive protection through multi-layered defense mechanisms, emergency response capabilities, and continuous system integrity monitoring. These production-ready binaries form the backbone of system security, offering everything from panic modes to cryptographic verification.
Core Architecture Principles - Verified
Defense in Depth: Multiple layers of security from authentication to emergency response
Zero-Trust Authentication: Comprehensive auth system with heartbeat monitoring
Forensic Resistance: Multi-pass secure wiping, memory cleaning, emergency data destruction
Continuous Verification: Real-time integrity monitoring and compliance checking
Binary Categories and Requirements
Core Security Tools
| Binary | Primary Function | Commands | Requires Auth | Requires Sudo | Auto-Start |
|---|---|---|---|---|---|
| health-control | Emergency kill switches and panic modes | 213 | Yes | Yes (system ops) | Called by other binaries |
| integrity-check | Cryptographic system integrity verification | 7 | No | No | No |
| online-auth | Secure authentication and heartbeat monitoring | 20 | No | Yes (system-wide) | No (manual start) |
Inter-Binary Dependencies Matrix
Binary Communication Flow
| Service | Calls These Binaries | Called By These Binaries |
|---|---|---|
| health-control | logs-hook, auth-shared, routing-switch | dns-switch, online-info-switch |
| integrity-check | logs-hook | None |
| online-auth | logs-hook, permission-guard, global-launcher | ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch |
Critical Service Dependencies
| Dependency Type | Description | Affected Services |
|---|---|---|
| Authentication Chain | Services requiring online-auth for operation | Most network and system services |
| Logging Infrastructure | All services use logs-hook for centralized logging | ALL security binaries |
| Emergency Response | Services that can trigger health-control | dns-switch, online-info-switch |
| Permission Management | Services managed by online-auth | permission-guard, global-launcher |
System Requirements and Permissions
Privilege Escalation Requirements
| Operation Type | Required Permissions | Affected Binaries |
|---|---|---|
| Emergency Operations | sudo/root | health-control (kill switches, panic modes) |
| Authentication Management | sudo/root | online-auth (system-wide operations) |
| Read-Only Verification | Standard user | integrity-check |
Service Daemon Capabilities
| Service | Daemon Mode | Command | Purpose |
|---|---|---|---|
| online-auth | Heartbeat daemon | authenticate --keep-alive |
Maintains authentication session |
| health-control | On-demand | Called by services | Emergency response |
| integrity-check | Scheduled/Manual | check-all |
System verification |
Key Capabilities Overview
Emergency Response System (health-control - 236 commands)
| Capability | Feature | Description |
|---|---|---|
| Kill Switch System | Emergency protocol | 4-stage emergency protocol (arm → disarm → status → activate) |
| Four-Level Panic Modes | Soft panic | Network termination + system lock |
| Four-Level Panic Modes | Medium panic | Network + process termination + data clearing |
| Four-Level Panic Modes | Hard panic | Network + process + RAM wipe + complete shutdown |
| Four-Level Panic Modes | Destroy panic | Hard panic + LUKS header destruction |
| Data Destruction | DoD 5220.22-M pattern | Military-grade 3-pass overwrite pattern |
| Data Destruction | Gutmann method | 35-pass secure deletion algorithm |
| Data Destruction | Random overwrite | Cryptographically secure random data wiping |
| Data Destruction | Zero overwrite | Complete zeroing of target data |
| Data Destruction | Verification system | Post-wipe verification and confirmation |
| Data Destruction | Scheduled destruction | Automated timed data destruction |
| Hardware Security | Hardware RNG verification | Random number generator validation |
| Hardware Security | Entropy pool monitoring | System entropy source monitoring |
| Hardware Security | Cold boot defense | Memory protection against cold boot attacks |
| Hardware Security | Boot chain verification | Secure boot integrity checking |
| Network Emergency Controls | Instant termination | Immediate network connection shutdown |
| Network Emergency Controls | Interface kill switches | Per-interface emergency controls |
| Network Emergency Controls | Internet blocking | System-wide internet access control |
| Network Emergency Controls | Recovery mechanisms | Network restoration and recovery tools |
System Integrity Verification (integrity-check - 7 commands)
| Feature | Description |
|---|---|
| Hash-Based Verification | BLAKE3 integrity checking for critical files (with SHA256 fallback for compatibility) |
| Signature Validation | Cryptographic signature verification |
| Version Monitoring | Package version tracking against repositories |
| Configuration Auditing | Config file integrity verification |
| Comprehensive Checking | All-in-one system verification |
| Audit Trail | Detailed logging of all integrity checks |
Authentication Infrastructure (online-auth - 20 commands)
| Component | Functionality |
|---|---|
| Session Management | Secure login/logout with keep-alive options |
| Heartbeat Monitoring | Automatic session maintenance |
| API Key Management | Secure synchronization and validation |
| User Classification | VIP/premium user detection |
| Group Management | User group identification |
| Permission Guard Integration | Automated permission monitoring |
| Global Launcher Control | Service deployment management |
Common Workflows
Initial Security Setup
# Authenticate and verify status
sudo online-auth authenticate --keep-alive
online-auth check-login
# Perform initial integrity check
integrity-check generate # Create baseline
integrity-check check-all # Verify system
# Configure emergency response
sudo health-control kill-switch-arm
sudo health-control panic-profile --profile stealth
Continuous Security Monitoring
# Authentication with keep-alive
sudo online-auth authenticate --keep-alive
# Regular integrity checks
integrity-check check-all --json
# Monitor system health
sudo health-control net-check
sudo health-control hardware-rng-verify
Emergency Response Procedures
# Quick privacy mode
sudo health-control panic-soft
sudo health-control wipe-browser-data
# Network isolation
sudo health-control block-internet
sudo health-control kill-network-interface --interface eth0
# Complete lockdown
sudo health-control panic-hard
Data Protection Operations
# Secure file wiping
sudo health-control wipe-file --file /sensitive/data --passes 35
sudo health-control wipe-verify --path /sensitive/data
# Batch operations
sudo health-control wipe-batch --paths /tmp/file1,/tmp/file2
# Scheduled wiping
sudo health-control wipe-schedule temp --frequency daily
Performance Metrics
| Metric | Value | Description |
|---|---|---|
| Total Commands | 240 | Across all security binaries |
| Response Time | < 100ms | For critical operations |
| Memory Usage | < 100MB | Combined for all services |
| CPU Usage | < 5% | During active monitoring |
| Reliability | 99.99% | Service uptime |
Security Implementation Details
Authentication Flow
- Initial authentication:
sudo online-auth authenticate --keep-alive - Status verification:
online-auth check-login - Heartbeat maintenance: Auto-maintained with
--keep-aliveflag - Service usage: Authenticated services verify automatically
- Session termination:
online-auth logout
Emergency Response Levels
Note: All panic modes are manually triggered via commands. There is no automatic detection or escalation.
| Level | Manual Trigger Command | Actions | Recovery |
|---|---|---|---|
| Soft | panic-soft |
Network termination + screen lock | Manual recovery |
| Medium | panic-medium |
Network + process termination + memory clearing | Recovery mode |
| Hard | panic-hard |
Network + process + RAM wipe + immediate shutdown | Full system restart |
| Destroy | panic-destroy |
Hard panic + LUKS header destruction | Data unrecoverable |
Data Destruction Standards
| Pattern | Passes | Standard | Use Case |
|---|---|---|---|
| DoD 5220.22-M | 3 | US Military | General sensitive data |
| Gutmann | 35 | Maximum security | Highly classified |
| Random | 1-7 | Configurable | Quick wipe |
| Zeros | 1 | Fast wipe | Non-sensitive |
Integration Points
The security tools integrate seamlessly with:
| Integration Type | Services/Systems |
|---|---|
| Network Services | tor-switch, routing-switch, dns-switch |
| System Services | logs-hook, permission-guard |
| Infrastructure | global-launcher, deps-checker |
| Kernel Modules | Security frameworks, audit system |
| Hardware | TPM, hardware RNG, secure boot |
Security Considerations
Important Security Notice
These tools provide powerful capabilities that should be used responsibly. Emergency response features can cause data loss and system unavailability. Always maintain secure backups and test emergency procedures in controlled environments.
Best Practices
| Practice | Description |
|---|---|
| Regular Verification | Run integrity checks daily |
| Emergency Preparedness | Test panic modes quarterly |
| Authentication Management | Rotate credentials regularly |
| Audit Review | Check logs weekly |
| Update Policies | Keep security policies current |
Compliance Features
| Feature | Description |
|---|---|
| Audit Trails | Complete logging of all operations |
| Forensic Readiness | Evidence preservation capabilities |
| Regulatory Support | Configurable retention policies |
| Incident Response | Automated response procedures |
Troubleshooting
Common Issues
| Issue | Solution | Prevention |
|---|---|---|
| Authentication failure | Check network, verify credentials | Use keep-alive mode |
| Integrity check fails | Review changes, update baseline | Regular updates |
| Panic mode triggered | Follow recovery procedure | Configure thresholds |
| Kill switch stuck | Use force recovery | Test regularly |
Recovery Procedures
# Recover from soft panic
sudo health-control panic-recover
# Restore network after kill switch
sudo health-control recover-internet
# Reset authentication
sudo online-auth logout
sudo online-auth authenticate --relogin
System Information
| Component | Version | Build Date | License |
|---|---|---|---|
| health-control | 9.0.1 | 2026-05-28 | Proprietary |
| integrity-check | 9.0.1 | 2026-05-28 | Proprietary |
| online-auth | 9.0.1 | 2026-05-28 | Proprietary |
| Documentation | 9.0.1 | 2026-05-28 | © 2026 Linux Kodachi |