FAQs

A: HeartSuite Core Secure enforces security at the kernel level — not through signatures, behavior prediction, or eBPF filters that attackers routinely bypass. The HeartSuite Core Secure kernel blocks any program execution, file access, or network connection that has not been explicitly approved through the Dashboard’s review process. Because enforcement happens inside the kernel itself, it cannot be circumvented by any program or user, including root.

A: Many security products — including Falco, Cilium Tetragon, and CrowdStrike Falcon on Linux — rely on eBPF filters or user-space agents that run alongside programs. Malware with sufficient privileges can disable, bypass, or unload them. HeartSuite Core Secure’s enforcement is compiled into the kernel itself. There is no agent to kill, no filter to detach, and no module to unload. If the HeartSuite Core Secure kernel is running, enforcement is active. This is the difference between a lock on the door and a guard standing next to it.

A: Lockdown makes all allowlist entries and configuration files immutable at the filesystem level, then disables the ability to change immutability flags at the kernel level. This means not even root can modify, delete, or add allowlist entries while Lockdown is active — the kernel itself prevents it. To make changes, the Dashboard’s Maintenance screen ([t]) guides you through a 3-step process that includes booting the Non-HS kernel to remove the immutable flags. The Dashboard confirms Lockdown status after every reboot.

A: Debian 11, 12, or 13; any Ubuntu-derived distribution; Alpine Linux; or RPM-based distributions (RHEL, Fedora, CentOS, Rocky Linux, AlmaLinux, SUSE, openSUSE) — all on x86 architecture. HeartSuite Core Secure ships with two HeartSuite Core Secure kernel versions: 5.19 and 6.18.

A: Download the tar file from heartsecsuite.com – wget is disabled, so use the website form.

A: Yes. Email support@heartsecsuite.com or visit the tech support page on heartsecsuite.com. We’re happy to help.

A: For bugs, open an issue on GitHub using the Bug Report template. Include your HeartSuite Core Secure version, kernel version, the Safety Banner state shown on your Dashboard, and steps to reproduce. For security vulnerabilities, do not use a public issue — email support@heartsecsuite.com for responsible disclosure.

A: Yes. Every time a file in a configured directory is modified, HeartSuite Core Secure automatically creates a new versioned backup with a timestamp and file size. Only HeartSuite Core Secure can access the backups — no other program, including malware running as root, can read or destroy them. Versions are never automatically deleted. Use the Dashboard’s Backup screen ([b]) to add or remove directories, browse version history, and restore any previous version of a file.

A: No. Most security products generate high volumes of alerts because they flag suspicious patterns — leading to alert fatigue where real threats get lost in the noise. HeartSuite Core Secure only alerts on genuinely unauthorized activity: a program attempting to execute without approval, or an outbound connection to an unapproved destination. Events are deduplicated and batched in 5-minute windows, with an hourly cap on email alerts. In Secure Mode with a complete allowlist, alerts are rare — because the allowlist already covers all legitimate activity. Configure alerts through the Dashboard’s Alert Settings screen ([e]) (email, syslog, or webhook).

A: Secure Mode and Lockdown require a subscription. Setup Mode provides insights for decisions without full protection.

A: Yes, HeartSuite Core Secure allows remote access like SSH – allowlist necessary programs and IPs.

A: The Dashboard is the primary interface for managing HeartSuite Core Secure. It shows your current mode (Setup or Secure), progress through each setup phase, pending or denied event counts, and a Suggested Next Step that tells you exactly what to do next. The Safety Banner at the top confirms the current protection state at a glance. The Dashboard appears automatically on first login.

A: The Dashboard walks you through seven phases, from verifying your installation to activating full protection. Each phase focuses on one task — approving programs ([p]), configuring script launchers ([l]), approving file access ([f]), approving internet access ([i]), and setting up alerts ([e]). The Dashboard tracks your progress and always shows the next step. Secure Mode (full enforcement) unlocks only after all prior phases are complete.

A: No. In Secure Mode, a program can only access files and directories that have been explicitly approved through the Dashboard’s File Access review queue. After allowlisting a program’s execution in Phase 2, you approve its file access in Phase 4 — the Dashboard shows every file the program attempted to read or write.

A: The HeartSuite Core Secure kernel must be loaded during the installation process. Each reboot allows hs-os-boot-setup to capture and allowlist additional startup and shutdown programs. Skipping reboots can leave essential programs unapproved, which would cause the system to hang in Secure Mode.

A: Check GRUB settings (e.g., uncomment GRUB_DISABLE_LINUX_UUID for VMs), verify installation logs, and try recovery mode.

A: Check the Dashboard’s Suggested Next Step — it will indicate what remains. Ensure you are running as root and that you have rebooted between each run of hs-os-boot-setup.

A: In Secure Mode, any program not on the allowlist is blocked. This typically happens after installing new software or a system update that introduces programs HeartSuite Core Secure has not seen before. To resolve it, select the Maintenance screen ([t]) from the Dashboard — it guides you through switching to Setup Mode, where the new program appears as a pending event. Approve it from the review queues, then return to Secure Mode.

A: Yes. When the Dashboard’s File Access review queue presents grouped events from the same directory, you can approve directory-level access rather than approving each file individually. For example, if Python reads 200 files from /usr/lib/python3/, the review queue groups them and lets you approve access to the entire directory at once.

A: The Dashboard unlocks Secure Mode when all prior phases are complete and shows it as the Suggested Next Step. Activation requires typing YES (case-sensitive) to confirm.

A: HeartSuite Core Secure blocks all outbound connections by default. When a program attempts a connection, the event appears in the Dashboard’s Internet Access review queue with the destination IP, reverse DNS, and program metadata. Approve the connection from there.

A: After the Dashboard shows all review phases complete. Take your time in Setup Mode — allow several days to a week for systemd timers, cron jobs, and infrequent services to appear in the review queues. The Dashboard’s System Info Strip shows how long Setup Mode has been active (e.g., “Setup Mode — active for 3d 7h”), so you can easily track your observation period. Switching too early will block programs that have not been approved.

A: Lockdown makes all allowlist entries and configuration files immutable (chattr +i), then disables the ability to change immutability flags at the kernel level. No user or program — including root — can modify, delete, or add allowlist entries while Lockdown is active. Use it in production after confirming all programs work correctly in Secure Mode.

A: Once Secure Mode is active and verified, activate Lockdown from the Dashboard. This requires typing YES (case-sensitive) to confirm.

A: Select the Maintenance screen ([t]) from the Dashboard. It detects that Lockdown is active and guides you through a 3-step process: booting the Non-HS kernel to remove immutable flags ([u]), making your changes, then rebooting back to the HeartSuite Core Secure kernel to review new activity and return to Secure Mode. The Dashboard resumes at the correct step after each reboot.

A: Select the Maintenance screen ([t]) from the Dashboard. It detects whether Lockdown is active and guides you through the correct path — either a simple switch to Setup Mode, or a guided 3-step process across two reboots if Lockdown requires the Non-HS kernel. The Dashboard handles all steps including a pre-maintenance safety checklist.

A: The Dashboard’s Safety Banner at the top of the screen immediately shows whether HeartSuite Core Secure is active and what mode it is in. The Dashboard appears automatically on login.

A: Reboot into a Non-HS kernel (select it from GRUB). The Dashboard resumes automatically on the Non-HS kernel and guides you through the maintenance steps. Once back on the HeartSuite Core Secure kernel, the Dashboard will show any pending events that caused the hang.

A: The Dashboard automatically clears the activity log when all review queues are empty — no manual action is required.