Advanced Configuration and Maintenance

How to perform maintenance safely on a Root Lock by HeartSuite system, from Setup Mode transitions to Lockdown recovery.

Overview: Every maintenance window is an attack window — in Setup Mode the kernel logs but stops blocking, or on the Non-HS kernel Root Lock by HeartSuite is not loaded at all, while changes are made. These guides cover how to perform maintenance safely without leaving gaps an attacker can exploit. The Dashboard displays the current protection state — including Lockdown status — and provides the Suggested Next Step throughout maintenance.

Maintenance is a time period during which you temporarily step out of Lockdown to make changes. It is not a separate mode. Root Lock by HeartSuite has two modes: Setup Mode and Lockdown. During maintenance, you either switch to Setup Mode (the kernel logs but stops blocking) or boot the Non-HS kernel (Root Lock by HeartSuite is not loaded at all) depending on whether the immutable seal is active — the Dashboard’s Maintenance ([t]) detects this automatically and guides you through the correct path.

For most maintenance — installing packages, applying patches, editing configuration — the correct path is switching to Setup Mode. That requires one reboot, stays on the Root Lock by HeartSuite kernel, and needs no GRUB interaction. Booting the Non-HS kernel is only required when Lockdown+sealed is active.

The Maintenance appears only when the system is in Lockdown, Lockdown+sealed, or on the Non-HS kernel. It is not shown in Setup Mode — because in Setup Mode, you are already in the maintenance-ready state and the Dashboard’s review queues and Suggested Next Step are the workflow.

In this section

  • Protecting During Maintenance — Step-by-step guidance for maintenance windows, from the safety checklist through Lockdown recovery across two reboots.
  • File Backup and Versioning — Automatic versioned backups that even root cannot reach under Lockdown — restore any earlier version of a file when needed.
  • Cache Adjustment — Tuning the allowlist cache for servers with large numbers of concurrent programs.
  • Restricting Kernel Module Loading — Limiting kmod’s access to specific modules for deployments where kmod is allowlisted.
  • Updating HeartSuite — Apply a HeartSuite update bundle, including the two-reboot sequence and Lockdown considerations.
Protecting During Maintenance

Securing your server during maintenance windows to prevent attacks.

Adjusting the Cache Size

How Root Lock by HeartSuite auto-tunes its allowlist cache, and when manual intervention is needed.

Restricting Kernel Module Loading

How to limit kmod’s file access permissions to specific modules before Lockdown engages, for deployments where kmod is allowlisted.

Updating HeartSuite

How to apply a HeartSuite update bundle, including the two-reboot sequence and Lockdown considerations.

File Backup and Versioning

Automatic backups for designated directories and version restoration to protect against malware.


Last modified June 5, 2026: Update product branding to "Root Lock by HeartSuite" (0966771)