V
VernisOS
Security

Policy System

VernisOS lets administrators define security policies that the kernel enforces on every operation. All policy changes are logged in the SHA-256 secured audit trail.

policy — Manage Policies

text
> policy list
Active Policies:
  [01] DENY module_load FOR untrusted
  [02] ALLOW file_read FOR all
  [03] DENY ai_control FOR guest
  [04] REQUIRE sandbox FOR external

> policy add ALLOW file_write FOR operator
Policy added. Audit log updated (SHA-256: 4a3f...)

audit_log — View Audit Trail

The audit log records every security-relevant event with a SHA-256 hash chain. Any tampering breaks the chain and is immediately detectable.

text
> audit_log
Audit Log (last 5 entries):
  [2025-01-15 14:23:01] LOGIN admin SHA:7c2a...
  [2025-01-15 14:23:05] POLICY_ADD ALLOW file_write SHA:e91f...
  [2025-01-15 14:24:12] MODULE_LOAD ai_anomaly SHA:b4d2...
  [2025-01-15 14:25:03] AI_SCAN complete SHA:1f8c...
  [2025-01-15 14:25:45] FILE_READ config.sys SHA:a37e...

Chain integrity: VERIFIED ✓
Total entries:   1,247
Log size:        156 KB

Policy Types

ALLOW

Grants a capability to a user or role for a specific resource

DENY

Revokes a capability — takes precedence over ALLOW rules

REQUIRE

Mandates a condition must be met (e.g., must be sandboxed)

ALERT

Allows the action but logs a high-priority audit event

SHA-256 Hash Chain

text
Each audit entry includes:
  - Timestamp
  - Event type (LOGIN, POLICY, MODULE, FILE, AI, etc.)
  - Actor (process ID / user)
  - Previous hash (chain link)
  - Current hash = SHA-256(timestamp + event + prev_hash)

Tampering with any entry breaks the entire chain.
The kernel verifies chain integrity on every read.
← Security ModelAuthentication →