Documentation - CommandGuard | Complete Feature Guide

Getting Started

Quick Deployment

CommandGuard is designed for simple on-premise deployment using Docker Compose:

# Clone the repository

$ git clone https://github.com/your-org/commandguard.git

$ cd commandguard

# Start the application

$ docker compose up -d

# Access at http://localhost:8000

CommandGuard uses minimal system resources and stores all configuration in the private_files directory.

System Requirements

Docker & Docker Compose: Version 20.10+ recommended
Memory: Minimum 512MB RAM (1GB recommended)
Storage: 1GB for application and logs
Network: Outbound SSH access to target servers

All data stays on your infrastructure - no external dependencies or cloud services required.

SSH Connection Management

Connection Configuration

Define and manage SSH connections to your servers with support for multiple authentication methods:

Connection Properties

Connection Name: Unique identifier for the connection
SSH Host: Server hostname or IP address
SSH Port: Custom SSH port (default: 22)
Username: SSH login username

Authentication Methods

Password Authentication

Secure password storage with encryption at rest

PEM Key Authentication

Support for private key authentication with passphrase

Best Practices

Use descriptive connection names for easy identification
Prefer key-based authentication over passwords
Test connections before assigning commands
Use non-standard SSH ports for enhanced security

Security Note

SSH credentials are encrypted using AES-256 and stored locally in your infrastructure. CommandGuard never transmits credentials outside your network.

Command Management

Command Sets

Group related commands into sets for better organization and permission management:

Command Set Name: Logical grouping (e.g., "Database Maintenance", "Web Server Controls")
SSH Connection: Associate with specific server connection
Multiple Commands: Add unlimited commands with custom labels

Command Features

Custom Labels:

User-friendly names for complex commands (e.g., "Restart PHP-FPM" for systemctl restart php-fpm)

Real-time Output:

Stream command output in real-time with optional filtering

Command Templates:

Support for parameterized commands and scripts

Example Command Configurations

Web Server Management

• Restart Nginx
• Clear Cache
• View Access Logs
• Deploy Updates

Database Operations

• Backup MySQL
• Check Replication
• Analyze Queries
• Optimize Tables

System Monitoring

• Check Disk Space
• View Process List
• Network Status
• System Resources

User Management & Role-Based Access

User Roles & Permissions

ADMIN Administrator Role

Full system access and configuration
Manage SSH connections and credentials
Create and modify all commands
User management and role assignment
Access to complete audit logs

USER Standard User Role

Execute assigned commands only
View command output and history
Access personal audit logs
Cannot modify connections or commands
No access to other users' data

Granular Permissions: Assign specific command sets to individual users. For example, "Brandon" can only restart PHP-FPM on the web server, while "Lilly" can only trigger backups on the database server.

User Security Features

Secure password requirements with complexity rules
TOTP-based two-factor authentication
Last login tracking and session management
Account lockout after failed attempts

Quick Stats

Active Users Unlimited

Role Types 2 (Admin, User)

Command Assignment Granular

Advanced Security Features

TOTP-Based 2FA

Time-based One-Time Password authentication adds an extra security layer:

Compatible with Google Authenticator
Support for Authy, Microsoft Authenticator
QR code setup for easy configuration
Backup codes for recovery
30-second rotating codes

IP-Based Access Control

Restrict access based on IP addresses for enhanced security:

Whitelist specific IP addresses
Support for IP ranges and CIDR notation
Per-user IP restrictions
Automatic blocking of suspicious IPs
Geo-location based filtering

Time-Based Restrictions

Control when users can access the system:

Day of week restrictions
Time of day access windows
Temporary access grants
Automatic session expiration
Timezone-aware scheduling

Security Best Practices

Enable 2FA for all admin accounts
Use IP whitelisting for production access
Implement time-based access for contractors
Regular password rotation policies

Monitor audit logs for anomalies
Use separate accounts for automation
Implement least privilege principle
Regular security audits and reviews

Webhook Integration

Webhook Configuration

Configure webhooks to receive real-time notifications when commands are executed:

Webhook Payload Structure

{
  "command": "systemctl restart nginx",
  "connection": "web-server-01",
  "user": "brandon",
  "timestamp": "2025-08-10T09:30:00Z",
  "status": "success",
  "output": "nginx.service restarted successfully",
  "execution_time": "1.23s"
}

Supported Events

Command execution started
Command completed successfully
Command failed with error
Connection established/failed

Configuration Options

Custom webhook URLs
HTTP/HTTPS endpoints
Authentication headers
Retry on failure

Integration Examples

Slack Notifications
Send command results to Slack channels
Monitoring Systems
Update Datadog, Prometheus metrics
Ticketing Systems
Auto-close tickets on completion
CI/CD Pipelines
Trigger deployments and builds

Webhook Security

HMAC signature validation
SSL/TLS encryption
IP whitelisting for endpoints
Rate limiting protection

HTTP API Integration

RESTful API for Command Execution

Enable HTTP invocation for commands to integrate with external tools, automation platforms, and CI/CD pipelines:

API Features

Unique API URLs:
Each command gets a unique, secure URL with API key authentication
Secure Authentication:
API key-based authentication with optional IP restrictions
Synchronous/Asynchronous:
Support for both sync and async command execution

Example API Call

# Execute command via HTTP

curl -X POST \

https://your-server/api/cmd/abc123 \

-H "X-API-Key: your-api-key" \

-H "Content-Type: application/json"

# Response

{

"status": "success",

"output": "Command output here",

"execution_time": "0.5s"

}

N8N Integration

Create powerful automation workflows by connecting CommandGuard with N8N's visual workflow builder.

CI/CD Pipelines

Integrate with Jenkins, GitLab CI, GitHub Actions for deployment automation and infrastructure management.

Custom Scripts

Call CommandGuard APIs from your Python, Node.js, or bash scripts for custom automation solutions.

Immutable Audit Logs

Comprehensive Activity Logging

Every action in CommandGuard is logged with complete details for compliance and security auditing:

Logged Events

User Activities

Login attempts (success/failure)
Command executions
Password changes
2FA setup/changes
Session management

Administrative Actions

User creation/deletion
Permission changes
Connection modifications
Command updates
System configuration

Log Entry Details

ID: 37

Event Type: COMMAND_EXECUTION

Username: admin

IP Address: ::1

Date & Time: 2025-08-10 03:39:53

Details: Command executed successfully

Success: ✓

Compliance Features

Immutable Logs
Cannot be modified or deleted
Retention Policies
Configurable log retention periods
Export Options
CSV, JSON export for analysis
Advanced Filtering
Search by date, user, event type

Compliance Standards

SOC 2 Type II

HIPAA

PCI DSS

GDPR

ISO 27001

API Reference

API Endpoints

POST /api/cmd/{command_id}

Execute a specific command

Headers:

X-API-Key: your-api-key

GET /api/status/{execution_id}

Get command execution status

Response:

{"status": "running", "output": "partial output...", "progress": 45}

GET /api/commands

List all available commands for the authenticated user