Safety & Security
How Hive keeps your servers safe while providing powerful AI-driven management.
Three-Tier Command Safety
Hive categorizes every command into three safety levels:
Command Categories
Safe Commands (Auto-Run)
These read-only commands run automatically:
| Category | Commands |
|---|---|
| System Info | uname, hostname, uptime, date, whoami |
| Process Viewing | ps, top, htop, pgrep |
| File Listing | ls, find, locate, tree |
| File Reading | cat, head, tail, less, grep |
| Disk Info | df, du, lsblk |
| Memory Info | free, vmstat |
| Network Info | netstat, ss, ip addr, ping, dig, nslookup |
| Service Status | systemctl status, service status |
| Log Reading | journalctl, reading log files |
Commands Requiring Approval
These commands ask for your permission:
| Category | Commands |
|---|---|
| Service Management | systemctl restart, systemctl stop, service restart |
| Process Control | kill, pkill, killall |
| Package Management | apt install, yum install, npm install |
| File Modification | vim, nano, sed -i, mv, cp |
| Configuration Changes | Editing config files |
| Network Changes | iptables, firewall rules |
| User Management | useradd, usermod, passwd |
Blocked Commands (Never Executed)
These dangerous operations are blocked entirely:
rm -rf /Recursive delete of system directoriesshutdown, reboot
Without explicit request
mkfs, fdisk
Disk formatting
:(){:|:&};Fork bombs and resource exhaustioncurl | bashDownloading and executing remote scripts/etc/shadowPassword/shadow file accessApproval Workflow
When Hive needs to run a command that could change your system:
systemctl restart nginxYou're Always in Control
Network Security
Outbound-Only Connections
The Hive agent only makes outbound HTTPS connections. Your servers never expose inbound ports, eliminating a major attack surface.
Encrypted Communication
| Layer | Protection |
|---|---|
| Transport | TLS 1.2+ encryption for all connections |
| Authentication | API key authentication per agent |
| Authorization | Role-based access control (RBAC) |
Firewall Friendly
- Works through NAT and corporate firewalls
- No VPN required
- No SSH port exposure needed
Access Control
Role-Based Permissions
| Role | Capabilities |
|---|---|
| Viewer | View server status, read logs |
| Operator | Run diagnostic commands, AI chat |
| Admin | Approve changes, manage agents |
| Owner | Full access, manage team members |
Team Collaboration
- All team members can use AI Chat
- Actions are logged per user
- Audit trail for compliance
Audit Logging
Every action is logged with:
| Field | Description |
|---|---|
| Timestamp | When the action occurred |
| User | Who initiated the action |
| Agent | Which server was affected |
| Command | Exact command executed |
| Output | Command result |
| Approval | Who approved (if required) |
2024-01-15 14:32:18 | john@company.com
Agent: production-web-01
Command: systemctl restart nginx
Status: Approved & Executed
Approved by: john@company.com
FAQ
Hive has multiple safety guards. Dangerous commands are blocked, and risky ones require your explicit approval.
Hive can read files to help troubleshoot, but it will ask approval before modifying anything.
You always approve changes before they happen. You can reject any suggestion without consequence.
All connections are encrypted (TLS 1.2+), and your servers never expose inbound ports.