High-risk tools in TrueNAS
34 of the 279 tools in TrueNAS are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- app_start (Execute): Start an installed app by its ID.
- app_stop (Execute): Stop a running app by its ID.
- cloud_backup_run (Execute): Run a cloud backup task now
- cloudsync_run (Execute): Run a cloud sync task now
- cronjob_run (Execute): Run a cron job immediately
- pool_scrub (Execute): Start, stop, or pause a pool scrub
- replication_run (Execute): Manually run a replication task now
- rsync_task_run (Execute): Run an rsync task immediately
- service_restart (Execute): Restart a service by name. Equivalent to stop + start. Useful after configuration changes that require a service reload.
- service_start (Execute): Start a service by name (e.g.
- service_stop (Execute): Stop a running service by name (e.g.
- truenas (Execute): Manage your TrueNAS SCALE system. 278 actions organized in categories. Usage: - No args or category=
- vm_restart (Execute): Restart a running virtual machine by its ID.
- vm_start (Execute): Start a virtual machine by its ID. Optionally allow memory overcommit.
- vm_stop (Execute): Stop a running virtual machine by its ID. Optionally force-stop (power off) instead of graceful shutdown.
- alertservice_test (Execute): Send a test notification through an alert service to verify it is configured correctly.
- app_pull_images (Execute): Pull the latest Docker images for a specific app.
- app_redeploy (Execute): Redeploy an app, recreating its containers with the current configuration.
- app_upgrade (Execute): Upgrade an app to a newer version.
- cloudsync_abort (Execute): Abort a running cloud sync task
- cloudsync_credentials_verify (Execute): Verify a cloud sync credential is working
- directory_services_cache_refresh (Execute): Refresh the directory services cache. Forces re-read of users and groups from the directory server.
- disk_smart_test_run (Execute): Run a SMART test on one or more disks. Returns a job ID for the test.
- filesystem_chown (Execute): Change ownership of a file or directory. Can optionally apply recursively.
- network_checkin (Execute): Check in after committing network changes to confirm they are working. This prevents the automatic rollback that occurs if you don
- snapshot_task_run (Execute): Run a periodic snapshot task immediately
- truenas_api_call (Execute): Make a raw API call to any TrueNAS endpoint not covered by specific tools. This is an escape hatch for advanced or uncommon operations. The body parameter accepts a JSON string ...
- boot_scrub (Execute): Start a scrub of the boot pool to check for and repair data integrity issues.
- bootenv_activate (Execute): Activate a boot environment so it will be used on next boot.
- cronjob_create (Execute): Create a new cron job
- dataset_lock (Execute): Lock an encrypted dataset
- mail_send (Execute): Send a test email to verify mail configuration is working. Provide a subject, body text, and one or more recipient addresses.
- network_commit_changes (Execute): Commit pending network interface changes. Network changes are staged and must be committed to take effect. Use checkin_timeout to set a rollback timer — if you do not check in (...
- update_download (Execute): Download pending system updates. This starts the download process; the system is not updated until update_apply is called.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.