Documentation

Everything in ARXOS, from the kernel scheduler to the dock.

A citadel, armed. Offensive and defensive security on a system that was actually designed.

Overview

ARXOS is a heavily-modified Arch system for offensive & defensive security, focused on speed and performance. It pairs a complete security arsenal (2840+ tools under the Weapons menu) with a refined, cohesive desktop, a graphical Calamares installer, and a native tool suite.

  • Default user: arxos · password: root (passwordless sudo via wheel)
  • Kernel: linux-arxos, a source-built BORE + ThinLTO kernel, pinned; switch to rolling linux-arxos-zen anytime from the Control Center
  • Desktop: a refined, cohesive environment on XFCE 4.20
  • Shell: zsh + starship · prompt arxos@admin (user)
  • Runs on: bare metal, QEMU/KVM, VirtualBox and VMware

Install

Write the ISO to a USB drive, boot the live desktop, then launch the installer.

# write the ISO (replace sdX with your drive) sudo dd if=arxos-0.0.1-x86_64.iso of=/dev/sdX bs=4M status=progress oflag=sync # boot it, then on the desktop: Install ARXOS # the Calamares (Qt6) wizard handles the rest

On bare metal it ships firmware + CPU microcode and the full driver set; in a VM it auto-detects the hypervisor and resizes to fit.

The Desktop

A desktop ARXOS makes its own: a top menubar with the Weapons app menu, a centered dock, fluid window controls and a host-matched font stack.

  • App menu → the arsenal lives under a dedicated Weapons menu (red Arch icon).
  • Sensible shortcuts, a themed terminal, and a curated wallpaper slideshow.

arx, the package manager

A quiet TUI over pacman. It suppresses every repo/sync log, shows a clean phase spinner, and collapses errors into one accurate line. All friendly aliases route through it.

PackagesDoes
arx updateUpgrade system + every ARXOS tool, one unified pass
arx toolsSync just the ARXOS tools
arx weapons [grp]Browse / install the arsenal (see below)
arx install <pkg>Install package(s) — arx <pkg> works too
arx install <file>Install a .deb / .rpm / .tar.* / .pkg.tar.* / .AppImage / .zip
arx pip install <pkg>Python packages, with the system-package override
arx aur <pkg>Install from the AUR
arx remove <pkg>Remove package(s) + unused deps
arx downgrade <pkg>Roll a package back to an earlier version
Query
arx search <term>Search the repositories
arx info <pkg>Package details
arx list [filter]Installed packages
arx outdatedList available updates (no install)
arx owns <file>Which package owns a file
arx files <pkg>List a package's files
arx provides <file>Which repo package provides a file
Maintenance
arx mirrorsRank the fastest mirrors
arx keysRepair the keyring / signatures
arx fixRepair lock, keys, mirrors and the database in one go
arx cleanTrim the package cache
arx orphansRemove orphaned deps

Add -y / --yes to assume yes on any command.

Aliases & shortcuts

The default zsh ships loaded with quality-of-life aliases and functions, tuned for security work. A useful cross-section:

Files & system

ll la lt tree # eza listings: long / all / by-time / tree cp mv rm mkdir # safe by default (-i, verbose, mkdir -p) df du free # human-readable · ports # listening sockets myip myip6 # your public v4 / v6 psg name # grep the process list extract file # unpack any archive · mkcd dir # make + cd

Git

gs ga gaa gc gp gl gd # status add add-all commit push pull diff (delta) glog gco gb gst # graph log · checkout · branch · stash gundo gamend gwip gpf # soft-undo · amend · wip commit · force-with-lease

Offensive shortcuts

revshell ip port # print reverse-shell one-liners listen port # nc listener · rlisten # rlwrap'd · ttyup # full TTY portscan host # quick nmap · alive cidr # host discovery setdomain dom; kerberoast; asreproast # AD roasting getTGT getTGS getNPUsers getUserSPNs # impacket shorthands genpass [len] # strong random password hexenc hexdec urlencode urldecode # quick encoders

Package aliases route through arx: yayup = arx update, yayi = arx aur, yayrm = arx remove. Edit them in ~/.zshrc and run reload.

arxctl, the Control Center

ARXOS' own Control Center, a real-time GTK GUI (a clean TUI is still a terminal away via arxctl). Launch from the dock, or with arxctl-gui. Every option is a live card, no terminal pops up.

  • Update (system + tools) · Kernels · Performance (CPU governor) · Privacy (Tor)
  • Snapshots · Services · Wallpaper · System info, each refreshing in real time

Self-update, one unified updater

Every ARXOS tool is its own GitHub repo under thearxos. A single arx update upgrades the system and pulls + reinstalls every ARXOS tool, one command, one clean loader. A systemd timer keeps it current automatically.

# system packages + every ARXOS tool, in one pass arx update # just the ARXOS tools (the former standalone arxupd) arx tools # (maintainers) commit + push all feature repos at once arxpush "message"

The manifest lives at /etc/arxos/repos.list and points only at thearxos/* repos.

Kernels

ARXOS boots linux-arxos, a source-built BORE + ThinLTO kernel pinned to a known-good version. Switch, update or roll back from arxctl → Kernels:

  • linux-arxos, the pinned default: BORE scheduler, Clang ThinLTO, 1000 Hz, BBRv3, built for x86-64-v3
  • linux-arxos-zen, rolling and performance first: BORE + full Clang LTO, always the freshest base
  • Every build is a versioned release, so you update to the newest or roll back to any earlier kernel in one click, and pick which one boots
  • Self-sufficient: it provides the base kernel and headers, so DKMS and every tool build against it and no stock kernel is needed

Weapons, the arsenal

ARXOS curates 2860+ tools across four menus. Nothing is preloaded on Scout, so browse with arx weapons and install a whole category by its code, or the lot, on demand:

# browse everything, or one menu arx weapons arx weapons Offensive # install a category by its code, or all of it arx weapons install web # every web tool arx weapons install exp # every exploitation tool arx weapons install all # the entire arsenal

Offensive · 824 tools

exp exploitation (181) · pwd passwords (161) · win Windows/AD (158) · wire wireless (69) · se social-eng (60) · c2 C2 (52) · dos DoS (27) · bt Bluetooth (26) · voip VoIP (22) · tun tunneling (18) · spoof spoofing (18) · steg stego (13) · wl wordlists (5) · drone drones (4) · auto automation (4) · key keyloggers (3) · eva evasion (2) · nfc NFC (1)

Bug Bounty · 1339 tools

web web apps (319) · scan scanning (310) · recon recon (257) · net network (146) · auto automation (109) · fuzz fuzzing (85) · mob mobile (46) · prox proxies (31) · fp fingerprinting (30) · db databases (5) · ids IDS (1)

Defensive · 290 tools

for forensics (126) · blue blue-team (44) · sniff sniffing (39) · mal malware analysis (32) · audit auditing (30) · honey honeypots (16) · af anti-forensics (2) · threat threat intel (1)

Research · 413 tools

misc misc (148) · crypt crypto (80) · bin binary (63) · rev reversing (33) · sdr SDR (30) · dec decompilers (18) · dis disassembly (17) · dbg debugging (10) · hw hardware (5) · ai AI/ML (5) · fw firmware (4)

Privacy & AnonKit

Firefox ships arkenfox-level hardened (fingerprint resistance, HTTPS-only, encrypted DNS, zero telemetry) and Brave comes debloated. ArxOS AnonKit then routes the whole system through Tor from one place:

anonkit start # transparent Tor: DNS closed, MAC spoofed, IPv6 off anonkit stop # restore the network exactly as it was anonkit --new # fresh Tor circuit / new exit IP anonkit --safe # leak test: Tor routing, DNS/IPv6, kill-switch, MAC anonkit --mac # spoof your MAC (random vendor) anonkit --snowflake # reach Tor over a Snowflake bridge to beat censorship

Hide Tor from your ISP

Chain a VPN in front of Tor so your ISP only ever sees the VPN, never Tor, that is the correct order:

arxos-vpntor # auto-pulls a free VPN Gate config, then VPN → Tor arxos-vpntor --own f.ovpn # use your own hardened .ovpn (script-locked)

Or use the GUI

Launch anonkit-gui from the dock: Start/Stop Tor, New Identity, Safety Test, MAC spoof + vendor, obfs4 / Snowflake bridges and live status, all passwordless via a scoped polkit rule. Control Center → Privacy shows the same toggle and your current exit IP.

AnonKit is honest about the limits: the leak test tells you exactly what is and isn't covered, and stopping it puts your original MAC, DNS and firewall back. No tool makes you invisible, this makes your posture verifiable.

arxguard, zero-trust command guard

Every command is screened before it runs. On bash, CRITICAL findings are blocked; MEDIUM findings warn and continue. Zero overhead on clean input, a pure-shell scan, no per-command process.

  • Blocked: homograph / IDN URLs (a hidden Cyrillic і), bidi / invisible characters, base64 → bash, pipe-to-root-shell, fork bombs, rm -rf /, dd/mkfs to a disk
  • Warned: curl … | sh, chmod 777, credential-file exfiltration, raw-IP fetches
arxguard status # live protection state arxguard test # detection self-test arxguard check -- '<cmd>' # screen a command by hand ARXGUARD=0 <cmd> # bypass once

A minimal, self-owned reimplementation of the threat model from tirith, ARXOS keeps an upstream watch (arxguard upstream-check) instead of vendoring the dependency.

Hardware & VMs

ARXOS runs on real hardware and in any hypervisor. It ships linux-firmware, Intel/AMD microcode, NVIDIA (dkms), mesa/vulkan, and the RTL8812AU Wi-Fi driver. On login it detects the environment and starts the right resize/guest agent, QEMU/KVM (spice-vdagent), VirtualBox (VBoxClient), VMware (open-vm-tools), or nothing extra on bare metal.

FAQ

Login credentials?

User arxos, password root. Root password is also root. Sudo is passwordless.

How do I update everything?

One command: arx update upgrades system packages and every ARXOS tool in a single pass. To do just the tools, arx tools. A systemd timer also keeps it current automatically.

Does it run on bare metal?

Yes, firmware, microcode and the full driver set are included; the VM-only agents simply stay idle.

© 2026 ARXOS 0.0.1 · oxborn3.com · github.com/thearxos