Documentation
Everything in ARXOS, from the kernel scheduler to the dock.
A citadel, armed. Offensive and defensive security on a system that was actually designed.
Overview
ARXOS is a heavily-modified Arch system for offensive & defensive security, focused on speed and performance. It pairs a complete security arsenal (2840+ tools under the Weapons menu) with a refined, cohesive desktop, a graphical Calamares installer, and a native tool suite.
- Default user: arxos · password: root (passwordless sudo via wheel)
- Kernel: linux-arxos, a source-built BORE + ThinLTO kernel, pinned; switch to rolling linux-arxos-zen anytime from the Control Center
- Desktop: a refined, cohesive environment on XFCE 4.20
- Shell: zsh + starship · prompt arxos@admin (user)
- Runs on: bare metal, QEMU/KVM, VirtualBox and VMware
Install
Write the ISO to a USB drive, boot the live desktop, then launch the installer.
On bare metal it ships firmware + CPU microcode and the full driver set; in a VM it auto-detects the hypervisor and resizes to fit.
The Desktop
A desktop ARXOS makes its own: a top menubar with the Weapons app menu, a centered dock, fluid window controls and a host-matched font stack.
- App menu → the arsenal lives under a dedicated Weapons menu (red Arch icon).
- Sensible shortcuts, a themed terminal, and a curated wallpaper slideshow.
arx, the package manager
A quiet TUI over pacman. It suppresses every repo/sync log, shows a clean phase spinner, and collapses errors into one accurate line. All friendly aliases route through it.
| Packages | Does |
|---|---|
| arx update | Upgrade system + every ARXOS tool, one unified pass |
| arx tools | Sync just the ARXOS tools |
| arx weapons [grp] | Browse / install the arsenal (see below) |
| arx install <pkg> | Install package(s) — arx <pkg> works too |
| arx install <file> | Install a .deb / .rpm / .tar.* / .pkg.tar.* / .AppImage / .zip |
| arx pip install <pkg> | Python packages, with the system-package override |
| arx aur <pkg> | Install from the AUR |
| arx remove <pkg> | Remove package(s) + unused deps |
| arx downgrade <pkg> | Roll a package back to an earlier version |
| Query | |
| arx search <term> | Search the repositories |
| arx info <pkg> | Package details |
| arx list [filter] | Installed packages |
| arx outdated | List available updates (no install) |
| arx owns <file> | Which package owns a file |
| arx files <pkg> | List a package's files |
| arx provides <file> | Which repo package provides a file |
| Maintenance | |
| arx mirrors | Rank the fastest mirrors |
| arx keys | Repair the keyring / signatures |
| arx fix | Repair lock, keys, mirrors and the database in one go |
| arx clean | Trim the package cache |
| arx orphans | Remove orphaned deps |
Add -y / --yes to assume yes on any command.
Aliases & shortcuts
The default zsh ships loaded with quality-of-life aliases and functions, tuned for security work. A useful cross-section:
Files & system
Git
Offensive shortcuts
Package aliases route through arx: yayup = arx update, yayi = arx aur, yayrm = arx remove. Edit them in ~/.zshrc and run reload.
arxctl, the Control Center
ARXOS' own Control Center, a real-time GTK GUI (a clean TUI is still a terminal away via arxctl). Launch from the dock, or with arxctl-gui. Every option is a live card, no terminal pops up.
- Update (system + tools) · Kernels · Performance (CPU governor) · Privacy (Tor)
- Snapshots · Services · Wallpaper · System info, each refreshing in real time
Self-update, one unified updater
Every ARXOS tool is its own GitHub repo under thearxos. A single arx update upgrades the system and pulls + reinstalls every ARXOS tool, one command, one clean loader. A systemd timer keeps it current automatically.
The manifest lives at /etc/arxos/repos.list and points only at thearxos/* repos.
Kernels
ARXOS boots linux-arxos, a source-built BORE + ThinLTO kernel pinned to a known-good version. Switch, update or roll back from arxctl → Kernels:
- linux-arxos, the pinned default: BORE scheduler, Clang ThinLTO, 1000 Hz, BBRv3, built for x86-64-v3
- linux-arxos-zen, rolling and performance first: BORE + full Clang LTO, always the freshest base
- Every build is a versioned release, so you update to the newest or roll back to any earlier kernel in one click, and pick which one boots
- Self-sufficient: it provides the base kernel and headers, so DKMS and every tool build against it and no stock kernel is needed
Weapons, the arsenal
ARXOS curates 2860+ tools across four menus. Nothing is preloaded on Scout, so browse with arx weapons and install a whole category by its code, or the lot, on demand:
Offensive · 824 tools
exp exploitation (181) · pwd passwords (161) · win Windows/AD (158) · wire wireless (69) · se social-eng (60) · c2 C2 (52) · dos DoS (27) · bt Bluetooth (26) · voip VoIP (22) · tun tunneling (18) · spoof spoofing (18) · steg stego (13) · wl wordlists (5) · drone drones (4) · auto automation (4) · key keyloggers (3) · eva evasion (2) · nfc NFC (1)
Bug Bounty · 1339 tools
web web apps (319) · scan scanning (310) · recon recon (257) · net network (146) · auto automation (109) · fuzz fuzzing (85) · mob mobile (46) · prox proxies (31) · fp fingerprinting (30) · db databases (5) · ids IDS (1)
Defensive · 290 tools
for forensics (126) · blue blue-team (44) · sniff sniffing (39) · mal malware analysis (32) · audit auditing (30) · honey honeypots (16) · af anti-forensics (2) · threat threat intel (1)
Research · 413 tools
misc misc (148) · crypt crypto (80) · bin binary (63) · rev reversing (33) · sdr SDR (30) · dec decompilers (18) · dis disassembly (17) · dbg debugging (10) · hw hardware (5) · ai AI/ML (5) · fw firmware (4)
Privacy & AnonKit
Firefox ships arkenfox-level hardened (fingerprint resistance, HTTPS-only, encrypted DNS, zero telemetry) and Brave comes debloated. ArxOS AnonKit then routes the whole system through Tor from one place:
Hide Tor from your ISP
Chain a VPN in front of Tor so your ISP only ever sees the VPN, never Tor, that is the correct order:
Or use the GUI
Launch anonkit-gui from the dock: Start/Stop Tor, New Identity, Safety Test, MAC spoof + vendor, obfs4 / Snowflake bridges and live status, all passwordless via a scoped polkit rule. Control Center → Privacy shows the same toggle and your current exit IP.
AnonKit is honest about the limits: the leak test tells you exactly what is and isn't covered, and stopping it puts your original MAC, DNS and firewall back. No tool makes you invisible, this makes your posture verifiable.
arxguard, zero-trust command guard
Every command is screened before it runs. On bash, CRITICAL findings are blocked; MEDIUM findings warn and continue. Zero overhead on clean input, a pure-shell scan, no per-command process.
- Blocked: homograph / IDN URLs (a hidden Cyrillic і), bidi / invisible characters, base64 → bash, pipe-to-root-shell, fork bombs, rm -rf /, dd/mkfs to a disk
- Warned: curl … | sh, chmod 777, credential-file exfiltration, raw-IP fetches
A minimal, self-owned reimplementation of the threat model from tirith, ARXOS keeps an upstream watch (arxguard upstream-check) instead of vendoring the dependency.
Hardware & VMs
ARXOS runs on real hardware and in any hypervisor. It ships linux-firmware, Intel/AMD microcode, NVIDIA (dkms), mesa/vulkan, and the RTL8812AU Wi-Fi driver. On login it detects the environment and starts the right resize/guest agent, QEMU/KVM (spice-vdagent), VirtualBox (VBoxClient), VMware (open-vm-tools), or nothing extra on bare metal.
FAQ
Login credentials?
User arxos, password root. Root password is also root. Sudo is passwordless.
How do I update everything?
One command: arx update upgrades system packages and every ARXOS tool in a single pass. To do just the tools, arx tools. A systemd timer also keeps it current automatically.
Does it run on bare metal?
Yes, firmware, microcode and the full driver set are included; the VM-only agents simply stay idle.