Point-in-time forensic snapshot platform for Linux — built for analysts who operate where cloud connectivity is prohibited. Designed for air-gapped, offline, and forensically sensitive environments.
-blue){kind=icon}
Orin captures point-in-time snapshots of critical OS state, compares them against trusted baselines, identifies anomalous behaviour, and produces tamper-evident evidence bundles — all without any network access, telemetry, or cloud dependencies. Built for air-gapped networks, classified environments, and forensically sensitive systems.
- Why Orin?
- Quick Start
- Installation
- Usage
- Capabilities
- Configuration
- Threat Detection
- Testing
- Contributing
- Security
- Documentation
Most Linux security tools require a persistent daemon, a cloud backend, continuous network connectivity, or a large footprint of third-party packages — none of which are compatible with hardened, air-gapped, or forensically sensitive environments.
Orin requires none of these. It operates entirely from the Python standard library, reads directly from kernel interfaces (/proc, /sys, /var/log), and stores all evidence locally.
| Orin | Falco | osquery | Wazuh | |
|---|---|---|---|---|
| Runtime dependencies | stdlib (+ libbpf optional) | Kernel driver / eBPF | Standalone binary | Agent + manager |
| Network required | Never | Optional | Optional | Yes |
| Cloud dependencies | Zero | Optional | Optional | Required |
| Air-gap safe | ✅ Out-of-the-box | ❌ Requires manager | ||
| Multi-tenant hub | ✅ | ❌ | ❌ | |
| Offline threat intel | ✅ STIX / CSV / TAXII | ❌ | ❌ | ❌ |
| Forensic evidence signing | ✅ HMAC-SHA256 + AES-256-GCM | ❌ | ❌ | ❌ |
| Anti-forensics detection | ✅ wtmp / lastlog | ❌ | ❌ | ❌ |
| Real-time eBPF streaming | ✅ Ring-buffer consumer | ✅ Full IDS | ❌ |
Target use cases: Security engineers, forensic analysts, incident responders, and system administrators operating in air-gapped environments, SCIFs, classified networks, industrial control systems, and any infrastructure where data must remain strictly on-premises.
# One-time initialization — creates the vault and records trusted baselines
sudo orin init
# Core workflow
sudo orin collect # Capture a system state snapshot
sudo orin analyze # Evaluate against threat detection rules
sudo orin report # Generate a forensic briefing
# Automate collection every 10 minutes
sudo orin schedule --install
# Launch the local web dashboard (prints a one-time access token)
sudo orin serve
# Scan a remote host over SSH (stdlib-only agent; pure-Bash fallback available)
sudo orin scan --host 192.168.1.50 --user root --init
# Real-time eBPF telemetry streaming (requires libbpf)
sudo orin stream --verbose
# Prune old snapshots
sudo orin vault prune --older-than 30
# Centralized fleet hub for multi-tenant forensic management
sudo orin hub-serve 8000 --host 0.0.0.0 --cert /path/to/cert.pem --key /path/to/key.pemRequirements: Python ≥ 3.10 (only required for source installation). Optional: system
libbpffor real-time eBPF streaming.
Method A — Pre-compiled Offline Setup Bundle (Recommended)
For air-gapped systems or targets without a Python environment, download the orin-1.2.0-linux-x86_64.tar.gz standalone release tarball and run:
tar -xzf orin-1.2.0-linux-x86_64.tar.gz
cd orin-1.2.0-linux-x86_64
chmod +x install.sh && ./install.shThis securely deploys the pre-compiled orin binary, default configuration templates, and rules locally (under $HOME/.local/bin for user mode or /usr/local/bin for system mode) with zero internet dependencies.
Method B — Automated Installer from Source
If installing directly from the source directory:
chmod +x install.sh && ./install.shMethod C — System-wide (via pip)
sudo pip install . --break-system-packagesMethod C — Development mode
pip install -e .
PYTHONPATH=src python -m orin.main <subcommand>Optional: Enable eBPF real-time streaming
Runtime hosts only need the system libbpf shared library — no compiler or kernel headers required.
# Debian / Ubuntu
sudo apt-get install libbpf1
# RHEL / Rocky / Alma
sudo dnf install libbpfTo modify and recompile the eBPF source itself:
sudo ./scripts/setup_ebpf.sh --buildSee EBPF_TROUBLESHOOTING.md for kernel/BTF prerequisites and common errors.
All subcommands that read privileged files (/proc/kallsyms, /var/log/auth.log, etc.) produce richer output when run as root.
init → collect → analyze → report
↓
delta / diff / export / verify / serve / schedule / stream
Tip: Use
orin schedule --installto automate thecollect → analyzecycle. Useorin streamfor real-time eBPF telemetry (requireslibbpf).
Create the SQLite vault and record immutable baselines for trusted kernel modules, user accounts, and SUID/SGID binaries.
sudo orin initHarvest a full system state snapshot and persist it to the vault.
sudo orin collect
sudo orin collect --parallel --workers 4 # Concurrent collection (~15× faster)See PARALLEL_COLLECTION_FEATURE.md.
Evaluate the latest snapshot against all threat detection rules and produce a severity-tiered risk score (0–100).
sudo orin analyzeCompile a forensic briefing from the latest snapshot and unresolved alerts.
sudo orin report --format html --output /tmp/orin_report.html
sudo orin report --format markdown --output /tmp/orin_report.mdLaunch the eBPF real-time telemetry consumer. Streams execve, connect, and openat events via the kernel ring buffer into SQLite.
sudo orin stream --verboseStart a local forensic web console on 127.0.0.1:8000. A one-time session token is printed to the terminal on each start.
sudo orin serve
sudo orin serve --port 9090
sudo orin serve --no-auth # Trusted networks onlyAgentless remote scan over SSH. Uses a stdlib-only Python agent with a pure-Bash fallback for Python-less systems.
sudo orin scan --host 192.168.1.50 --user root --key ~/.ssh/id_ed25519
sudo orin scan --host 192.168.1.50 --user root --init # Initialize baselineSee SSH_GUIDE.md.
Install or remove the automated collect → analyze cron job.
sudo orin schedule --install --interval 10
sudo orin schedule --status
sudo orin schedule --removeManage snapshot lifecycle.
sudo orin vault stats
sudo orin vault prune --older-than 30 --dry-run
sudo orin vault prune --keep-last 10 --execute
sudo orin vault prune --keep-last 10 --no-preserve-critical --executesudo orin delta --base 1 --target 3
orin diff /backups/orin_day1.db /var/lib/orin/orin_vault.db
sudo orin export --snapshot 2 --secret "passphrase"
orin verify --file orin_export_snap_2.json --secret "passphrase"Orin implements 57 forensic capabilities across 8 functional domains. See CAPABILITIES.md for the full annotated reference.
Collection modules: Process Tree Harvester · Network Socket Auditor · Kernel Module & Symbol Auditor · User & SSH Key Inventory · File Integrity Monitor · Auth Log Parser & Sigma Engine · In-Memory Executable Recovery · Promiscuous Mode Auditor · Binary Session Auditor · Hidden Process Detector · Package Integrity Engine · Scheduled Task Harvester · eBPF & File Descriptor Auditor · DNS Forensics & Tunneling Detection · Triggered PCAP Capture · Privilege & Identity Tracker
Analysis & detection: Threat Detection Rules Engine · Forensic Alert Auto-Resolution · YARA Engine · Sigma Rule Evaluator · MITRE ATT&CK Mapper · Snapshot Comparator · Timeline Delta Calculator · AI Forensic Triage (Ollama)
Evidence handling: Cryptographic Export (HMAC-SHA256) · Encrypted Vault (AES-256-GCM) · Offline Threat Intel Importer
Operations: Local Web Dashboard · Fleet Hub · Agentless SSH Scanner · Automated Scheduler · Parallel Collection Engine · Vault Lifecycle Management · Agent Self-Defense Hardening · Health & Readiness Probes
Performance notes:
- Stat-based FIM cache:
os.stat()metadata (mtime,ctime,size) is compared before any SHA-256 hash is computed; unchanged files are never read. - Lazy SHA-256 in package integrity: MD5 is checked first; SHA-256 is computed only on confirmed mismatch, eliminating redundant hashing on clean systems.
orin/
├── orin_config.json # User configuration (optional)
├── install.sh # Automated installer
├── pyproject.toml # Packaging metadata
├── src/orin/
│ ├── main.py # CLI entry point & subcommand router
│ ├── core/
│ │ ├── agent_signing.py # HMAC-SHA256 remote agent signing & verification
│ │ ├── config.py # JSON config loader with deep-copy defaults
│ │ ├── credentials.py # Secure credential handling
│ │ ├── crypto.py # HMAC-SHA256 signing, AES-256-GCM vault encryption
│ │ ├── database.py # SQLite ORM, connection pool, WAL mode
│ │ ├── health.py # /health, /ready, /api/metrics endpoints
│ │ ├── hub_server.py # Fleet hub server (orin hub-serve)
│ │ ├── logging.py # JSON structured logging with rotation
│ │ ├── notifier.py # Alert forwarding: webhooks, syslog, retry
│ │ ├── rate_limiter.py # SSH rate limiting with exponential backoff
│ │ ├── scanner.py # SSH agentless scanner orchestrator
│ │ ├── scheduler.py # Cron automation (orin schedule)
│ │ ├── self_defense.py # AppArmor / SELinux / Seccomp hardening
│ │ ├── self_verify.py # Runtime self-integrity check
│ │ ├── server.py # HTTP server + REST API + auto-token auth
│ │ ├── validators.py # Input validation & sanitization
│ │ └── dashboard.html # Single-page forensic console
│ ├── collectors/
│ │ ├── connections.py # /proc/net TCP/UDP socket parser
│ │ ├── crontabs.py # Cron job harvester & anomaly detector
│ │ ├── deleted_binaries.py # In-memory deleted executable recovery
│ │ ├── dns_forensics.py # DNS tunneling & DGA detection
│ │ ├── ebpf.py # eBPF program, pinned map & ld.so.preload auditor
│ │ ├── integrity.py # SHA-256 FIM with stat-cache acceleration
│ │ ├── kernel.py # LKM enumeration & kallsyms rootkit analysis
│ │ ├── logs.py # Auth log & journald collection
│ │ ├── parallel.py # ThreadPoolExecutor parallel collection engine
│ │ ├── persistence.py # Persistence mechanism detection
│ │ ├── pkg_integrity.py # dpkg md5sums verification
│ │ ├── privilege_audit.py # PAM / eBPF privilege escalation & credential tracking
│ │ ├── processes.py # /proc process tree harvester
│ │ ├── promisc.py # IFF_PROMISC flag auditor
│ │ ├── remote_agent.py # Stdlib-only remote collection agent (Python)
│ │ ├── remote_agent.sh # Pure-Bash fallback remote agent
│ │ ├── session_audit.py # wtmp / lastlog parser & anti-forensics detector
│ │ ├── suid.py # SUID/SGID discovery & baselining
│ │ ├── triggered_pcap.py # PCAP capture on forensic triggers
│ │ └── users.py # /etc/passwd & SSH authorized_keys inventory
│ └── analysis/
│ ├── diff.py # Snapshot comparator
│ ├── engine.py # Threat detection rules engine
│ ├── reporter.py # Markdown & HTML report generator
│ ├── timeline.py # Timeline delta calculator
│ └── unhide.py # Hidden process detector
└── tests/ # See docs/TESTING.md
Orin searches for orin_config.json in ./ then /etc/orin/, falling back to built-in defaults. The keys below cover the most commonly tuned options. For a complete reference — all config keys, environment variables, and CLI credential flags — see CONFIGURATION.md.
{
"expected_ports": [22, 80, 443, 631, 3306, 5432, 6379, 8080, 8443],
"whitelisted_processes": ["code", "chrome", "language_server"],
"critical_paths": ["/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config", "/etc/sudoers", "/etc/crontab"],
"critical_dirs": ["/etc/cron.d", "/etc/systemd/system"]
}export ORIN_VAULT_PASSPHRASE="your-strong-passphrase"
sudo orin init
sudo orin collectAll snapshot data is encrypted before SQLite storage using AES-256-GCM with PBKDF2-HMAC-SHA256 key derivation (600,000 iterations). Without a passphrase, the vault operates in unencrypted mode with full backward compatibility.
Secure credential input alternatives:
--secret-file /path/to/pass.txt # File with mode 0600
--secret-prompt # Interactive masked prompt
--secret-env-var MY_VAR # Custom environment variable namePush critical alerts to analysts without polling the dashboard. Supports Slack Block Kit, Microsoft Teams Adaptive Cards, generic JSON webhooks, and syslog — all via Python stdlib (urllib.request).
{
"notifications": {
"enabled": true,
"min_severity": "high",
"syslog": { "enabled": true, "facility": "LOG_LOCAL0", "tag": "orin-alert" },
"webhooks": [
{
"name": "ops-slack",
"url": "http://192.168.1.10:8080/slack-webhook",
"format": "slack",
"min_severity": "critical",
"timeout_seconds": 10,
"enabled": true
}
],
"retry": { "max_attempts": 3, "backoff_seconds": 5 },
"audit_log": "/var/log/orin/notification_audit.log"
}
}Forwarding runs automatically after every orin analyze. Failed deliveries retry with exponential backoff and are recorded in the JSONL audit log; they never abort the analysis cycle.
See THREAT_DETECTION.md for the complete rule catalogue, covering:
- Process & execution anomalies (kernel thread masquerade, reverse shells, volatile-path execution)
- Kernel & rootkit indicators (suspicious
kallsymsentries, eBPF program anomalies) - Persistence mechanisms (SSH key drift, unauthorized accounts, cron job changes)
- Network & communications (promiscuous mode, DNS tunneling, DGA detection, C2 beaconing)
- File integrity & tampering (FIM violations, package integrity, YARA signature matches)
- Identity & privilege escalation (PAM brute force, sudo abuse, credential access)
ORIN_TEST_FAST=1 pytest --cov=orin --cov-report=term-missingThe CI pipeline enforces an 85% minimum coverage gate. See TESTING.md for environment setup, test modes, and contributor guidelines.
Contributions are welcome. Before opening a pull request:
- Run
ORIN_TEST_FAST=1 pytestand confirm the 85% coverage gate passes. - New test files belong in
tests/, prefixedtest_*.py. - Review ROADMAP.md for current priorities to avoid duplicate effort.
- Keep collectors stdlib-only where possible — Orin's zero-dependency posture is a core design requirement.
To report a vulnerability, do not open a public issue. Use GitHub's private security advisory workflow or contact the maintainer directly. See SECURITY.md for the disclosure process and response timelines.
| Document | Description |
|---|---|
| DOCUMENTATION.md | Full practitioner's guide — architecture, workflows, module internals |
| CAPABILITIES.md | Complete annotated capability reference (57 modules) |
| CONFIGURATION.md | All config keys, environment variables, and CLI flags |
| THREAT_DETECTION.md | Complete threat detection rule catalogue |
| DASHBOARD_GUIDE.md | Dashboard architecture, API reference, and JavaScript function reference |
| SSH_GUIDE.md | Remote scanning, host key verification, and rate limiting |
| AGENT_SIGNING_GUIDE.md | HMAC-SHA256 agent signing for remote deployments |
| DATABASE_INTERNALS.md | Connection pool, PRAGMAs, and encrypted storage internals |
| PARALLEL_COLLECTION_FEATURE.md | Concurrent collection via ThreadPoolExecutor |
| EBPF_TROUBLESHOOTING.md | eBPF streaming setup, kernel prerequisites, error reference |
| SCHEMA.md | SQLite database schema reference |
| STATUS.md | Platform support matrix, deployment assumptions, known limitations |
| ROADMAP.md | Project direction and phased development plan |
| TESTING.md | Test setup, coverage requirements, and contributor guidelines |
| SECURITY.md | Vulnerability reporting and security design notes |
GNU AGPLv3 — see LICENSE for details.