---
title: Passive OSINT Control Panel
emoji: 🛰️
colorFrom: gray
colorTo: indigo
sdk: gradio
sdk_version: 6.13.0
app_file: app.py
pinned: false
license: apache-2.0
short_description: Drift-aware, passive OSINT control system.
---

<p align="center">
  <img src="https://img.shields.io/badge/Hugging%20Face-Space-yellow?logo=huggingface" alt="Hugging Face Space">
  <img src="https://img.shields.io/badge/SDK-Gradio%206.13.0-orange?logo=gradio" alt="Gradio SDK">
  <img src="https://img.shields.io/badge/Python-3.13-blue?logo=python" alt="Python">
  <img src="https://img.shields.io/badge/License-Apache--2.0-green" alt="Apache 2.0 License">
  <img src="https://img.shields.io/badge/OSINT-Passive%20by%20Default-indigo" alt="Passive OSINT">
  <img src="https://img.shields.io/badge/Drift--Aware-Control%20Loop-purple" alt="Drift-Aware Control Loop">
  <img src="https://img.shields.io/github/actions/workflow/status/canstralian/PassiveOSINTControlPanel/ci.yml?branch=main&label=CI&logo=github" alt="CI Status">
  <img src="https://img.shields.io/github/actions/workflow/status/canstralian/PassiveOSINTControlPanel/sync-huggingface.yml?branch=main&label=Sync&logo=github" alt="HF Sync Status">
  <img src="https://img.shields.io/github/last-commit/canstralian/PassiveOSINTControlPanel?logo=github" alt="Last Commit">
  <img src="https://img.shields.io/github/issues/canstralian/PassiveOSINTControlPanel?logo=github" alt="Open Issues">
  <img src="https://img.shields.io/github/license/canstralian/PassiveOSINTControlPanel" alt="License">
  <img src="https://img.shields.io/badge/Sync-setup-lightgrey" alt="Sync">
</p>

# Passive OSINT Control Panel (Hugging Face Space)

## Overview
The Passive OSINT Control Panel is a controlled, security-first environment for conducting open-source intelligence (OSINT) enrichment. It is designed to operate as a passive system by default, generating intelligence from publicly available data sources without interacting directly with third-party infrastructure unless explicitly authorized.

The system is structured as a layered pipeline:

```text
Input → Validation → Sanitisation → Normalisation → Hashing → Passive Enrichment → Caching → Reporting → Audit Logging
```

This architecture ensures that all inputs are treated as untrusted, all outputs are controlled, and all actions are traceable.

---

## Design Principles

1. Passive by Default  
No active probing, scanning, or intrusive techniques are executed unless explicitly enabled and authorized.

2. Input is Hostile  
All user input is validated, sanitised, normalized, and constrained before processing.

3. Privacy-Preserving  
Indicators are hashed using salted HMAC before logging or persistence. Raw sensitive values are minimized.

4. Explicit Authorization Gates  
Any module that may interact with external targets requires an explicit "authorized target" confirmation.

5. Deterministic & Auditable  
Every run is logged with reproducible inputs (hashed), module selections, and outputs.

6. Least Privilege Execution  
Modules are isolated and constrained by scope, rate limits, and timeouts.

---

## Features

### Passive OSINT Modules
- WHOIS lookup
- DNS resolution (A, MX, TXT, NS)
- Certificate Transparency (e.g., crt.sh links)
- Username footprint link generation
- Metadata extraction (user-uploaded files only)
- Robots.txt retrieval (authorized targets only)
- HTTP header inspection (authorized targets only)

### Core Capabilities
- Indicator normalization (domains, usernames, emails)
- Sanitisation and injection protection
- Salted HMAC hashing for all stored indicators
- Structured audit logging
- Markdown/JSON report generation
- Cached enrichment results
- Rate-limited execution

---

## System Architecture

```text
┌─────────────────────┐
│       UI Layer      │
│ (Gradio / Streamlit)│
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Input Validation    │
│ & Sanitisation      │
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Normalisation       │
│ (domain/user/email) │
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Hashing Layer       │
│ (HMAC + Salt)       │
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Enrichment Engine   │
│ (Passive Modules)   │
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Reporting Engine    │
└─────────┬───────────┘
          │
┌─────────▼───────────┐
│ Audit Log + Cache   │
└─────────────────────┘
```

---

## Security Controls

### Input Handling
- Length constraints
- Character whitelisting
- HTML escaping
- Control character removal
- Strict format validation (domains, usernames)

### Hashing Strategy
- HMAC-SHA256 with environment-provided salt
- Case-normalized inputs prior to hashing
- No storage of raw indicators unless required
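The input-handling and hashing rules above, carried through for one domain indicator. This is an added example, not code from the `osint_core` package; the function names, the 253-character limit, the label regex and the `test-salt` value used by `accepts()` are assumptions, while the `OSINT_HASH_SALT` variable is the one the README names.

```python
import hashlib
import hmac
import html
import os
import re
from typing import Optional

MAX_INPUT_LEN = 253  # assumed limit: RFC 1035 hostname bound
# One DNS label: 1-63 chars from the allowlist, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def sanitise(raw: str) -> str:
    """Length check, control-character removal, trim, then HTML escaping."""
    if len(raw) > MAX_INPUT_LEN:
        raise ValueError("input exceeds length limit")
    cleaned = "".join(ch for ch in raw if ch.isprintable())
    return html.escape(cleaned.strip(), quote=True)


def normalise_domain(value: str) -> str:
    """Case-fold, drop a trailing dot, and require every label to match."""
    domain = value.lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError("not a valid domain")
    return domain


def hash_indicator(normalised: str, salt: Optional[bytes] = None) -> str:
    """Salted HMAC-SHA256; the salt is OSINT_HASH_SALT unless given explicitly."""
    key = salt if salt is not None else os.environ["OSINT_HASH_SALT"].encode()
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()


def process_domain(raw: str, salt: Optional[bytes] = None) -> dict:
    """Run every stage in order; anything that fails raises ValueError."""
    domain = normalise_domain(sanitise(raw))
    return {"normalised": domain, "indicator_hash": hash_indicator(domain, salt)}


def accepts(raw: str) -> bool:
    """True when the input survives all stages (handy for rejection tests)."""
    try:
        process_domain(raw, salt=b"test-salt")  # assumed salt, tests only
        return True
    except ValueError:
        return False
```

Escaping before validation is deliberate: anything that HTML-escaping rewrites (`<`, `>`, `&`, quotes) can no longer satisfy the label allowlist, so such input is rejected rather than stored in escaped form.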

### Secrets Management
- All secrets stored via Hugging Face Space Secrets
- No credentials committed to repository

### Execution Guardrails
- Rate limiting per request
- Per-module timeout enforcement
- Module allowlisting
- Authorization gating for external interaction

---

## Authorization Model

Modules are categorized by risk level:

```text
LOW RISK (Passive Only)
- DNS
- WHOIS
- Certificate transparency
- Link generation

CONDITIONAL (Requires Authorization)
- HTTP headers
- robots.txt retrieval
- webpage screenshotting
```

Authorization flow:

```text
User Input → Validation → Authorization Checkbox → Risk Disclosure → Module Execution (if approved) → Logged Outcome
```

---

## Repository Structure

```text
.
├── app.py
├── requirements.txt
├── README.md
├── Dockerfile
├── data/
│   └── sources.yaml
├── osint_core/
│   ├── validators.py
│   ├── sanitize.py
│   ├── hashing.py
│   ├── enrichment.py
│   ├── reports.py
│   ├── audit.py
│   └── policy.py
├── tests/
│   ├── test_validators.py
│   ├── test_sanitize.py
│   ├── test_hashing.py
│   └── test_enrichment.py
```

---

## Installation & Deployment

### Local Development

```bash
git clone <repo>
cd osint-control-panel
pip install -r requirements.txt
export OSINT_HASH_SALT="your-secure-random-salt"
python app.py
```

### Hugging Face Space Deployment

1. Create a new Space (Gradio SDK recommended)
2. Push repository
3. Configure Secrets:
   - OSINT_HASH_SALT
   - Any API tokens (optional)
4. Select hardware tier (CPU sufficient for passive mode)

---

## Testing & Assurance

### Test Stack

```bash
pytest
bandit -r osint_core/
ruff check .
pip-audit
```

### Coverage Areas
- Input validation rejection cases
- Sanitisation correctness
- Hash consistency and salt variation
- Module output structure
- Authorization enforcement

---

## Logging & Audit

Each run produces a structured record:

```json
{
  "timestamp": "ISO8601",
  "run_id": "unique_case_id",
  "input_type": "domain|username|email",
  "indicator_hash": "HMAC_SHA256",
  "modules": ["dns", "whois"],
  "mode": "passive|authorized",
  "authorized_target": false,
  "duration_ms": 320
}
```

Logs are designed for:
- Reproducibility
- Forensic traceability
- Compliance review
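The authorization gate from the Authorization Model section together with the run record above, as one added example (not the project's `policy.py` or `audit.py`). Assumptions: the module identifiers, the rule that `mode` is `"authorized"` only when a CONDITIONAL module actually ran, and the extra `refused_modules` field, which the README's record does not have.

```python
import datetime as dt
import uuid
from typing import Dict, List, Tuple

# Assumed module identifiers, following the risk table in the README.
LOW_RISK = {"dns", "whois", "certificate_transparency", "link_generation"}
CONDITIONAL = {"http_headers", "robots_txt", "screenshot"}


def gate_modules(requested: List[str], authorized_target: bool) -> Tuple[List[str], List[str]]:
    """Split a request into modules cleared to run and modules refused.

    LOW_RISK modules always run; CONDITIONAL ones only when the user has
    confirmed an authorized target; anything outside the allowlist is refused
    regardless of the checkbox, so excluded tooling never gets a code path.
    """
    allowed, refused = [], []
    for name in requested:
        if name in LOW_RISK or (name in CONDITIONAL and authorized_target):
            allowed.append(name)
        else:
            refused.append(name)
    return allowed, refused


def build_audit_record(input_type: str, indicator_hash: str, requested: List[str],
                       authorized_target: bool, duration_ms: int) -> Dict:
    """Emit the structured run record; only the HMAC of the indicator is kept.

    'refused_modules' is an addition here (assumption) so a reviewer can see
    what the gate turned away without consulting a separate log.
    """
    allowed, refused = gate_modules(requested, authorized_target)
    ran_conditional = any(name in CONDITIONAL for name in allowed)
    return {
        "timestamp": dt.datetime.now(dt.timezone.utc).isoformat(),
        "run_id": str(uuid.uuid4()),
        "input_type": input_type,
        "indicator_hash": indicator_hash,
        "modules": allowed,
        "refused_modules": refused,
        "mode": "authorized" if ran_conditional else "passive",
        "authorized_target": authorized_target,
        "duration_ms": duration_ms,
    }
```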

---

## Reporting

Outputs can be exported as:
- Markdown reports
- JSON structured data
- CSV summaries

Report sections:
- Input summary (hashed)
- Enrichment findings
- Source links
- Timeline (if applicable)
- Notes

---

## Phase 2: Docker Module Expansion

Docker-based modules enable controlled extension of capabilities under strict authorization.

### Additional Controls
- Container isolation
- Network egress restriction
- Execution sandboxing
- Resource quotas (CPU/memory)
- Explicit module activation

### Allowed Extensions
- Metadata extraction pipelines
- Screenshot rendering
- Technology fingerprinting (authorized targets only)
- Graph analysis

### Explicitly Excluded
- Port scanning (e.g., nmap)
- Mass scanning (e.g., masscan)
- Brute force tools
- Exploitation frameworks

---

## Compliance & Usage Policy

This system is intended strictly for:
- Lawful OSINT research
- Defensive security analysis
- Educational purposes

Users are responsible for:
- Ensuring authorization before interacting with targets
- Complying with applicable laws and policies
- Avoiding misuse of generated intelligence

---

## Roadmap

```text
v1.0
- Passive control panel
- Core enrichment modules
- Hashing + audit system

v1.1
- Graph visualization
- Case persistence

v2.0
- Docker modules
- Authorization workflow
- Advanced reporting

v2.1
- API interface
- MCP integration
```

---

## License
Specify appropriate license (e.g., MIT, Apache 2.0)

---

## Final Notes
This system is intentionally constrained. Its purpose is not to maximize data extraction, but to maximize signal integrity, safety, and reproducibility.

Treat it as an intelligence circuit:
inputs are normalized, processed through bounded modules, and emitted as structured insight, without uncontrolled side effects.