██╗   ██╗███╗   ███╗███████╗███████╗ ██████╗
██║   ██║████╗ ████║██╔════╝██╔════╝██╔════╝
██║   ██║██╔████╔██║███████╗█████╗  ██║
╚██╗ ██╔╝██║╚██╔╝██║╚════██║██╔══╝  ██║
 ╚████╔╝ ██║ ╚═╝ ██║███████║███████╗╚██████╗
  ╚═══╝  ╚═╝     ╚═╝╚══════╝╚══════╝ ╚═════╝

vmsec is a fully open-source, automated security scanning and remediation tool built specifically for Kali Linux virtual machines.

It integrates 10 scanner modules powered by industry-standard open-source tools (ClamAV, rkhunter, chkrootkit, Lynis, AIDE, auditd, and more) into one unified workflow that:

1. Scans your VM for viruses, trojans, malware, rootkits, keyloggers, spyware, backdoors, C2 connections, suspicious processes, insecure configurations, and more
2. Generates a comprehensive, sorted report (plain text + interactive HTML) — findings sorted CRITICAL → LOW, suggestions sorted MUST-DO → OPTIONAL
3. Remediates — auto-fix or manually fix findings, then auto-apply or manually apply suggestions

Note: vmsec is designed for Kali Linux VMs. Many Kali tools (Metasploit, Aircrack-ng, etc.) will trigger false positives in antivirus scanners. vmsec accounts for this — its auto-remediator only touches files in safe locations (/tmp, /var/tmp, ~/Downloads) and never blindly deletes system binaries.

# 1. Clone the repository
git clone https://github.com/arif-offsec/vmsec.git
cd vmsec

# 2. Run the installer
sudo bash install.sh

# 3. Install all security tools
sudo vmsec install

# 4. Run your first full scan
sudo vmsec scan

That's it. vmsec will scan, report, and walk you through fixing anything it finds.

sudo vmsec install              # Install all security tools
sudo vmsec update               # Update all tools + definitions

sudo vmsec scan                 # Full scan (all 10 modules)
sudo vmsec scan --quick         # Quick scan (ClamAV, rkhunter, processes, network)
sudo vmsec scan --module NAME   # Run one specific module

vmsec report                    # Print last report to terminal
vmsec report --html             # Open HTML report in browser

sudo vmsec fix --auto           # Auto-fix all findings (CRITICAL first)
sudo vmsec fix --manual         # Review and fix findings one by one

sudo vmsec suggest --auto       # Auto-apply all MUST-DO suggestions
sudo vmsec suggest --manual     # Review suggestions one by one

vmsec list-modules              # List all scanner modules
vmsec version                   # Show version
man vmsec                       # Full manual page

All tools are free, open-source, and installed from Kali's official apt repository.

After a scan, vmsec generates two report files:

Text report (reports/vmsec_report_YYYY-MM-DD_HH-MM-SS.txt):

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  FINDINGS  (CRITICAL → HIGH → MEDIUM → LOW)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ── CRITICAL ────────────────────────

  [001] [CRITICAL] Module: clamav
        Description : ClamAV detected: Trojan.Agent-12345
        Location    : /tmp/payload.elf
        Fixable     : yes
        Fix command : shred -u -z '/tmp/payload.elf'

  ── HIGH ────────────────────────────

  [002] [HIGH] Module: network
        Description : Dangerous port 4444 is OPEN — known Metasploit listener
        Location    : port:4444
        Fixable     : yes
        Fix command : fuser -k 4444/tcp

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  SUGGESTIONS  (MUST → SHOULD → OPTIONAL)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  [001] [MUST] Module: network
        Suggestion : Enable UFW firewall
        Command    : ufw default deny incoming && ufw --force enable

HTML report — a dark-theme interactive page with color-coded severity badges, viewable in any browser.

sudo vmsec scan
       │
       ▼
  Report generated
  (txt + HTML)
       │
       ▼
┌──────────────────────────┐
│  FINDINGS REMEDIATION    │
│  [1] Auto (CRITICAL first│
│  [2] Manual (one by one) │
│  [3] Skip                │
└──────────────────────────┘
       │
       ▼
┌──────────────────────────┐
│  SUGGESTIONS             │
│  [1] Auto (MUST-DO only) │
│  [2] Manual (one by one) │
│  [3] Skip                │
└──────────────────────────┘

Auto-remediation safety rules:

• Files are only auto-deleted from: /tmp, /var/tmp, ~/Downloads, ~/Desktop, ~/.cache
• System files, binaries, and config files are never auto-deleted
• All actions are logged to a timestamped log file
• Kali's built-in pentesting tools are never flagged as auto-removable

git clone https://github.com/arif-offsec/vmsec.git
cd vmsec
sudo bash install.sh

curl -fsSL https://raw.githubusercontent.com/arif-offsec/vmsec/main/install.sh | sudo bash

• Copies files to /opt/vmsec/
• Creates /usr/local/bin/vmsec symlink (so you can run vmsec from anywhere)
• Installs the man page (man vmsec)
• Copies config to /etc/vmsec/vmsec.conf
• Creates /var/log/vmsec.log
• Optionally runs vmsec install to install all security tools

sudo bash uninstall.sh

Edit /etc/vmsec/vmsec.conf (system-wide) or conf/vmsec.conf (local):

# Update definitions before each scan (yes/no)
VMSEC_AUTO_UPDATE_DEFS="yes"

# Report format: txt | html | both
VMSEC_REPORT_FORMAT="both"

# Days to consider a system binary "recently modified"
VMSEC_RECENT_DAYS="7"

• OS: Kali Linux (2022+), Parrot OS, or any Debian/Ubuntu-based distro
• Privileges: root (sudo) for scanning and remediation
• Internet: Required for first-time tool installation and definition updates
• VM Software: VMware Workstation Pro, VirtualBox, QEMU/KVM, or any hypervisor

Running vmsec inside your VM is only half the protection. Make sure your VMware settings are locked down first:

Also add these lines to your .vmx file:

isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"

Contributions are welcome! See CONTRIBUTING.md for guidelines.

To add a new scanner module:

1. Create scanners/scan_yourmodule.sh
2. Use record_finding and record_suggestion functions from lib/utils.sh
3. Register it in the ALL_MODULES array in vmsec main script
4. Submit a pull request

vmsec/
├── vmsec                    ← Main executable (entry point)
├── install.sh               ← One-command installer
├── uninstall.sh             ← Uninstaller
├── README.md
├── LICENSE                  ← GPL v3
├── CHANGELOG.md
├── lib/
│   ├── utils.sh             ← Colors, logging, record_finding(), record_suggestion()
│   ├── config.sh            ← Configuration loader
│   ├── installer.sh         ← apt tool installation + post-install setup
│   ├── reporter.sh          ← Text + HTML report generation
│   ├── remediator.sh        ← Auto and manual remediation engine
│   └── suggester.sh         ← Auto and manual suggestion engine
├── scanners/
│   ├── scan_clamav.sh       ← ClamAV virus/malware scan
│   ├── scan_rkhunter.sh     ← rkhunter rootkit scan
│   ├── scan_chkrootkit.sh   ← chkrootkit rootkit scan
│   ├── scan_lynis.sh        ← Lynis system audit
│   ├── scan_processes.sh    ← Suspicious processes + keyloggers
│   ├── scan_network.sh      ← Network + C2 + firewall
│   ├── scan_crontabs.sh     ← Malicious cron jobs
│   ├── scan_filesystem.sh   ← SUID/AIDE/filesystem integrity
│   ├── scan_users.sh        ← User accounts + SSH + sudo
│   └── scan_services.sh     ← Dangerous/unnecessary services
├── conf/
│   └── vmsec.conf           ← Default configuration
├── man/
│   └── vmsec.1              ← Man page source
└── reports/                 ← Generated reports saved here

GPL v3 — Free and open-source forever. See LICENSE for the full text.

vmsec is provided as-is for educational and defensive security purposes. It does not guarantee detection of all threats. Security scanning results may include false positives, especially on Kali Linux which ships many offensive security tools. Always review findings before applying remediation. The authors are not responsible for any system damage caused by misuse of the auto-remediation feature.