> For the complete documentation index, see [llms.txt](https://docs.linuxguard.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.linuxguard.io/readme.md).

# Introduction

LinuxGuard is a Linux-native security monitoring and response platform. It runs an agent on every monitored server, ships telemetry to a multi-tenant console, and provides identity-centric posture, drift detection, vulnerability management, compliance evidence, and active containment response.

This documentation set is organized around the operator lifecycle — from first install through day-2 operations, fleet rollout, response, and audit evidence. Reference and Concepts sit alongside the lifecycle groups for lookup and background reading.

## Who this is for

LinuxGuard is built for the operators who run Linux fleets day-to-day and the auditors and procurement reviewers who evaluate them:

* **Security and platform engineers** running the agent on bare-metal, virtual machine, and container hosts.
* **SRE and infrastructure teams** managing fleet rollout, configuration, and lifecycle across distributions.
* **SecOps and incident responders** routing signals to ticketing, chat, and SIEM tools, then driving active containment.
* **Compliance officers and internal auditors** assembling per-framework evidence and reviewing the vocabulary contract.

## Agent capabilities

The LinuxGuard agent is a single Go binary that runs as the unprivileged `linuxguard` user once installed, collects host telemetry, and ships it to the control plane.

* **eBPF kernel monitoring.** Process execution, network connections, file access, and authentication events captured via eBPF probes, with graceful fallback to auditd and `/proc` sources where eBPF is unavailable.
* **Non-root runtime.** The agent runs as the unprivileged `linuxguard` user. Root is required only during install to drop capabilities and register the service. See [Security Architecture](/concepts/concepts/security-architecture.md).
* **LoginUID identity capture.** Original login identity is preserved across `sudo` and `su` so privileged actions remain attributable across privilege escalation.
* **Authentication event collection.** Syslog, journald, and `utmp`/`wtmp`/`btmp` events fused with eBPF-derived login and SSH session events.
* **Configuration inventory with drift tracking.** Field-level snapshots of SSHD configuration, accounts, groups, sudo policies, and SSH keys with a per-object drift state machine.
* **Container and OCI runtime awareness.** Cgroup-based container identification with containerd CRI enrichment, Docker socket queries, and Kubelet pod-resources integration for workload attribution.
* **WebSocket real-time transport.** Bidirectional agent-to-console transport over mTLS with TOTP-based enrollment; HTTP polling remains as a fallback during gradual rollout.
* **Runtime log-level control and log lifecycle.** Verbosity switches between `trace`, `debug`, `info`, `warn`, and `error` without a restart, with built-in log rotation, retention, and `SIGHUP` reload.
* **Support-bundle collection.** Redacted, size-capped bundles with a redaction manifest and presigned upload, produced by the `support-bundle` command.

## Console and operations

The console is a multi-tenant administrative surface organized around operator workflows.

* **Dashboard.** Identity risk score, fleet posture snapshot, critical findings feed, and 7-day / 30-day / 90-day time-range tabs.
* **Identity Intelligence.** Cross-server identity profiles, risk scoring with detractors and mitigators, non-human identity inventory with a three-tier classification (System Default / Application Service / Custom Service), and SSH key strength and age analysis.
* **Access patterns and graph.** Behavioural baseline learning across observation, shadow, and active modes, with activity heatmaps, per-rule server edges, and click-to-highlight path traversal.
* **Zero Trust Enforcement.** MITRE-mapped signals, the drift state machine (New → Active → Investigating → Acknowledged → Resolved / Suppressed), sudo policy analysis, and file-monitoring alerts.
* **Baselines.** Known-good snapshots of accounts, groups, SSHD and SSH client configuration, and sudo policies, with per-object baseline creation and drift detection.
* **Efficiency.** CPU and memory rightsizing classification, fleet waste assessment, storage growth forecasting, and network I/O analysis.
* **Audit.** Authorizations audit (account, group, sudo, SSH key baselines) and SUDO execution audit with fleet-wide command history and multi-dimensional filtering.
* **Posture.** Cross-cutting Compliance, Configuration, and Health scoring with per-server ranking and 127-factor security posture recalculation.
* **Zero Trust Expansion.** Playbooks, active-response history, sudo policies and executions, SELinux visibility, and a policy-violation ledger.
* **Integrations and Notifications.** Jira, Microsoft Teams, Slack, Syslog, and generic webhooks; notification rules with severity filters, throttle windows, quiet hours, and suppression management.

## Detection, response, and compliance

* **MITRE-mapped signals.** 100+ signal types covering execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and exfiltration.
* **Behavioural anomaly detection.** Statistical baseline learning for login patterns (time, location, frequency) with GeoIP enrichment, plus sliding-window brute-force detection for repeated failed logins.
* **Vulnerability lifecycle.** NVD, OSV, and OVAL feed ingestion with distribution-aware version matching, plus on-demand live verification probes that return an `is_vulnerable` boolean and drive lifecycle transitions through relevant, verified, not-relevant, remediated, and ignored states.
* **Active response with triple opt-in.** Containment requires playbook enabled, trigger configured, and server-group scope, with four containment actions: lock account, kill sessions, disable SSH key, and revoke sudo. Blast-radius controls cap commands per server per hour, servers per execution, and concurrent commands per tenant, with automatic rollback on a configurable timeout and a chain-hashed immutable playbook audit trail.
* **13 per-framework compliance mappings.** PCI-DSS v4.0.1, HIPAA, SOC 2, GDPR, NIS2, DORA, EU AI Act, FedRAMP / StateRAMP, HITRUST / FFIEC, NIST CSF 2.0, ISO/IEC 27001:2022, CIS Controls v8.1, and CIS Benchmarks.
* **Three-tier vocabulary contract.** Every per-framework mapping uses `Satisfies`, `Supports`, or `Out of scope` with per-control evidence pointers and a canonical shared-responsibility statement.
* **Compliance reports and posture scoring.** PDF export with evidence appendix, scoped to an audit period, plus per-object-type composite scores recalculated daily with snapshot history.

## Supported distributions

LinuxGuard supports the following Linux distribution families:

* **Debian-based systems** (Debian, Ubuntu)
* **RedHat-based systems** (RHEL, CentOS, Fedora)
* **SUSE-based systems** (openSUSE, SLES)
* **Alpine Linux**

Available as native binaries for amd64 and arm64, with ARMv7 Degraded and riscv64 best-effort builds.

For detailed information about supported distributions, see the [Supported Distributions](/reference/reference/supported-distributions.md) page.

## Find what you need

Choose the section that matches what you are trying to accomplish:

* [**Get Started**](/get-started/get-started.md) — Five-minute quick start, prerequisites, and the choose-your-deployment decision guide.
* [**Install**](/install/install.md) — Per-distribution and container install guides with the unified installer and repository setup.
* [**Configure**](/configure/configure.md) — Enroll the agent to your tenant, set environment and tags, manage log levels.
* [**Operate**](/operate/operate.md) — Day-2 SRE operations: service management, log inspection, signal handling, support bundles, uninstall.
* [**Deploy at Scale**](/deploy-at-scale/deploy-at-scale.md) — Fleet automation across Ansible, Chef, Puppet, AWS, GCP, and Azure with idempotent enrollment.
* [**Respond**](/respond/respond.md) — Notification rules and SecOps integration: webhook delivery, syslog forwarding, Splunk HEC.
* [**Audit & Comply**](/audit-and-comply/audit-comply.md) — 13 per-framework compliance mappings with the Satisfies / Supports / Out-of-scope vocabulary contract.
* [**Reference**](/reference/reference.md) — Cross-cutting lookups: agent commands, CLI per-command pages, supported distributions, glossary.
* [**Concepts**](/concepts/concepts.md) — Background: security architecture, active response, alerting, and the console pillars.

***

For support, contact <support@linuxguard.io>.

**Related**: [Changelog](/changelog.md) | [What Changed in the Console](/concepts/concepts/console/whats-changed.md) | [Concepts](/concepts/concepts.md)
