Introduction
Overview of LinuxGuard's Linux security monitoring agent — what it does, who it is for, and how to navigate the documentation set.
LinuxGuard is a Linux-native security monitoring and response platform. It runs an agent on every monitored server, ships telemetry to a multi-tenant console, and provides identity-centric posture, drift detection, vulnerability management, compliance evidence, and active containment response.
This documentation set is organized around the operator lifecycle — from first install through day-2 operations, fleet rollout, response, and audit evidence. Reference and Concepts sit alongside the lifecycle groups for lookup and background reading.
Who this is for
LinuxGuard is built for the operators who run Linux fleets day-to-day and the auditors and procurement reviewers who evaluate them:
Security and platform engineers running the agent on bare-metal, virtual machine, and container hosts.
SRE and infrastructure teams managing fleet rollout, configuration, and lifecycle across distributions.
SecOps and incident responders routing signals to ticketing, chat, and SIEM tools, then driving active containment.
Compliance officers and internal auditors assembling per-framework evidence and reviewing the vocabulary contract.
Agent capabilities
The LinuxGuard agent is a single Go binary that runs as the unprivileged linuxguard user once installed, collects host telemetry, and ships it to the control plane.
eBPF kernel monitoring. Process execution, network connections, file access, and authentication events captured via eBPF probes, with graceful fallback to auditd and /proc sources where eBPF is unavailable.
Non-root runtime. The agent runs as the unprivileged linuxguard user. Root is required only during install to drop capabilities and register the service. Note that loading eBPF programs still requires CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN on kernels before 5.8), so the runtime user is non-root rather than capability-free. See Security Architecture.
LoginUID identity capture. The original login identity is preserved across sudo and su, so privileged actions remain attributable across privilege escalation.
Authentication event collection. Syslog, journald, and utmp/wtmp/btmp events fused with eBPF-derived login and SSH session events.
Configuration inventory with drift tracking. Field-level snapshots of SSHD configuration, accounts, groups, sudo policies, and SSH keys, with a per-object drift state machine.
Container and OCI runtime awareness. Cgroup-based container identification with containerd CRI enrichment, Docker socket queries, and Kubelet pod-resources integration for workload attribution.
WebSocket real-time transport. Bidirectional agent-to-console transport over mTLS with TOTP-based enrollment; HTTP polling remains as a fallback during gradual rollout.
Runtime log-level control and log lifecycle. Verbosity switches between trace, debug, info, warn, and error without a restart, with built-in log rotation, retention, and SIGHUP reload.
Support-bundle collection. Redacted, size-capped bundles with a redaction manifest and presigned upload, produced by the support-bundle command.
Console and operations
The console is a multi-tenant administrative surface organized around operator workflows.
Dashboard. Identity risk score, fleet posture snapshot, critical findings feed, and 7-day / 30-day / 90-day time-range tabs.
Identity Intelligence. Cross-server identity profiles, risk scoring with detractors and mitigators, non-human identity inventory with a three-tier classification (System Default / Application Service / Custom Service), and SSH key strength and age analysis.
Access patterns and graph. Behavioural baseline learning across observation, shadow, and active modes, with activity heatmaps, per-rule server edges, and click-to-highlight path traversal.
Zero Trust Enforcement. MITRE-mapped signals, the drift state machine (New → Active → Investigating → Acknowledged → Resolved / Suppressed), sudo policy analysis, and file-monitoring alerts.
Baselines. Known-good snapshots of accounts, groups, SSHD and SSH client configuration, and sudo policies, with per-object baseline creation and drift detection.
Efficiency. CPU and memory rightsizing classification, fleet waste assessment, storage growth forecasting, and network I/O analysis.
Audit. Authorizations audit (account, group, sudo, SSH key baselines) and SUDO execution audit with fleet-wide command history and multi-dimensional filtering.
Posture. Cross-cutting Compliance, Configuration, and Health scoring with per-server ranking and 127-factor security posture recalculation.
Zero Trust Expansion. Playbooks, active-response history, sudo policies and executions, SELinux visibility, and a policy-violation ledger.
Integrations and Notifications. Jira, Microsoft Teams, Slack, Syslog, and generic webhooks; notification rules with severity filters, throttle windows, quiet hours, and suppression management.
Detection, response, and compliance
MITRE-mapped signals. 100+ signal types covering execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and exfiltration.
Behavioural anomaly detection. Statistical baseline learning for login patterns (time, location, frequency) with GeoIP enrichment, plus sliding-window brute-force detection for repeated failed logins.
Vulnerability lifecycle. NVD, OSV, and OVAL feed ingestion with distribution-aware version matching, plus on-demand live verification probes that return an is_vulnerable boolean and drive lifecycle transitions through the relevant, verified, not-relevant, remediated, and ignored states.
Active response with triple opt-in. Containment requires the playbook to be enabled, a trigger to be configured, and a server-group scope to be set, with four containment actions: lock account, kill sessions, disable SSH key, and revoke sudo. Blast-radius controls cap commands per server per hour, servers per execution, and concurrent commands per tenant, with automatic rollback on a configurable timeout and a chain-hashed immutable playbook audit trail.
13 per-framework compliance mappings. PCI-DSS v4.0.1, HIPAA, SOC 2, GDPR, NIS2, DORA, EU AI Act, FedRAMP / StateRAMP, HITRUST / FFIEC, NIST CSF 2.0, ISO/IEC 27001:2022, CIS Controls v8.1, and CIS Benchmarks.
Three-tier vocabulary contract. Every per-framework mapping uses Satisfies, Supports, or Out of scope, with per-control evidence pointers and a canonical shared-responsibility statement.
Compliance reports and posture scoring. PDF export with evidence appendix, scoped to an audit period, plus per-object-type composite scores recalculated daily with snapshot history.
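The sliding-window brute-force detection mentioned under Behavioural anomaly detection, run over constructed auth-log lines as an added example (not LinuxGuard's signal implementation): failed sshd logins are counted per source address inside a sliding window, one signal is raised when a source first crosses the threshold, and a higher-severity signal is raised when a login from that source then succeeds while the window is still full. The regex, the 60-second window, the threshold of five, and the alert field names are assumptions made here; classic syslog timestamps carry no year, so the caller supplies one.

```python
"""Sliding-window SSH brute-force detection over auth-log lines (added example).

SAMPLE_LOG is constructed; the regex, window, threshold and alert shapes are
assumptions for this illustration, not LinuxGuard's signal definitions.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd outcome lines written to /var/log/auth.log or journald.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+ ssh2"
)


def parse_sshd_line(line: str, year: int) -> dict | None:
    m = SSHD_RE.match(line)
    if not m:
        return None                      # not an sshd auth-outcome line
    ev = m.groupdict()
    # syslog timestamps have no year; the caller's year is an assumption
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


class BruteForceDetector:
    """Per-source deque of failure timestamps, trimmed to the window on every
    event. Alerts once per burst, and again if a login from that source then
    succeeds while the window still holds a full burst."""

    def __init__(self, window_seconds: int = 60, threshold: int = 5):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.failures: dict[str, deque] = defaultdict(deque)
        self.alerted: set[str] = set()   # sources currently above threshold

    def _evict(self, src: str, now: datetime) -> None:
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            self.alerted.discard(src)    # window drained: a new burst may re-alert

    def feed(self, ev: dict) -> list[dict]:
        src, now = ev["src"], ev["ts"]
        self._evict(src, now)
        q = self.failures[src]
        alerts = []
        if ev["outcome"] == "Failed":
            q.append(now)
            if len(q) >= self.threshold and src not in self.alerted:
                self.alerted.add(src)
                alerts.append({"type": "ssh_brute_force", "severity": "medium",
                               "src": src, "host": ev["host"], "failures": len(q),
                               "window_start": q[0], "at": now})
        elif len(q) >= self.threshold:
            alerts.append({"type": "ssh_success_after_brute_force", "severity": "high",
                           "src": src, "host": ev["host"], "user": ev["user"],
                           "method": ev["method"], "at": now})
        return alerts


# Constructed sample: one source guesses five passwords in eleven seconds and
# then gets in; a second source fails twice, five minutes apart.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 12:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 12:00:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar 10 12:00:08 web1 sshd[2107]: Failed password for deploy from 203.0.113.7 port 51142 ssh2
Mar 10 12:00:09 web1 sshd[2109]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Mar 10 12:00:10 web1 systemd[1]: Started Session 42 of user deploy.
Mar 10 12:00:12 web1 sshd[2111]: Failed password for deploy from 203.0.113.7 port 51150 ssh2
Mar 10 12:00:20 web1 sshd[2113]: Accepted password for deploy from 203.0.113.7 port 51160 ssh2
Mar 10 12:05:30 web1 sshd[2200]: Failed password for root from 198.51.100.4 port 40030 ssh2
"""


def scan(log_text: str, year: int = 2024, **detector_kw) -> list[dict]:
    det = BruteForceDetector(**detector_kw)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line, year)
        if ev:
            alerts.extend(det.feed(ev))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["at"].isoformat(), a["type"], a["src"], a.get("user", ""))
```

The second source never alerts because its first failure has aged out of the window before the second arrives; that eviction is what keeps a slow, distributed guesser from being counted as a burst, and is also why a real detector pairs this with per-user and fleet-wide counters.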
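The triple opt-in, the blast-radius caps, and the chain-hashed audit trail described under Active response, as an added example that is not LinuxGuard's own code: a gate checks playbook enabled, trigger configured, and server-group scope before the per-server-per-hour, servers-per-execution, and concurrent-commands caps, records every decision (allowed or denied) in an append-only log where each entry commits to the previous entry's hash, and verification fails once any earlier record is edited. The Playbook and Limits shapes, the cap values, the check order, and the JSON record layout are assumptions made here; the rollback-on-timeout timer is not modelled.

```python
"""Triple opt-in containment gate, blast-radius caps and a chain-hashed audit
trail (added example). Shapes, cap values and record layout are assumptions
for this illustration, not LinuxGuard's own code.
"""
from __future__ import annotations
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

CONTAINMENT_ACTIONS = {"lock_account", "kill_sessions", "disable_ssh_key", "revoke_sudo"}


@dataclass(frozen=True)
class Playbook:
    name: str
    action: str
    enabled: bool = False                   # opt-in 1
    trigger: str | None = None              # opt-in 2: signal type that fires it
    server_groups: frozenset = frozenset()  # opt-in 3: scope


@dataclass(frozen=True)
class Limits:                               # assumed blast-radius caps
    commands_per_server_per_hour: int = 3
    servers_per_execution: int = 5
    concurrent_commands_per_tenant: int = 10


class AuditChain:
    """Append-only log: entry N's hash covers entry N-1's hash, so editing or
    dropping any earlier record makes verify() fail from that point on."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical
        return hashlib.sha256(f"{prev}\n{body}".encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ContainmentGate:
    def __init__(self, limits: Limits, audit: AuditChain):
        self.limits, self.audit = limits, audit
        self.per_server_hour: dict[tuple, int] = defaultdict(int)
        self.in_flight = 0

    def request(self, playbook: Playbook, signal: dict, servers: list[dict], now: datetime):
        """Return (allowed, reason); every decision is written to the chain."""
        hour = now.replace(minute=0, second=0, microsecond=0)
        lim = self.limits
        over_cap = [s["name"] for s in servers
                    if self.per_server_hour[(s["name"], hour)] >= lim.commands_per_server_per_hour]
        checks = [  # opt-ins first, then blast-radius caps; first failure wins
            (playbook.action in CONTAINMENT_ACTIONS, "unknown containment action"),
            (playbook.enabled, "playbook not enabled"),
            (playbook.trigger == signal["type"], "trigger not configured for this signal"),
            (bool(playbook.server_groups), "no server-group scope"),
            (all(s["group"] in playbook.server_groups for s in servers), "server outside scope"),
            (len(servers) <= lim.servers_per_execution, "servers-per-execution cap"),
            (self.in_flight + len(servers) <= lim.concurrent_commands_per_tenant, "concurrency cap"),
            (not over_cap, f"per-server hourly cap hit on {over_cap}"),
        ]
        reason = next((why for ok, why in checks if not ok), None)
        if reason is None:
            for s in servers:
                self.per_server_hour[(s["name"], hour)] += 1
            self.in_flight += len(servers)
        self.audit.append({"at": now.isoformat(), "playbook": playbook.name, "action": playbook.action,
                           "signal": signal["type"], "servers": [s["name"] for s in servers],
                           "allowed": reason is None, "reason": reason})
        return reason is None, reason

    def complete(self, n_servers: int) -> None:
        self.in_flight -= n_servers          # called when the commands finish or roll back


def demo() -> dict:
    chain, now = AuditChain(), datetime(2024, 3, 10, 12, 0, 0)
    gate = ContainmentGate(Limits(), chain)
    lock = Playbook("lock-bruteforced-account", "lock_account", enabled=True,
                    trigger="ssh_brute_force", server_groups=frozenset({"web"}))
    draft = Playbook("revoke-sudo-draft", "revoke_sudo", trigger="sudo_policy_drift",
                     server_groups=frozenset({"web"}))   # never enabled
    web1, sig = [{"name": "web1", "group": "web"}], {"type": "ssh_brute_force"}
    decisions = [gate.request(lock, sig, web1, now),
                 gate.request(draft, {"type": "sudo_policy_drift"}, web1, now),
                 gate.request(lock, sig, [{"name": "db1", "group": "db"}], now)]
    decisions += [gate.request(lock, sig, web1, now) for _ in range(3)]  # 2 allowed, then cap
    intact = chain.verify()
    chain.entries[0]["record"]["allowed"] = False   # tamper with the earliest decision
    return {"decisions": decisions, "intact_before": intact, "intact_after": chain.verify()}
```

Denied requests are logged too; a trail that only records executions cannot show an auditor that a playbook was stopped by scope or by a cap.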
Supported distributions
LinuxGuard supports the following Linux distribution families:
Debian-based systems (Debian, Ubuntu)
RedHat-based systems (RHEL, CentOS, Fedora)
SUSE-based systems (openSUSE, SLES)
Alpine Linux
Native binaries are available for amd64 and arm64; ARMv7 builds are marked degraded and riscv64 builds are best-effort.
For detailed information about supported distributions, see the Supported Distributions page.
Find what you need
Choose the section that matches what you are trying to accomplish:
Get Started — Five-minute quick start, prerequisites, and the choose-your-deployment decision guide.
Install — Per-distribution and container install guides with the unified installer and repository setup.
Configure — Enroll the agent to your tenant, set environment and tags, manage log levels.
Operate — Day-2 SRE operations: service management, log inspection, signal handling, support bundles, uninstall.
Deploy at Scale — Fleet automation across Ansible, Chef, Puppet, AWS, GCP, and Azure with idempotent enrollment.
Respond — Notification rules and SecOps integration: webhook delivery, syslog forwarding, Splunk HEC.
Audit & Comply — 13 per-framework compliance mappings with the Satisfies / Supports / Out-of-scope vocabulary contract.
Reference — Cross-cutting lookups: agent commands, CLI per-command pages, supported distributions, glossary.
Concepts — Background: security architecture, active response, alerting, and the console pillars.
For support, contact [email protected].
Related: Changelog | What Changed in the Console | Concepts