> For the complete documentation index, see [llms.txt](https://docs.linuxguard.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.linuxguard.io/audit-and-comply/audit-comply/cis-controls.md).

# CIS Controls v8.1

> **Note**: This page maps LinuxGuard against **CIS Controls v8.1** (published 2024-06-01). Last verified against the framework on 2026-05-31. Canonical framework document: [CIS Critical Security Controls v8.1 — Center for Internet Security](https://www.cisecurity.org/controls/cis-controls-list). For the vocabulary contract used here, see [Audit & Comply](/audit-and-comply/audit-comply.md).

> **Important — Not the same as CIS Benchmarks**: CIS Controls v8.1 are 18 strategic security control families addressing the *what* of organizational security (e.g., "Establish and Maintain an Inventory of Enterprise Assets"). CIS Benchmarks are OS-specific *configuration hardening guides* (e.g., "set `net.ipv4.tcp_syncookies=1` in `/etc/sysctl.conf`" or "ensure `PermitRootLogin no` in `/etc/ssh/sshd_config`"). They are complementary, not interchangeable: Controls describe organizational program scope; Benchmarks describe per-host configuration settings. Citing the wrong one in an audit conversation or procurement RFP is a common error. See [CIS Benchmarks](/audit-and-comply/audit-comply/cis-benchmarks.md) for the Linux hardening configurations LinuxGuard's baseline detection complements.
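The distinction is concrete at the host: a Benchmark recommendation is something a script can verify, a Control is not. The following added example (not LinuxGuard code, and not part of any CIS publication) checks the two settings quoted above. It implements the documented `sshd_config` rule that the first value obtained for a keyword wins and that directives after a `Match` block are conditional, which is why appending `PermitRootLogin no` below an earlier `PermitRootLogin yes` hardens nothing. The sample config and the fake `/proc/sys` tree it reads are constructed for the demo.

```python
"""Benchmark-style host checks for the two settings named above.

Added example, not LinuxGuard code. The sshd parser follows sshd_config(5):
the first value obtained for a keyword is used, and directives after a
Match block apply only to matching connections (run `sshd -T` on the host
for the fully resolved configuration). The sysctl reader takes a root
directory so the demo can use a constructed /proc/sys tree.
"""
import re
import tempfile
from pathlib import Path

SYSCTL_ROOT = Path("/proc/sys")  # the real tree on a Linux host

# Constructed sample, not any real host's file.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# appended later by a hardening script: ignored, the first value above wins
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""


def sshd_effective(config_text, keyword):
    """Return the value sshd uses for keyword, or None if unset (sshd default applies)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional; the global section ends here
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def sysctl_value(name, root=SYSCTL_ROOT):
    """Read a kernel parameter the way sysctl(8) does: net.ipv4.x -> <root>/net/ipv4/x."""
    path = Path(root).joinpath(*name.split("."))
    try:
        return path.read_text().strip()
    except OSError:
        return None


def check_host(sshd_config_text, expected_sshd, expected_sysctl, root=SYSCTL_ROOT):
    """Map each check to (passed, observed value); a missing value never passes."""
    results = {}
    for key, want in expected_sshd.items():
        got = sshd_effective(sshd_config_text, key)
        results["sshd:" + key] = (got is not None and got.lower() == want.lower(), got)
    for name, want in expected_sysctl.items():
        got = sysctl_value(name, root)
        results["sysctl:" + name] = (got == want, got)
    return results


def demo():
    """Run both checks against the sample config and a constructed /proc/sys tree."""
    root = Path(tempfile.mkdtemp())
    param = root / "net" / "ipv4" / "tcp_syncookies"
    param.parent.mkdir(parents=True)
    param.write_text("1\n")
    return check_host(SAMPLE_SSHD_CONFIG,
                      {"PermitRootLogin": "no"},
                      {"net.ipv4.tcp_syncookies": "1"},
                      root=root)


if __name__ == "__main__":
    for check, (passed, got) in demo().items():
        print("PASS" if passed else "FAIL", check, "effective value:", got)
```

The `PermitRootLogin` check fails on the sample even though the file contains `PermitRootLogin no`, which is the point: a Benchmark check must evaluate the setting the daemon actually applies, not grep for the string.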

## Scope

This page maps LinuxGuard's agent and console capabilities against CIS Controls v8.1. The mapping covers the controls that LinuxGuard's telemetry, baselines, drift detection, and audit features address: enterprise asset inventory (CIS Control 1), secure configuration (CIS Control 4), account management (CIS Control 5), access control management (CIS Control 6), continuous vulnerability management (CIS Control 7), audit log management (CIS Control 8), network monitoring and defense (CIS Control 13), service provider management (CIS Control 15), and incident response (CIS Control 17). Software asset inventory (CIS Control 2), data protection (CIS Control 3), email and browser protections (CIS Control 9), malware defenses (CIS Control 10), data recovery (CIS Control 11), network infrastructure management (CIS Control 12), security awareness training (CIS Control 14), application software security (CIS Control 16), and penetration testing (CIS Control 18) are out of scope for this product; they are listed in the mapping table as `Out of scope` rather than omitted.

Customers remain responsible for selecting the appropriate Implementation Group (IG1, IG2, or IG3) for their organization, conducting the broader security program that the technical controls support, and documenting the organizational policies and procedures that complement the agent's telemetry surface.

## Shared responsibility

> LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.

The shared-responsibility framing for CIS Controls v8.1:

* **LinuxGuard responsibility.** Produce continuous audit log generation, file integrity monitoring telemetry, configuration baselines and drift detection, account and group inventories, authorization audit, and behavioral signals on Linux systems within the customer's enterprise asset scope. Maintain the framework version pin and per-control evidence pointers.
* **Customer responsibility.** Determine the applicable Implementation Group (IG1, IG2, or IG3) and assign sub-controls accordingly, operate the customer-side controls layered above LinuxGuard's telemetry (IAM platform, network monitoring, vulnerability scanning, malware defenses, backup management, training program), engage in the broader security program (data protection, email and browser protections, application security, penetration testing), and document the policies and procedures that complement the technical control surface.
* **Out-of-scope domains for this framework.** Software asset inventory (CIS Control 2), data protection (CIS Control 3), email and browser protections (CIS Control 9), malware defenses (CIS Control 10), data recovery (CIS Control 11), network infrastructure management (CIS Control 12), security awareness training (CIS Control 14), application software security (CIS Control 16), and penetration testing (CIS Control 18). Network monitoring and defense (CIS Control 13) and service provider management (CIS Control 15) are `Supports` rows, not out of scope; see the mapping table.

## Control mapping

The Tier column uses one of three labels and only those three: `Satisfies`, `Supports`, `Out of scope`. The Evidence column points to a row of the canonical [Evidence Location](/concepts/concepts/console/compliance-expansion.md#evidence-location) table or to a specific console page. See [Audit & Comply](/audit-and-comply/audit-comply.md) for the three-tier vocabulary contract.

| Control ID | Description                                                                                                                                                                                                                                                       | Tier           | Evidence                                                                                                                                                                      | Notes                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `CIS 1`    | Inventory and Control of Enterprise Assets — Actively manage all enterprise assets connected to the infrastructure                                                                                                                                                | `Supports`     | Console Infrastructure → server inventory; Agent enrollment record                                                                                                            | LinuxGuard surfaces the per-server inventory of enrolled Linux hosts including hostname, architecture, distribution, agent version, and last-seen timestamp. Customer responsible for the broader enterprise asset inventory beyond LinuxGuard-monitored hosts (network devices, IoT, mobile, virtual).                                                                                                                       |
| `CIS 2`    | Inventory and Control of Software Assets — Actively manage all software on the network                                                                                                                                                                            | `Out of scope` | n/a                                                                                                                                                                           | Software inventory and execution control are not addressed by LinuxGuard. Application allow-listing, software lifecycle tracking, and unauthorized-software detection are separate-product concerns.                                                                                                                                                                                                                          |
| `CIS 3`    | Data Protection — Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data                                                                                                                                    | `Out of scope` | n/a                                                                                                                                                                           | Data classification, handling, retention, and disposal are not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                       |
| `CIS 4`    | Secure Configuration of Enterprise Assets and Software — Establish and maintain the secure configuration of enterprise assets and software | `Satisfies` | Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules, accounts, groups; Console Zero Trust Enforcement → Config Drift; Agent log (raw events) | Baselines capture the expected configuration state of the SSH client, the SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection reports deviations on each scan cycle. See [Baselines](/concepts/concepts/console/baselines.md). Coverage is the Linux OS layer only: Safeguards for network infrastructure (4.2), host firewalls (4.4), trusted DNS servers (4.9), and portable or mobile end-user devices (4.10 to 4.12), and application-software configuration, are not evidenced by LinuxGuard and remain customer responsibility. |
| `CIS 5`    | Account Management — Use processes and tools to assign and manage authorization to credentials for user accounts | `Supports` | Console Baselines → accounts, groups; Console Audit pillar → Authorizations audit; Agent log (raw events) with `loginUID` attribute | Account and group baselines surface unexpected account creation, deletion, and modification. Authorization audit and `loginUID` capture that survives sudo/su escalation contribute to credential management evidence. Customer responsible for the identity platform, account provisioning workflow, joiner-mover-leaver process, and credential issuance. |
| `CIS 6`    | Access Control Management — Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software                                                      | `Supports`     | Console Baselines → SUDO rules, SUDO aliases, SUDO defaults; Console Audit pillar → Authorizations audit; Console Identity Intelligence                                       | SUDO rule baselines, SUDO defaults and aliases baselines, and authorization audit surface OS-layer access control evidence. Identity Intelligence surfaces per-identity posture. Customer responsible for the access control policy, role-based access model definition, application-layer authorization, and access review workflow.                                                                                         |
| `CIS 7`    | Continuous Vulnerability Management — Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure | `Supports` | `linuxguard-agent probe` command; Console Compliance Expansion → History | The probe command verifies the agent's own deployment prerequisites (kernel, BPF, fanotify, netlink, audit, and capabilities); it does not scan the host for vulnerabilities. Compliance history shows posture over time. Customer responsible for the vulnerability scanning program (network, host, and container scanners), prioritization workflow, and remediation tracking. |
| `CIS 8`    | Audit Log Management — Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack | `Satisfies` | Agent log (raw events) at `/var/log/linuxguard/agent.log`; Support bundle; Console Compliance Expansion → History | The LinuxGuard agent generates structured audit logs continuously on every enrolled host with timestamps, event categories, identity attribution, and `loginUID` propagation across privilege escalation. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. Safeguard 8.10 requires audit logs to be retained for a minimum of 90 days, so before citing this row raise the defaults (retention days and backup count together, since either limit can cut history short) or forward the agent log to central collection per Safeguard 8.9. See [Log Management](/operate/operate/log-management.md). This is the load-bearing control for LinuxGuard's audit logging pillar. |
| `CIS 9`    | Email and Web Browser Protections — Improve protections and detections of threats from email and web vectors                                                                                                                                                      | `Out of scope` | n/a                                                                                                                                                                           | Email and browser security are not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                                                   |
| `CIS 10`   | Malware Defenses — Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets                                                                                                                    | `Out of scope` | n/a                                                                                                                                                                           | Anti-malware deployment and execution prevention are not addressed by LinuxGuard. LinuxGuard is a security monitoring agent, not an anti-malware product.                                                                                                                                                                                                                                                                     |
| `CIS 11`   | Data Recovery — Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state                                                                                                               | `Out of scope` | n/a                                                                                                                                                                           | Data recovery, backup management, and restoration testing are not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                    |
| `CIS 12`   | Network Infrastructure Management — Establish, implement, and actively manage network devices                                                                                                                                                                     | `Out of scope` | n/a                                                                                                                                                                           | Network device management is not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                                                     |
| `CIS 13`   | Network Monitoring and Defense — Operate processes and tooling to establish and maintain network monitoring and defense against security threats across the enterprise's network infrastructure and user base                                                     | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Signals                                                                                                              | Behavioral telemetry at the OS layer surfaces network-related signals visible at the kernel layer. Customer responsible for network-layer monitoring (NDR, IDS/IPS, flow logs, perimeter defense) beyond OS-layer observability.                                                                                                                                                                                              |
| `CIS 14`   | Security Awareness and Skills Training — Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise                              | `Out of scope` | n/a                                                                                                                                                                           | Security awareness training is an organizational responsibility not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                  |
| `CIS 15`   | Service Provider Management — Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately | `Supports`     | Console Compliance Expansion → Reports; framework version pins; SHA-256 manifest on collected support bundles                                                                 | LinuxGuard is one service provider in the customer's supplier chain. Framework version pins, per-control evidence pointers, and SHA-256 evidence chain integrity support the customer's supplier assessment workflow for LinuxGuard itself. Customer responsible for the broader service provider management program and assessments of other suppliers.                                                                      |
| `CIS 16`   | Application Software Security — Manage the security life cycle of in-house developed, hosted, or acquired software                                                                                                                                                | `Out of scope` | n/a                                                                                                                                                                           | Application software security (SDLC, secure coding, application testing) is not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                      |
| `CIS 17`   | Incident Response Management — Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack                                                                                                   | `Supports`     | Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Audit pillar → SUDO execution audit; Support bundle                                                 | LinuxGuard supplies telemetry-driven evidence supporting incident response — authentication events, drift events, signal records, SUDO execution audit, and support bundles. Customer responsible for the incident response plan, role assignments, communication workflow, and tabletop exercises.                                                                                                                           |
| `CIS 18`   | Penetration Testing — Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker                          | `Out of scope` | n/a                                                                                                                                                                           | Penetration testing is a third-party assessment activity not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                                                                         |

> **Important**: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.
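The retention default quoted in the CIS 8 row is the setting an assessor tests first. The following added example (not LinuxGuard code) computes how many days of `agent.log` history a size-plus-age-plus-count rotation policy actually keeps, reports which limit binds, and gives the backup count needed for Safeguard 8.10's 90-day minimum. The rotation parameters are the defaults stated on this page; the 10 MB/day growth figure and the log directory the on-disk check inspects are constructed for the demo.

```python
"""Does agent.log rotation retain enough history for CIS Safeguard 8.10?

Added example, not LinuxGuard code. Rotation parameters default to the
values quoted in the CIS 8 row; the daily growth figure is constructed.
"""
import math
import os
import tempfile
import time
from pathlib import Path

CIS_8_10_MIN_DAYS = 90  # Safeguard 8.10: retain audit logs for a minimum of 90 days


def plan(max_file_mb=50, backups=5, retention_days=14, growth_mb_per_day=10.0):
    """Effective retention is bounded by whichever limit is hit first: the age
    cap, or the backup count once daily volume has filled every segment."""
    by_age = float(retention_days)
    if growth_mb_per_day <= 0:
        by_count = float("inf")
    else:
        by_count = max_file_mb * (backups + 1) / growth_mb_per_day  # active + rotated
    effective = min(by_age, by_count)
    return {
        "by_age_days": by_age,
        "by_count_days": by_count,
        "effective_days": effective,
        "binding_limit": "age" if by_age <= by_count else "backup_count",
        "meets_8_10": effective >= CIS_8_10_MIN_DAYS,
    }


def required_backups(max_file_mb, growth_mb_per_day, days=CIS_8_10_MIN_DAYS):
    """Smallest backup count whose total capacity covers `days` of growth."""
    files_needed = math.ceil(days * growth_mb_per_day / max_file_mb)
    return max(files_needed - 1, 0)


def observed_retention_days(log_dir, now=None):
    """Lower bound on history actually on disk: age of the oldest agent.log
    segment. Events inside it are older than its mtime, so the real span
    is at least this. This is what an auditor can verify on the host."""
    now = time.time() if now is None else now
    segments = [p for p in Path(log_dir).iterdir() if p.name.startswith("agent.log")]
    if not segments:
        return 0.0
    oldest = min(p.stat().st_mtime for p in segments)
    return (now - oldest) / 86400


def observed_demo():
    """Constructed directory: active file plus one rotated segment 20 days old."""
    d = Path(tempfile.mkdtemp())
    (d / "agent.log").write_text("")
    old = d / "agent.log.1.gz"
    old.write_bytes(b"")
    now = time.time()
    os.utime(old, (now - 20 * 86400, now - 20 * 86400))
    return observed_retention_days(d, now=now)


if __name__ == "__main__":
    default = plan()
    print("default policy keeps", default["effective_days"], "days; binding limit:", default["binding_limit"])
    print("raising retention_days to 90 alone keeps", plan(retention_days=90)["effective_days"], "days")
    print("backups needed at 10 MB/day for 90 days:", required_backups(50, 10))
    print("history on disk in demo dir: %.1f days" % observed_demo())
```

Raising only the day count to 90 moves the binding limit to the backup count (30 days at 10 MB/day with 5 backups of 50 MB), so both parameters have to be sized from the host's real growth rate, which the observed check measures.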

## Implementation Group considerations

CIS Controls v8.1 organizes sub-controls (called Safeguards) into three Implementation Groups (IGs). Customers select the IG that matches their organization's risk profile, expertise, and resource availability. The IG selection determines which Safeguards apply.

* **Implementation Group 1 (IG1) — Essential cyber hygiene.** Smaller organizations with limited IT and cybersecurity expertise. 56 Safeguards covering the most basic protections every organization should implement.
* **Implementation Group 2 (IG2) — Risk-based cyber defense.** Organizations with moderate resources and greater risk exposure than IG1 organizations. Includes all IG1 Safeguards plus 74 additional Safeguards (130 total).
* **Implementation Group 3 (IG3) — Advanced cyber defense.** Organizations with substantial IT and cybersecurity expertise managing significant risk. Includes all IG1 and IG2 Safeguards plus 23 additional Safeguards (153 total).

LinuxGuard does not select an IG for the customer. The mapping above identifies which Controls LinuxGuard addresses at the family level; per-Safeguard coverage depends on the customer's selected IG and the specific Safeguard text. Customers documenting LinuxGuard in their CIS Controls implementation tracker reference the family-level mapping and add per-Safeguard notes as needed.

## v8 vs v7.1

CIS Controls v8 (and v8.1) consolidated v7.1's 20 Controls into 18 Controls, renamed Sub-Controls to Safeguards, and carried forward the Implementation Groups model that v7.1 introduced. Customers cross-referencing legacy CIS Controls v7.1 documentation should treat v7.1 Control numbers as deprecated. The Center for Internet Security publishes a v7.1-to-v8 mapping crosswalk separately.

Notable consolidations from v7.1 to v8:

* v7.1 CIS 3 (Continuous Vulnerability Management) becomes v8 CIS 7 (Continuous Vulnerability Management).
* v7.1 CIS 4 (Controlled Use of Administrative Privileges) and v7.1 CIS 16 (Account Monitoring and Control) are split across v8 CIS 5 (Account Management) and v8 CIS 6 (Access Control Management).
* v7.1 CIS 5 (Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers) and v7.1 CIS 11 (Secure Configuration for Network Devices) become v8 CIS 4 (Secure Configuration of Enterprise Assets and Software).
* v7.1 CIS 6 (Maintenance, Monitoring and Analysis of Audit Logs) becomes v8 CIS 8 (Audit Log Management).

This mapping uses v8.1 numbering only. Customers maintaining historical v7.1 documentation should crosswalk per the CIS-published table.

## How to share with auditor

Three export paths are available, depending on the auditor's evidence preference:

* **Console Compliance Expansion reports.** Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per [Compliance Expansion](/concepts/concepts/console/compliance-expansion.md#reports). Each report includes the framework version (CIS Controls v8.1), last-verified date, per-Control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
* **Support bundles for host-level evidence.** `support-bundle collect` on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see [Support Bundles](/operate/operate/support-bundles.md). Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
* **Console CSV / JSON export per Control.** Compliance Expansion → CIS Controls v8.1 → Control detail → Evidence tab exports per-Control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.

> **Security Note**: Support bundles include the raw `agent.log` and rotated segments. Attribute-key redaction (`api_key`, `*_token`, `*_secret`) is applied; PII (hostnames, IPs, usernames, paths, command arguments) is NOT additionally redacted. Review every evidence package before sharing externally. See [Support Bundles](/operate/operate/support-bundles.md) for the per-file redaction status table.
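What that pre-share review looks like in practice, as an added example (not LinuxGuard code): it recomputes SHA-256 over every file in an extracted bundle against the manifest, reporting tampered, missing, and unlisted files, then scans the agent log for `api_key`, `*_token`, and `*_secret` attributes whose values survived redaction. The manifest layout (`sha256sum` style, named `manifest.sha256`), the placeholder strings treated as redacted, and the bundle contents are assumptions for the demo; this page does not document the real manifest format.

```python
"""Pre-share check for an extracted evidence package.

Added example, not LinuxGuard code. Assumes a sha256sum(1)-style manifest
('<hex>  <relative path>' per line) named manifest.sha256 at the bundle
root; the real LinuxGuard manifest layout is not documented here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Attribute keys the page says are redacted in bundles; any such key still
# carrying a non-placeholder value is a finding. Placeholders are assumed.
SECRET_KEY_RE = re.compile(
    r'\b(api_key|\w*_token|\w*_secret)\b"?\s*[=:]\s*("?)([^"\s,}]+)\2', re.I)
REDACTED_VALUES = {"[REDACTED]", "***", "<redacted>"}


def sha256_file(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map relative path -> expected hex digest, ignoring blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.lower()
    return entries


def verify_manifest(bundle_dir, manifest_name="manifest.sha256"):
    """Classify every file as ok / mismatch / missing, and list files the manifest never covered."""
    bundle_dir = Path(bundle_dir)
    expected = parse_manifest((bundle_dir / manifest_name).read_text())
    on_disk = {p.relative_to(bundle_dir).as_posix()
               for p in bundle_dir.rglob("*") if p.is_file()}
    on_disk.discard(manifest_name)
    report = {"ok": [], "mismatch": [], "missing": [],
              "unlisted": sorted(on_disk - set(expected))}
    for name, digest in expected.items():
        path = bundle_dir / name
        if not path.is_file():
            report["missing"].append(name)
        elif sha256_file(path) != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    return report


def unredacted_secrets(text):
    """Return (key, value) pairs whose value is not a recognised redaction placeholder."""
    hits = []
    for m in SECRET_KEY_RE.finditer(text):
        key, value = m.group(1), m.group(3)
        if value not in REDACTED_VALUES:
            hits.append((key, value))
    return hits


def demo():
    """Constructed bundle: two listed files (one tampered after hashing), one
    unlisted file, and a log line where one secret attribute escaped redaction."""
    d = Path(tempfile.mkdtemp())
    log = d / "agent.log"
    log.write_text('{"event":"auth","user":"alice","api_key":"[REDACTED]","session_token":"abc123"}\n')
    cfg = d / "config.yaml"
    cfg.write_text("log_level: info\n")
    manifest = "\n".join("%s  %s" % (sha256_file(p), p.name) for p in (log, cfg)) + "\n"
    (d / "manifest.sha256").write_text(manifest)
    cfg.write_text("log_level: debug\n")             # tampered after hashing
    (d / "notes.txt").write_text("added by hand\n")  # never listed in the manifest
    return {"integrity": verify_manifest(d), "secrets": unredacted_secrets(log.read_text())}


if __name__ == "__main__":
    result = demo()
    for state, names in result["integrity"].items():
        print(state, names)
    print("unredacted:", result["secrets"])
```

Only a package with no mismatches, no missing files, no unlisted files, and an empty secrets list should leave the organisation; an unlisted file means the manifest no longer describes what is being shared, whatever its content.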

## Cross-references

* [**CIS Benchmarks**](/audit-and-comply/audit-comply/cis-benchmarks.md) — distinct from CIS Controls: OS-specific configuration hardening guides referenced by LinuxGuard's baseline detection. See the callout at the top of this page for the separation rationale.
* [**Audit & Comply**](/audit-and-comply/audit-comply.md) — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
* [**Compliance Expansion**](/concepts/concepts/console/compliance-expansion.md) — console pillar; canonical Evidence Location pointer set.
* [**Audit**](/concepts/concepts/console/audit.md) — authorizations and SUDO execution audit feeding compliance evidence.
* [**Baselines**](/concepts/concepts/console/baselines.md) — configuration baselines and drift detection that CIS 4 satisfies.
* [**Support Bundles**](/operate/operate/support-bundles.md) — per-file redaction status table; pre-share PII warning.
* [**Log Management**](/operate/operate/log-management.md) — log retention and rotation relevant to CIS 8 audit log management.
* [**Glossary**](/reference/reference/glossary.md) — framework acronyms and compliance vocabulary definitions.

***

*Last reviewed: 2026-05-31 against CIS Controls v8.1 published 2024-06-01.*
