CIS Controls v8.1
CIS Controls v8.1 control mapping — LinuxGuard agent and console capabilities aligned to the 18 control families with explicit separation from CIS Benchmarks and Satisfies / Supports / Out of scope ti
Note: This page maps LinuxGuard against CIS Controls v8.1 (published 2024-06-01). Last verified against the framework on 2026-05-31. Canonical framework document: CIS Critical Security Controls v8.1 — Center for Internet Security. For the vocabulary contract used here, see Audit & Comply.
Important — Not the same as CIS Benchmarks: CIS Controls v8.1 are 18 strategic security control families addressing the what of organizational security (e.g., "Establish and Maintain an Inventory of Enterprise Assets"). CIS Benchmarks are OS-specific configuration hardening guides (e.g., "set
net.ipv4.tcp_syncookies=1in/etc/sysctl.conf" or "ensurePermitRootLogin noin/etc/ssh/sshd_config"). They are complementary, not interchangeable: Controls describe organizational program scope; Benchmarks describe per-host configuration settings. Citing the wrong one in an audit conversation or procurement RFP is a common error. See CIS Benchmarks for the Linux hardening configurations LinuxGuard's baseline detection complements.
Scope
This page maps LinuxGuard's agent and console capabilities against CIS Controls v8.1. The mapping is scoped to controls in audit log management (CIS Control 8), account management (CIS Control 5), access control management (CIS Control 6), secure configuration (CIS Control 4), enterprise asset inventory (CIS Control 1), continuous vulnerability management (CIS Control 7), and incident response (CIS Control 17) that LinuxGuard's telemetry, baselines, drift detection, and audit features address. Controls in data protection (CIS Control 3), email and browser protections (CIS Control 9), malware defenses (CIS Control 10), data recovery (CIS Control 11), network infrastructure and monitoring management (CIS Controls 12-13), security awareness training (CIS Control 14), service provider management (CIS Control 15), application software security (CIS Control 16), and penetration testing (CIS Control 18) are out of scope for this product and are listed in the mapping table as Out of scope rather than omitted. This mapping is informational and not a substitute for an independent audit by a qualified assessor.
Customers remain responsible for selecting the appropriate Implementation Group (IG1, IG2, or IG3) for their organization, conducting the broader security program that the technical controls support, and documenting the organizational policies and procedures that complement the agent's telemetry surface.
Shared responsibility
LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.
The shared-responsibility framing for CIS Controls v8.1:
LinuxGuard responsibility. Produce continuous audit log generation, file integrity monitoring telemetry, configuration baselines and drift detection, account and group inventories, authorization audit, and behavioral signals on Linux systems within the customer's enterprise asset scope. Maintain the framework version pin and per-control evidence pointers.
Customer responsibility. Determine the applicable Implementation Group (IG1, IG2, or IG3) and assign sub-controls accordingly, operate the customer-side controls layered above LinuxGuard's telemetry (IAM platform, network monitoring, vulnerability scanning, malware defenses, backup management, training program), engage in the broader security program (data protection, email and browser protections, application security, penetration testing), and document the policies and procedures that complement the technical control surface.
Out-of-scope domains for this framework. Data protection (CIS Control 3), email and browser protections (CIS Control 9), malware defenses (CIS Control 10), data recovery (CIS Control 11), network infrastructure and monitoring management (CIS Controls 12-13), security awareness training (CIS Control 14), service provider management (CIS Control 15), application software security (CIS Control 16), and penetration testing (CIS Control 18).
Control mapping
The Tier column uses one of three labels and only those three: Satisfies, Supports, Out of scope. The Evidence column points to a row of the canonical Evidence Location table or to a specific console page. See Audit & Comply for the three-tier vocabulary contract.
CIS 1
Inventory and Control of Enterprise Assets — Actively manage all enterprise assets connected to the infrastructure
Supports
Console Infrastructure → server inventory; Agent enrollment record
LinuxGuard surfaces the per-server inventory of enrolled Linux hosts including hostname, architecture, distribution, agent version, and last-seen timestamp. Customer responsible for the broader enterprise asset inventory beyond LinuxGuard-monitored hosts (network devices, IoT, mobile, virtual).
CIS 2
Inventory and Control of Software Assets — Actively manage all software on the network
Out of scope
n/a
Software inventory and execution control are not addressed by LinuxGuard. Application allow-listing, software lifecycle tracking, and unauthorized-software detection are separate-product concerns.
CIS 3
Data Protection — Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data
Out of scope
n/a
Data classification, handling, retention, and disposal are not addressed by LinuxGuard.
CIS 4
Secure Configuration of Enterprise Assets and Software — Establish and maintain the secure configuration of enterprise assets and software
Satisfies
Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules, accounts, groups; Console Zero Trust Enforcement → Config Drift; Agent log (raw events)
Baselines capture the expected configuration state for SSH client, SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection surfaces deviations on each scan cycle. See Baselines. LinuxGuard's coverage applies to the OS layer; application-software configuration management is out of scope.
CIS 5
Account Management — Use processes and tools to assign and manage authorization to credentials for user accounts
Supports
Console Baselines → accounts, groups; Console Audit pillar → Authorizations audit; Agent log (raw events) with loginUID attribute
Account and group baselines surface unexpected account creation, deletion, and modification. Authorization audit and loginUID capture surviving sudo/su escalation contribute to credential management evidence. Customer responsible for the identity platform, account provisioning workflow, joiner-mover-leaver process, and credential issuance.
CIS 6
Access Control Management — Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software
Supports
Console Baselines → SUDO rules, SUDO aliases, SUDO defaults; Console Audit pillar → Authorizations audit; Console Identity Intelligence
SUDO rule baselines, SUDO defaults and aliases baselines, and authorization audit surface OS-layer access control evidence. Identity Intelligence surfaces per-identity posture. Customer responsible for the access control policy, role-based access model definition, application-layer authorization, and access review workflow.
CIS 7
Continuous Vulnerability Management — Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure
Supports
linuxguard-agent probe command; Console Compliance Expansion → History
The probe command tests kernel, BPF, fanotify, netlink, audit, and capability prerequisites supporting deployment-time verification. Compliance history surfaces ongoing posture evaluation. Customer responsible for the vulnerability scanning program (network scanners, host scanners, container scanners), prioritization workflow, and remediation tracking.
CIS 8
Audit Log Management — Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack
Satisfies
Agent log (raw events) at /var/log/linuxguard/agent.log; Support bundle; Console Compliance Expansion → History
The LinuxGuard agent generates structured audit logs continuously on every enrolled host with timestamps, event categories, identity attribution, and loginUID propagation across privilege escalation. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. See Log Management. This is the load-bearing control for LinuxGuard's audit logging pillar.
CIS 9
Email and Web Browser Protections — Improve protections and detections of threats from email and web vectors
Out of scope
n/a
Email and browser security are not addressed by LinuxGuard.
CIS 10
Malware Defenses — Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets
Out of scope
n/a
Anti-malware deployment and execution prevention are not addressed by LinuxGuard. LinuxGuard is a security monitoring agent, not an anti-malware product.
CIS 11
Data Recovery — Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state
Out of scope
n/a
Data recovery, backup management, and restoration testing are not addressed by LinuxGuard.
CIS 12
Network Infrastructure Management — Establish, implement, and actively manage network devices
Out of scope
n/a
Network device management is not addressed by LinuxGuard.
CIS 13
Network Monitoring and Defense — Operate processes and tooling to establish and maintain network monitoring and defense against security threats across the enterprise's network infrastructure and user base
Supports
Agent log (raw events); Console Zero Trust Enforcement → Signals
Behavioral telemetry at the OS layer surfaces network-related signals visible at the kernel layer. Customer responsible for network-layer monitoring (NDR, IDS/IPS, flow logs, perimeter defense) beyond OS-layer observability.
CIS 14
Security Awareness and Skills Training — Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise
Out of scope
n/a
Security awareness training is an organizational responsibility not addressed by LinuxGuard.
CIS 15
Service Provider Management — Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately
Supports
Console Compliance Expansion → Reports; framework version pins; SHA-256 manifest on collected support bundles
LinuxGuard is one service provider in the customer's supplier chain. Framework version pins, per-control evidence pointers, and SHA-256 evidence chain integrity support the customer's supplier assessment workflow for LinuxGuard itself. Customer responsible for the broader service provider management program and assessments of other suppliers.
CIS 16
Application Software Security — Manage the security life cycle of in-house developed, hosted, or acquired software
Out of scope
n/a
Application software security (SDLC, secure coding, application testing) is not addressed by LinuxGuard.
CIS 17
Incident Response Management — Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack
Supports
Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Audit pillar → SUDO execution audit; Support bundle
LinuxGuard supplies telemetry-driven evidence supporting incident response — authentication events, drift events, signal records, SUDO execution audit, and support bundles. Customer responsible for the incident response plan, role assignments, communication workflow, and tabletop exercises.
CIS 18
Penetration Testing — Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker
Out of scope
n/a
Penetration testing is a third-party assessment activity not addressed by LinuxGuard.
Important: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.
Implementation Group considerations
CIS Controls v8.1 organizes sub-controls (called Safeguards) into three Implementation Groups (IGs). Customers select the IG that matches their organization's risk profile, expertise, and resource availability. The IG selection determines which Safeguards apply.
Implementation Group 1 (IG1) — Essential cyber hygiene. Smaller organizations with limited IT and cybersecurity expertise. 56 Safeguards covering the most basic protections every organization should implement.
Implementation Group 2 (IG2) — Risk-based cyber defense. Organizations with moderate resources and greater risk exposure than IG1 organizations. Includes all IG1 Safeguards plus 74 additional Safeguards (130 total).
Implementation Group 3 (IG3) — Advanced cyber defense. Organizations with substantial IT and cybersecurity expertise managing significant risk. Includes all IG1 and IG2 Safeguards plus 23 additional Safeguards (153 total).
LinuxGuard does not select an IG for the customer. The mapping above identifies which Controls LinuxGuard addresses at the family level; per-Safeguard coverage depends on the customer's selected IG and the specific Safeguard text. Customers documenting LinuxGuard in their CIS Controls implementation tracker reference the family-level mapping and add per-Safeguard notes as needed.
v8 vs v7.1
CIS Controls v8 (and v8.1) consolidated v7.1's 20 Controls into 18 Controls, reorganized the Sub-Controls into Safeguards, and introduced the Implementation Groups model. Customers cross-referencing legacy CIS Controls v7.1 documentation should treat v7.1 Control numbers as deprecated. The Center for Internet Security publishes a v7.1-to-v8 mapping crosswalk separately.
Notable consolidations from v7.1 to v8:
v7.1 CIS 3 (Continuous Vulnerability Management) and v7.1 CIS 4 (Controlled Use of Administrative Privileges) merge content into v8 CIS 7 (Continuous Vulnerability Management) and v8 CIS 5/6 (Account Management / Access Control Management).
v7.1 CIS 6 (Maintenance, Monitoring and Analysis of Audit Logs) becomes v8 CIS 8 (Audit Log Management).
v7.1 CIS 16 (Account Monitoring and Control) merges with v7.1 CIS 5 into v8 CIS 5 (Account Management).
This mapping uses v8.1 numbering only. Customers maintaining historical v7.1 documentation should crosswalk per the CIS-published table.
How to share with auditor
Three export paths are available, depending on the auditor's evidence preference:
Console Compliance Expansion reports. Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per Compliance Expansion. Each report includes the framework version (CIS Controls v8.1), last-verified date, per-Control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
Support bundles for host-level evidence.
support-bundle collecton each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see Support Bundles. Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.Console CSV / JSON export per Control. Compliance Expansion → CIS Controls v8.1 → Control detail → Evidence tab exports per-Control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.
Security Note: Support bundles include the raw
agent.logand rotated segments. Attribute-key redaction (api_key / *_token / *_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Review every evidence package before sharing externally. See Support Bundles for the per-file redaction status table.
Cross-references
CIS Benchmarks — distinct from CIS Controls: OS-specific configuration hardening guides referenced by LinuxGuard's baseline detection. See the callout at the top of this page for the separation rationale.
Audit & Comply — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
Compliance Expansion — console pillar; canonical Evidence Location pointer set.
Audit — authorizations and SUDO execution audit feeding compliance evidence.
Baselines — configuration baselines and drift detection that CIS 4 satisfies.
Support Bundles — per-file redaction status table; pre-share PII warning.
Log Management — log retention and rotation relevant to CIS 8 audit log management.
Glossary — framework acronyms and compliance vocabulary definitions.
Last reviewed: 2026-05-31 against CIS Controls v8.1 published 2024-06-01.
Last updated
Was this helpful?