NIST CSF 2.0
NIST Cybersecurity Framework 2.0 control mapping — LinuxGuard agent and console capabilities aligned to PROTECT, DETECT, and RESPOND functions with Satisfies / Supports / Out of scope tiers.
Note: This page maps LinuxGuard against the NIST Cybersecurity Framework 2.0 (effective 2024-02-26). Last verified against the framework on 2026-05-31. Canonical framework document: NIST CSF 2.0 — NIST.CSWP.29. For the vocabulary contract used here, see Audit & Comply.
Important — CSF 2.0 vs CSF 1.1: CSF 2.0 (published February 2024) added a sixth function — GOVERN (GV) — alongside the original five functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) from CSF 1.1. The GOVERN function consolidates organizational context, risk management strategy, roles and responsibilities, policy, and oversight content that was scattered across CSF 1.1's IDENTIFY function. Customers cross-referencing legacy CSF 1.1 documentation should treat 1.1 category IDs as deprecated; this mapping uses CSF 2.0 category and subcategory IDs only. The 1.1-to-2.0 mapping crosswalk is published separately by NIST at the CSF 2.0 Reference Tool.
Scope
This page maps LinuxGuard's agent and console capabilities against NIST CSF 2.0. The mapping is scoped to the subcategories that LinuxGuard's telemetry, baselines, drift detection, and audit features address in the PROTECT function (PR.AA Identity Management, Authentication, and Access Control; PR.DS Data Security; PR.PS Platform Security), the DETECT function (DE.CM Continuous Monitoring; DE.AE Adverse Event Analysis), and the RESPOND function (RS.MA Incident Management; RS.AN Incident Analysis). The GOVERN function (organizational context, risk management strategy, roles and responsibilities, policy, oversight, supply chain risk management under GV.SC), most of the IDENTIFY function (organizational-level asset management, risk assessment program administration under ID.RA, improvement under ID.IM), the RECOVER function (incident recovery plan execution under RC.RP, recovery communication under RC.CO), and the customer-side program elements of every function are out of scope for this product; representative rows for each appear in the mapping table as Out of scope rather than being omitted.
Customers remain responsible for the GOVERN function as a whole, the organizational-level risk assessment under ID.RA, the recovery planning and execution under the RC function, and the broader cybersecurity program that the technical subcategories support.
Shared responsibility
LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.
The shared-responsibility framing for NIST CSF 2.0:
LinuxGuard responsibility. Produce continuous telemetry, configuration baselines, drift detection, authentication event capture, file integrity monitoring, behavioral signals, and audit trails on Linux systems that map to specific PROTECT, DETECT, and RESPOND subcategories. Maintain the framework version pin and per-subcategory evidence pointers.
Customer responsibility. Operate the GOVERN function (organizational context, risk management strategy, roles, policy, oversight, and the supply chain risk management program under GV.SC), conduct the organizational-level risk assessment under ID.RA and the improvement activities under ID.IM, administer the asset management program under ID.AM beyond LinuxGuard-monitored hosts, operate the customer-side controls layered above LinuxGuard's telemetry (IAM platform, network policy, key management, training, physical security, vendor management, BCP), and execute the RECOVER function (recovery plan execution under RC.RP and recovery communication under RC.CO).
Out-of-scope domains for this framework. The GOVERN function in its entirety, organizational-level risk assessment, asset management program administration, business environment characterization, supply chain risk management program (beyond LinuxGuard as one supplier), recovery planning and execution, communications and stakeholder engagement, and the policy administration elements of every function.
Control mapping
The Tier column uses one of three labels and only those three: Satisfies, Supports, Out of scope. The Evidence column points to a row of the canonical Evidence Location table or to a specific console page. See Audit & Comply for the three-tier vocabulary contract.
GV.OC
Organizational Context — the circumstances surrounding the organization's cybersecurity risk management decisions are understood
Out of scope
n/a
Organizational context characterization is a governance responsibility not addressed by LinuxGuard.
GV.RM
Risk Management Strategy — the organization's priorities, constraints, risk tolerance, and risk appetite are established and used to support operational risk decisions
Out of scope
n/a
Risk management strategy is a governance responsibility not addressed by LinuxGuard.
GV.RR
Roles, Responsibilities, and Authorities — cybersecurity roles, responsibilities, and authorities are established and communicated
Out of scope
n/a
Role and responsibility assignment is a governance responsibility not addressed by LinuxGuard.
ID.AM-01
Inventories of hardware managed by the organization are maintained
Supports
Console Infrastructure → server inventory; Console Compliance Expansion → control detail
LinuxGuard surfaces the per-server inventory of enrolled hosts including hostname, architecture, distribution, and agent version. Customer responsible for the organizational hardware asset register beyond LinuxGuard-monitored hosts.
ID.AM-02
Inventories of software, services, and systems managed by the organization are maintained
Supports
Console Infrastructure; Console Baselines → accounts and groups
LinuxGuard surfaces account and group inventories per host. Customer responsible for the application software inventory and the broader system inventory beyond OS-layer accounts.
PR.AA-01
Identities and credentials for authorized users, services, and hardware are managed by the organization
Supports
Console Audit pillar → Authorizations audit; Console Baselines → accounts and groups; Agent log (raw events) with loginUID attribute
LinuxGuard observes account and group inventories, authorization changes, and authentication events with loginUID capture surviving sudo/su escalation. Customer responsible for the identity platform, credential issuance, and identity lifecycle workflow.
PR.AA-03
Users, services, and hardware are authenticated
Supports
Agent log (raw events) with auth.event attribute; Console Identity Intelligence
LinuxGuard captures authentication events including user, source IP, method (password, publickey, keyboard-interactive), and outcome. Customer responsible for the authentication platform, MFA enforcement, and password policy administration.
PR.AA-05
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed
Supports
Console Audit pillar → Authorizations audit; Console Baselines → SUDO rules, SSH config, SSHD config; Console Zero Trust Enforcement → Config Drift
SUDO rule baselines, SSH/SSHD baselines, authorization audit, and config drift surface OS-layer entitlement evidence. Customer responsible for the access policy text, role definition, and access review workflow.
PR.DS-01
The confidentiality, integrity, and availability of data-at-rest are protected
Supports
Agent log (raw events); Console Zero Trust Enforcement → Config Drift
File integrity monitoring on sensitive paths (sudoers, sshd_config, passwd, shadow, authorized_keys, operator-configured paths) contributes to integrity assurance for OS-layer data-at-rest. Customer responsible for application-layer data-at-rest controls and encryption-at-rest.
PR.PS-01
Configuration management practices are established and applied
Satisfies
Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules; Console Zero Trust Enforcement → Config Drift; Agent log (raw events)
Baselines capture the expected configuration state for SSH client, SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection surfaces deviations on each scan cycle. See Baselines.
PR.PS-04
Log records are generated and made available for continuous monitoring
Satisfies
Agent log (raw events) at /var/log/linuxguard/agent.log; Support bundle
The LinuxGuard agent generates structured audit logs continuously on every enrolled host. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. See Log Management.
PR.PS-05
Installation and execution of unauthorized software are prevented
Out of scope
n/a
Application allow-listing and execution prevention are not addressed by LinuxGuard. LinuxGuard observes and reports but does not enforce execution policy.
DE.CM-01
Networks and network services are monitored to find potentially adverse events
Supports
Agent log (raw events); Console Zero Trust Enforcement → Signals
Behavioral telemetry surfaces network-related signals (e.g., suspicious connection attempts visible at the kernel layer). Customer responsible for network-layer monitoring (NDR, IDS/IPS, flow logs) beyond OS-layer observability.
DE.CM-03
Personnel activity and technology usage are monitored to find potentially adverse events
Satisfies
Agent log (raw events) with loginUID attribute; Console Audit pillar → SUDO execution audit; Console Identity Intelligence
Authentication event capture, SUDO execution audit, and loginUID propagation across privilege escalation produce continuous personnel-activity monitoring on enrolled hosts.
DE.CM-09
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Satisfies
Agent log (raw events); Console Zero Trust Enforcement → Config Drift; Console Zero Trust Enforcement → Signals
eBPF-based behavioral telemetry, file integrity monitoring on critical paths, configuration drift on baselines, and signal records constitute continuous monitoring of the runtime environment. See Security Architecture.
DE.AE-02
Potentially adverse events are analyzed to better understand associated activities
Supports
Console Zero Trust Enforcement → Signals; Agent log (raw events); Support bundle
Signal records, agent logs, and support bundles supply the source material for adverse event analysis. Customer responsible for the analyst workflow, triage process, and decision criteria.
DE.AE-03
Information is correlated from multiple sources
Supports
Console Zero Trust Enforcement → Signals; Console Audit pillar; Console Baselines
Console surfaces correlate authentication events, drift events, SUDO execution audit, and behavioral signals per server and per identity. Customer responsible for cross-source correlation with non-LinuxGuard telemetry (network logs, application logs, identity provider logs).
DE.AE-06
Information on adverse events is provided to authorized staff and tools
Supports
Console Notifications; Console Compliance Expansion → Reports
Console notifications and reports route adverse-event information to operators. Customer responsible for the notification routing configuration, on-call rotation, and integration with the broader operations stack.
RS.MA-01
The incident response plan is executed in coordination with relevant third parties once an incident is declared
Supports
Agent log (raw events); Console Zero Trust Enforcement → Signals; Support bundle
LinuxGuard supplies telemetry-driven evidence supporting incident response plan execution. Customer responsible for the incident response plan, declaration criteria, and coordination with third parties.
RS.MA-03
Incidents are categorized and prioritized
Supports
Console Zero Trust Enforcement → Signals (severity); Console Notifications
Signal severity tagging informs the customer's categorization and prioritization workflow. Customer responsible for the incident categorization scheme and prioritization criteria.
RS.AN-03
Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Supports
Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Audit pillar → SUDO execution audit; Support bundle
Agent logs, signal timelines, SUDO execution audit, and support bundles provide forensic source material. Customer responsible for the analyst workflow, root cause analysis, and incident reconstruction narrative.
RS.AN-06
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Supports
Console Compliance Expansion → History annotations; Support bundle BUNDLE-MANIFEST.json with SHA-256 verification
Compliance history annotations and bundle manifest integrity verification support investigation recordkeeping. Customer responsible for the investigation workflow, case management, and chain of custody.
RC.RP-01
The recovery portion of the incident response plan is executed once initiated from the incident response process
Out of scope
n/a
Recovery plan execution is a customer process not addressed by LinuxGuard. LinuxGuard is a security monitoring agent, not a recovery or restoration product.
RC.CO-03
Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
Out of scope
n/a
Recovery communications are an organizational responsibility not addressed by LinuxGuard.
Important: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.
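The baseline-plus-drift technique cited in the PR.PS-01 row, together with the file integrity monitoring cited in the PR.DS-01 row, as an added example. This is not LinuxGuard code and does not use LinuxGuard's baseline or signal format: it is a small Python script that records an sshd_config baseline as parsed directives plus a SHA-256 of the raw file, then reports on a later scan both whether the file changed at all (integrity) and whether the effective policy changed (drift). The three sample configurations and the high-severity directive list are constructed for the example.

```python
"""Configuration baseline and drift detection for an sshd_config-style file.

Added example for this mapping page; not LinuxGuard code and not its baseline
format. Two comparisons are kept separate on purpose: a SHA-256 of the raw
file (file integrity monitoring, fires on any byte change) and a
directive-level diff (drift, fires only when the effective policy changes).
"""
from __future__ import annotations

import hashlib
import re

# Constructed sample: sshd_config as it looked when the baseline was captured.
BASELINE_SSHD_CONFIG = """\
# Managed by config management
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups sshusers
"""

# Constructed sample: the file on a later scan after root login and password
# authentication were re-enabled and the AllowGroups restriction was dropped.
DRIFTED_SSHD_CONFIG = """\
# Managed by config management
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Constructed sample: only a comment changed. FIM must fire, drift must not.
COMMENT_ONLY_SSHD_CONFIG = BASELINE_SSHD_CONFIG.replace(
    "# Managed by config management", "# Managed by config management (reviewed 2026-05)"
)

# Directives whose drift is rated high. Assumed list for this example only.
HIGH_SEVERITY = {"permitrootlogin", "passwordauthentication", "allowgroups", "allowusers"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd_config.
_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=\s*)?(.*)$")


def parse_directives(text: str) -> dict[str, str]:
    """Return {keyword_lowercase: value} for the effective directives.

    Lines starting with '#' and blank lines are ignored. As in sshd, the first
    occurrence of a keyword wins. Match blocks are not modelled here.
    """
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            continue
        directives.setdefault(m.group(1).lower(), m.group(2).strip())
    return directives


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_changed(baseline: str, current: str) -> bool:
    """File integrity check: any byte difference, comments included."""
    return sha256_hex(baseline.encode()) != sha256_hex(current.encode())


def detect_drift(baseline: str, current: str) -> list[dict[str, str]]:
    """Directive-level drift: added, removed or changed effective settings."""
    base, now = parse_directives(baseline), parse_directives(current)
    findings: list[dict[str, str]] = []
    for key in sorted(base.keys() | now.keys()):
        if key not in now:
            change, detail = "removed", base[key]
        elif key not in base:
            change, detail = "added", now[key]
        elif base[key] != now[key]:
            change, detail = "changed", f"{base[key]} -> {now[key]}"
        else:
            continue
        findings.append({
            "directive": key,
            "change": change,
            "detail": detail,
            "severity": "high" if key in HIGH_SEVERITY else "low",
        })
    return findings


def scan(baseline: str, current: str) -> dict:
    """One scan cycle: report the FIM result and the semantic drift together."""
    return {
        "baseline_sha256": sha256_hex(baseline.encode()),
        "current_sha256": sha256_hex(current.encode()),
        "integrity_changed": integrity_changed(baseline, current),
        "drift": detect_drift(baseline, current),
    }


if __name__ == "__main__":
    for label, cfg in (("drifted", DRIFTED_SSHD_CONFIG), ("comment-only", COMMENT_ONLY_SSHD_CONFIG)):
        result = scan(BASELINE_SSHD_CONFIG, cfg)
        print(f"[{label}] integrity_changed={result['integrity_changed']}")
        for f in result["drift"]:
            print(f"  {f['severity'].upper():4} {f['directive']} {f['change']}: {f['detail']}")
```

The comment-only sample is the reason both checks are reported: a hash mismatch alone tells an analyst that the file was touched, while an empty drift list tells them the effective sshd policy did not change, which is the distinction an auditor asks about when a PR.PS-01 finding is raised.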
Function-level coverage summary
CSF 2.0 organizes subcategories under six functions. The summary below restates which functions LinuxGuard addresses materially and which are left to the customer's broader program.
GOVERN (GV)
Out of scope — governance, risk strategy, roles, policy, and oversight are organizational responsibilities.
IDENTIFY (ID)
Partial Supports — asset inventory (ID.AM) at the per-host level only; the remaining IDENTIFY categories (risk assessment under ID.RA, improvement under ID.IM) are out of scope.
PROTECT (PR)
Partial — configuration management (PR.PS-01) and log generation (PR.PS-04) are Satisfies; identity management (PR.AA) and data security (PR.DS) are Supports.
DETECT (DE)
Substantial — personnel and technology monitoring (DE.CM-03) and runtime environment monitoring (DE.CM-09) are Satisfies; event analysis subcategories are Supports.
RESPOND (RS)
Supports across incident management (RS.MA) and incident analysis (RS.AN); response execution remains customer-side.
RECOVER (RC)
Out of scope — recovery planning, execution, and communications are customer-side.
The function-level summary is descriptive; the per-subcategory mapping table above is the authoritative content.
How to share with auditor
Three export paths are available, depending on the auditor's evidence preference:
Console Compliance Expansion reports. Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per Compliance Expansion. Each report includes the framework version (NIST CSF 2.0), last-verified date, per-subcategory coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
Support bundles for host-level evidence. support-bundle collect on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see Support Bundles. Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
Console CSV / JSON export per subcategory. Compliance Expansion → NIST CSF 2.0 → subcategory detail → Evidence tab exports per-subcategory evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.
Security Note: Support bundles include the raw agent.log and rotated segments. Attribute-key redaction (api_key / *_token / *_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Review every evidence package before sharing externally. See Support Bundles for the per-file redaction status table.
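The two things a reviewer has to do with a bundle before it leaves the organization, as one added example: confirm the manifest's SHA-256 entries still match the files (the integrity and provenance property the RS.AN-06 row and the report manifest rely on), and list the identifiers the Security Note says are not redacted, plus any secret value that slipped past attribute-key redaction. This is not LinuxGuard code. The manifest shape ({"files": {"<relative path>": "<sha256 hex>"}}), the "[REDACTED]" marker, the log line format, and the known-host and known-user lists are all assumptions constructed for the example; the real BUNDLE-MANIFEST.json layout is documented under Support Bundles, not here.

```python
"""Pre-share check for an extracted support bundle.

Added example for this mapping page; not LinuxGuard code. Assumptions, none
of which come from the page:
  - BUNDLE-MANIFEST.json is {"files": {"<relative path>": "<sha256 hex>"}}
  - redacted attribute values are replaced by the literal "[REDACTED]"
  - the tar.zst has already been extracted into a directory
"""
from __future__ import annotations

import hashlib
import json
import re
import sys
from pathlib import Path

MANIFEST_NAME = "BUNDLE-MANIFEST.json"
REDACTED_MARKER = "[REDACTED]"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Attribute keys the page says are redacted; the value is captured to confirm it.
SECRET_ATTR = re.compile(r"\b(?:api_key|\w*_token|\w*_secret)=(\S+)", re.IGNORECASE)
# Identifiers the organisation does not want in an external package.
# Constructed lists; in practice fed from the CMDB and the directory.
KNOWN_HOSTS = {"db-prod-01.corp.example", "bastion.corp.example"}
KNOWN_USERS = {"alice", "root"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest: dict, files: dict[str, bytes]) -> dict[str, list[str]]:
    """Check every manifest entry against the file bytes actually present."""
    expected = manifest.get("files", {})
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for path, digest in expected.items():
        if path not in files:
            result["missing"].append(path)
        elif sha256_hex(files[path]) != digest.lower():
            result["mismatch"].append(path)
        else:
            result["ok"].append(path)
    # A file the manifest does not cover carries no integrity claim at all.
    result["unlisted"] = sorted(p for p in files if p not in expected and p != MANIFEST_NAME)
    return result


def scan_identifiers(files: dict[str, bytes]) -> dict[str, dict[str, list[str]]]:
    """Report, per text file, what a reviewer must look at before sharing."""
    hits: dict[str, dict[str, list[str]]] = {}
    for path, data in files.items():
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary content is not scanned by this example
        found = {
            "ips": sorted(set(IPV4.findall(text))),
            "hosts": sorted(h for h in KNOWN_HOSTS if h in text),
            "users": sorted(u for u in KNOWN_USERS if re.search(rf"\b{re.escape(u)}\b", text)),
            "unredacted_secrets": sorted(v for v in SECRET_ATTR.findall(text) if v != REDACTED_MARKER),
        }
        if any(found.values()):
            hits[path] = found
    return hits


def precheck(manifest: dict, files: dict[str, bytes]) -> dict:
    integrity = verify_manifest(manifest, files)
    identifiers = scan_identifiers(files)
    return {
        "integrity": integrity,
        "identifiers": identifiers,
        "integrity_ok": not integrity["mismatch"] and not integrity["missing"],
        # A leaked secret blocks sharing outright; IPs, hosts and users need a human decision.
        "secrets_leaked": any(v["unredacted_secrets"] for v in identifiers.values()),
    }


def load_bundle_dir(bundle_dir: Path) -> tuple[dict, dict[str, bytes]]:
    files = {p.relative_to(bundle_dir).as_posix(): p.read_bytes()
             for p in bundle_dir.rglob("*") if p.is_file()}
    return json.loads(files[MANIFEST_NAME]), files


def sample_bundle() -> tuple[dict, dict[str, bytes]]:
    """Constructed bundle contents; the log lines are illustrative, not the real format."""
    files = {
        "agent.log": (
            "2026-05-31T10:12:03Z auth.event user=alice src=10.20.30.40 method=publickey outcome=success\n"
            "2026-05-31T10:12:09Z sudo.exec loginuid=1000 user=root host=db-prod-01.corp.example "
            "cmd=/usr/bin/systemctl restart sshd\n"
        ).encode(),
        "config/agent.conf": b"console_url=https://console.corp.example\napi_key=[REDACTED]\n",
    }
    manifest = {"files": {path: sha256_hex(data) for path, data in files.items()}}
    files[MANIFEST_NAME] = json.dumps(manifest, indent=2).encode()
    return manifest, files


if __name__ == "__main__":
    manifest, files = load_bundle_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else sample_bundle()
    print(json.dumps(precheck(manifest, files), indent=2))
```

Run it with the extracted bundle directory as the only argument, or with no argument to exercise the constructed sample. The "unlisted" list matters as much as "mismatch": a file that was added to the directory after collection has no manifest entry and therefore no provenance claim, and should either be dropped or re-collected before the package is handed to an auditor.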
Cross-references
Audit & Comply — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
Compliance Expansion — console pillar; canonical Evidence Location pointer set.
Audit — authorizations and SUDO execution audit feeding compliance evidence.
Baselines — configuration baselines and drift detection that PR.PS-01 satisfies.
Support Bundles — per-file redaction status table; pre-share PII warning.
Log Management — log retention and rotation relevant to PR.PS-04 audit log evidence.
Glossary — framework acronyms and compliance vocabulary definitions.
Last reviewed: 2026-05-31 against NIST CSF 2.0 published 2024-02-26.