GRCWatch
Sign inStart free trial

CIS Controls 8.8: Collect Command-Line Audit Logs

Command-line activity is a prime attack vector for lateral movement and privilege escalation. CIS Control 8.8 requires you to capture and retain audit logs from all administrative command-line interfaces—PowerShell, BASH, and remote terminals—to detect suspicious behavior and maintain forensic evidence.

What this means

This control mandates the collection and monitoring of command-line audit logs across your infrastructure. Command-line interfaces (PowerShell on Windows, BASH on Linux/macOS, SSH sessions, and remote administrative tools) must generate detailed logs that capture who executed what commands, when, and from where. These logs serve as your detective control and forensic record for investigating incidents and proving compliance.

How to comply

  1. 1.Enable PowerShell transcription and module logging on all Windows systems via Group Policy or registry settings
  2. 2.Configure BASH audit logging through auditd or syslog on Linux/macOS endpoints
  3. 3.Enable SSH command logging and session recording for remote administrative access
  4. 4.Centralize all command-line logs to a SIEM or log aggregation platform for retention and analysis
  5. 5.Set retention policies to keep logs for a minimum of 90 days (or per your compliance requirements)
  6. 6.Establish alerting rules for suspicious command patterns (e.g., credential dumping, privilege escalation attempts)
  7. 7.Document your logging configuration and validate collection is functioning monthly

Evidence auditors look for

  • PowerShell transcription logs showing command execution history with timestamps
  • Auditd syscall logs capturing bash command execution
  • SSH audit logs from /var/log/auth.log or centralized logging system
  • SIEM dashboard showing aggregated command-line activity with search and filtering capabilities
  • Log retention policy documentation confirming minimum 90-day storage
  • Alert rule configuration targeting known attack patterns (e.g., 'whoami', 'net localgroup', 'reg query HKLM')
  • Monthly audit report validating log collection across all endpoints

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates PowerShell and BASH log collection across your infrastructure, aggregates them in a compliance-ready dashboard, and flags suspicious command patterns in real-time—eliminating manual log review for CIS 8.8 evidence.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 8.1 — Establish and Maintain a Data InventoryCIS Controls 8.5 — Configure Detailed LoggingCIS Controls 8.9 — Collect Account Logon LogsNIST 800-53 AU-2 — Audit EventsNIST 800-171 3.3.1 — Information System Monitoring