OpenWatch documentation
- Quickstart guideGo from a freshly installed package to your first host under automatic compliance monitoring. This guide assumes OpenWatch is already installed and running. If it is…
- OpenWatch install guide (native packages)This guide takes an administrator from a fresh Linux host to a running, logged-in OpenWatch: install the package, point it at PostgreSQL, create the first admin user,…
- Host Management and RemediationThis guide covers adding and managing hosts, organizing them into groups, understanding server intelligence data, and using automated remediation to fix compliance…
- Scanning and ComplianceThis guide covers how OpenWatch performs compliance scanning, how to read results and posture scores, and how to use drift detection, alerts, and audit exports. Most of…
- Compliance Control MappingThis document maps OpenWatch's security controls to industry frameworks, providing evidence for compliance audits.
- User roles and permissionsThis guide describes the role-based access control (RBAC) system in the Go-era OpenWatch. It covers the five built-in roles, the permissions they grant, and how you…
- OpenWatch monitoring and operations guideThis guide describes how you monitor a running OpenWatch deployment and how you respond to common operational incidents. OpenWatch ships as a single Go binary…
- Production deployment guideThis guide covers running OpenWatch in production: a single Go binary that serves the REST API and the embedded React UI over HTTPS, backed by PostgreSQL, managed by…
- Scaling guideThis guide covers how OpenWatch behaves as you add hosts, run more scans, and push more concurrent API traffic, and what you can tune today. It describes the current…
- OpenWatch security hardening guideThis guide covers the security controls you operate when you deploy OpenWatch as a native package: one Go binary (/usr/bin/openwatch) that serves the REST API and the…
- Secret rotation proceduresThis guide describes how to rotate each secret used by OpenWatch on the current single-binary stack: one /usr/bin/openwatch process that serves the REST API and embedded…
- Backup and recoveryThis guide covers backup, restore, and disaster recovery for an OpenWatch deployment. OpenWatch is a single Go binary (/usr/bin/openwatch) that serves the REST API and…
- Upgrade procedureThis guide covers upgrading an OpenWatch deployment to a newer version. OpenWatch ships as a single Go binary (/usr/bin/openwatch) that serves both the REST API and the…
- Database migration guideThis guide covers how OpenWatch's PostgreSQL schema is versioned, how migrations are applied in production, and how to add a new migration. OpenWatch is a single Go…
- Linux Distribution Support Matrix- Compliance scanning works on RHEL 8 / 9 / 10 and its binary-compatible rebuilds (Rocky, AlmaLinux, CentOS Stream, Oracle Linux). Every bundled rule declares platforms:…
- Configuration and environment referenceThis document is the field reference for how you configure the OpenWatch Go binary: the TOML file, the environment-variable overrides, and the on-disk paths that the…
- API guideMost operators use the web UI for daily work — managing hosts, viewing fleet health, reading compliance state, and triaging alerts. This guide is for automation:…
- Release notesNotable user-visible changes to OpenWatch, by release — added, changed, fixed, and security updates.