SNAPSHOT: One command / one host / no daemon

See what one Linux host still needs before you call it fixed.

Run a read-only Patch Truth Snapshot and get a short report that says whether the host needs package updates, a restart or reboot, nothing, or a better scan.

One-time read-only scan / No persistent agent / Exits after report
Want to talk through it first? Book a guided demo and we will walk the live demo.
patch-truth-snapshot
Command is ready. Copy it, run it on one supported host, then keep this page open.
$ curl -fsSL https://get.executepath.dev/snapshot.sh | sudo sh
read-only snapshot / host redacted / no daemon installed
package inventory / 402 packages / rocky 9.8
package matching / 74 vulnerable findings
result / package update required
report ready / /s/snapshot/snap_...
Read-only / No persistent agent / Exits after report
Patch Truth Snapshot
redacted host / rocky 9.8 / expires in 7 days
74 vulnerable package findings on this host.

Installed EVRs (epoch:version-release) are below the vendor-fixed package versions.

vulnerable findings: 74
packages scanned: 402
critical / high: 12
host identity: redacted

# next action
sudo dnf update kernel openssl-libs glibc
# evidence
kernel-core 5.14.0-427.el9 -> fixed in 5.14.0-570.el9
openssl-libs 3.0.7-18.el9 -> fixed in 3.0.7-27.el9
Built first for RHEL-family Linux
RHEL, Rocky, AlmaLinux, Oracle Linux, Amazon Linux 2023
Patch truth

"Updated" and "fixed" are not always the same thing.

Sometimes the package really is behind. Sometimes the package is updated but a service still needs a restart. Sometimes the host is clean. The report should say which one happened instead of handing you another generic CVE pile.

Package manager says
openssl-libs is installed
installed EVR / 3.0.7-18.el9
fixed EVR / 3.0.7-27.el9
If the installed package is below the fixed version, the first answer is package update required.
or
Runtime reality
old code may still be live
nginx / pid 1182 -> libssl.so.3 deleted
on disk -> fixed / running -> restart required
If the package is fixed but runtime evidence is stale, the answer changes to restart or reboot required.
How it works

A quick scan, not a deployment project.

01. Run one command

A read-only snapshot collects the minimum package, OS, kernel, and runtime evidence needed for a host-level package-truth report.

02. Get the report

oxharden analyzes the snapshot, writes a shareable report URL, and shows the exact evidence behind the result.

03. Decide whether to expand

Use one host as the fast proof point, then move to the full fleet agent only when the signal is worth tracking continuously.

Report modes

The report has four honest outcomes.

The goal is not to dramatize every host. The goal is to give an operator a concrete next step, including when the data is not good enough to trust.

Package update required

The installed package is below the vendor-fixed EVR. This is the straightforward patch-now case.

Restart or reboot required

The package may be fixed on disk, but runtime evidence still points to old code, deleted libraries, or kernel debt.

Clean snapshot

No vulnerable or restart-required package findings were found in the point-in-time scan.

Incomplete or unsupported

The report refuses to pretend uncertainty is clean: unsupported distro, partial collection, or evidence gaps are called out.
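
How the "package manager says" versus "runtime reality" checks can feed the four outcomes, as an added example (not the product's own code). It assumes a simplified RPM version comparison without tilde/caret rules, skips the kernel reboot check, and uses hypothetical function names with constructed sample data.

```python
import re

def vercmp(a, b):
    """Simplified rpmvercmp: digit runs compare as integers and outrank
    letter runs; tilde/caret rules are omitted."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare [epoch:]version-release strings; a missing epoch counts as 0."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return epoch or "0", version, release
    return next((c for c in map(vercmp, split(a), split(b)) if c), 0)

def stale_libs(maps_text):
    """Shared objects still mapped from a file that was replaced on disk:
    /proc/<pid>/maps marks their path with a trailing ' (deleted)'."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].endswith(" (deleted)"):
            path = fields[5][: -len(" (deleted)")]
            if ".so" in path:
                found.add(path)
    return sorted(found)

def classify(packages, maps_by_pid, complete=True):
    """packages maps name -> (installed EVR, fixed EVR). Outcome names follow the page."""
    if not complete:
        return "incomplete or unsupported"
    if any(evr_cmp(inst, fixed) < 0 for inst, fixed in packages.values()):
        return "package update required"
    if any(stale_libs(text) for text in maps_by_pid.values()):
        return "restart or reboot required"
    return "clean snapshot"

# Constructed sample modelled on the page's nginx / pid 1182 illustration.
SAMPLE_MAPS = {1182: (
    "55d0c8a00000-55d0c8a2a000 r-xp 00000000 fd:00 2101 /usr/sbin/nginx\n"
    "7f2c1a000000-7f2c1a0b3000 r-xp 00000000 fd:00 1312 /usr/lib64/libssl.so.3 (deleted)\n")}
```

The order of checks matters: a package below its fixed EVR is reported first, and the stale-library check only changes the answer once the on-disk package is already fixed.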

Forwardable artifact

A report your team can actually use.

The output is designed for the messy handoff: ops sees commands and package evidence, security sees CVE context, and a manager gets a short summary without asking for a dashboard tour.

Same engine, different commitment

Start with one host. Expand only when the signal is real.

Snapshot mode is the low-friction proof. Fleet mode is the continuous product for package truth, exposure, compliance, and trend history across many hosts.

Snapshot Mode
curl / one host / report
Start here
One command
One host
One-time read-only scan
No daemon
Report-focused
Fleet Mode
agent / dashboard / trends
When ready
Many hosts
Continuous monitoring
Compliance dashboard
Exposure mapping
History and trends
Trust & safety

Built for cautious production evaluation.

Read-only by design
The snapshot reads local state and does not change packages, services, or configs.
No persistent daemon
Snapshot mode exits after upload. Continuous fleet monitoring is a separate install decision.
Host identity redacted
The report is token-protected and designed for forwarding without exposing raw hostname detail.
Built for evidence
The artifact gives managers, security, and operators the same short summary and technical proof.
Start with one host

Get a package-truth report before the next patch meeting.

Run the one-command snapshot on a representative RHEL-family box and see whether the next step is update, restart, clean, or rerun.

FAQ

Questions, answered.

It runs a one-time read-only collection on a single host, uploads the package and runtime evidence for analysis, generates a report, and exits.

No. Snapshot mode is the first-look diagnostic. Fleet mode is the persistent agent and dashboard for continuous monitoring across many hosts.

Package versions are necessary, but they do not always prove remediation is live. Some fixes require service restarts or host reboots before old code stops running.

The report calls that out as incomplete or unsupported instead of giving a false-clean result.