
Stop guessing which Linux risk matters first.

oxharden collects host state once, then ranks CVEs, exposed services, compliance gaps, stale running code, and package fixes in one place. No scanner pileup. No spreadsheet triage. Just the hosts and fixes that move risk down.

Read-only Linux agent · RHEL · Rocky · Alma · Oracle · Amazon Linux · Scheduled + ad-hoc scans

[Diagram: one agent collects, oxharden correlates]

Collect (oxharden agent · read-only host state): packages · running processes · listening ports · kernel · sysctl, PAM, files · cloud metadata

Correlate (oxharden):
  CVEs ranked · KEV → EPSS → CVSS
  Exposed ports · reachability + owning process
  Compliance · expected vs found
  Applied ≠ live · restart / reboot gaps
  Fleet inventory · search every host

One path: openssl package → CVE-2023-0464 → 443 exposed → one package fix

Collect once. Correlate everywhere. Rank by real risk.
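A minimal version of that ranking order, as an added example and not oxharden's code: KEV membership is a boolean gate, EPSS orders what is left, CVSS breaks the remaining ties. The sample findings, their scores and the CVE-0000-* identifiers are constructed; only CVE-2023-0464 comes from the page. Using affected-host count as the final tie-breaker is our choice, not something the page states.

```python
"""Rank CVE findings by exploitation evidence before severity: KEV membership,
then EPSS probability, then CVSS base score. Added illustration, not oxharden code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveFinding:
    cve: str
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog
    epss: float     # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    cvss: float     # CVSS base score, 0.0-10.0
    hosts: int      # affected hosts in the fleet (tie-breaker; our assumption)


def rank_key(f: CveFinding):
    """Sort key. Python sorts ascending, so the flag and scores are inverted:
    KEV entries first, then higher EPSS, then higher CVSS, then wider blast radius."""
    return (not f.in_kev, -f.epss, -f.cvss, -f.hosts, f.cve)


def rank(findings):
    return sorted(findings, key=rank_key)


def rank_ids(findings):
    return [f.cve for f in rank(findings)]


def why_first(f: CveFinding) -> str:
    """One-line justification for the position, for a triage queue or a ticket."""
    if f.in_kev:
        return f"{f.cve}: in CISA KEV (exploited in the wild), EPSS {f.epss:.2f}, CVSS {f.cvss}"
    return f"{f.cve}: not in KEV, EPSS {f.epss:.2f}, CVSS {f.cvss}, {f.hosts} hosts"


# Constructed sample. CVE-2023-0464 appears on the page; the CVE-0000-* ids are
# placeholders, and every score here is made up for the illustration.
SAMPLE = [
    CveFinding("CVE-2023-0464", in_kev=False, epss=0.01, cvss=7.5, hosts=212),
    CveFinding("CVE-0000-0001", in_kev=True,  epss=0.05, cvss=6.5, hosts=3),
    CveFinding("CVE-0000-0002", in_kev=True,  epss=0.40, cvss=9.8, hosts=12),
    CveFinding("CVE-0000-0003", in_kev=False, epss=0.60, cvss=5.3, hosts=40),
    CveFinding("CVE-0000-0004", in_kev=False, epss=0.01, cvss=9.8, hosts=8),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(why_first(f))
```

On the sample, a CVSS 6.5 entry that is in KEV lands second, while a CVSS 9.8 entry with a 1% EPSS falls to fourth, behind a CVSS 5.3 with a 60% EPSS: the order that a CVSS-only sort would never produce.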
The surfaces

Four ways to find the same truth.

One agent collects the state. Every surface reads from it: scans, inventory, exposure, and compliance all point back to the same hosts, packages, ports, CVEs, and fixes.

[Screenshot: acme-prod workspace, Scans page. Sidebar: Monitor (Dashboard · Hosts 347 · Packages 2,184 · Ports 4,218 · CVEs 189 · Compliance · Exposure 47 · Scans) · Manage (Enroll host · Organization)]

Scans · ad-hoc and scheduled assessments · last run 6 min ago · [Run ad-hoc] [New schedule]

Active schedules: 4 (1 paused) · Next run: 1h 40m (exposure · 54 hosts) · Coverage: 97% (336 / 347 fresh) · Runs / 24h: 31 (22 scheduled · 9 ad-hoc)

Schedules (cadence · scope · next run)
  CVE     Vulnerability scan       Daily · 02:00 UTC · All hosts · 347         in 4h 12m
  STIG    DISA STIG · RHEL 9       Weekly · Sun 03:00 · tag: production        in 2d 6h
  STIG    CIS Benchmark · L2       Weekly · Sat 04:00 · PCI scope · 118        in 1d 9h
  PORTS   Exposure / port scan     Every 6h · internet-facing · 54             in 1h 40m
  PORTS   Certificate expiry       Daily · 06:00 UTC · All hosts · 347         paused

Recent runs (trigger · result)
  Scan                       Trigger     Hosts   Took     Result
  Vulnerability scan         scheduled   347     2m 11s   12 crit
  STIG · RHEL 9 V2R3         ad-hoc      142     4m 03s   38 fail
  Exposure scan              scheduled   336     1m 47s   47 exposed
  Re-scan · ip-10-20-2-107   ad-hoc      1       0m 08s   clean
  CIS Benchmark · L2         scheduled   118     3m 22s   21 fail
Features by surface

What each surface actually does.

01 · Ad-hoc + scheduled

Scan on a schedule — or the moment you need to.

Set daily vulnerability sweeps, weekly STIG/CIS runs, and frequent exposure checks, each scoped to the hosts that matter. When something changes, re-scan one host, one system, or the whole workspace on demand.

Per-scan cadence scoped by workspace, system, host
Ad-hoc re-scan for one host or the whole fleet
Every run logged with trigger, duration, result, and exportable evidence
02 · Applied ≠ live

“Patched” by version. Still running the vulnerable code.

A package upgraded on disk is not fixed until the services using it restart. A kernel update is not fixed until the host reboots. oxharden tracks applied-vs-live state, so a finding only closes when the vulnerable code is no longer running.

Finds processes still mapped to replaced shared libraries
Flags exposed ports backed by stale packages
Compares running vs installed kernel per host
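Two of those checks, as an added example with constructed /proc/<pid>/maps lines and kernel version strings (not oxharden's agent code): flag executable mappings of files the kernel marks "(deleted)", skipping memfd and device mappings that are always reported deleted, and compare the running kernel against the newest installed kernel package. The numeric kernel comparison is a simplification of rpm version ordering, and the live_scan helper only reads the local /proc when called explicitly.

```python
"""Detect 'applied but not live' state from agent-collected evidence:
(1) executable mappings of files that were replaced on disk, and
(2) a running kernel older than the newest installed kernel package.
Added illustration; the sample data is constructed, not real host output."""
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def stale_mappings(maps_text: str) -> list[str]:
    """Paths of executable mappings whose backing file was unlinked after the
    process started. The kernel appends ' (deleted)' to such paths, which is
    what rpm/dnf causes when it replaces a shared library under a running process."""
    stale = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        if "x" not in perms or not path.endswith(" (deleted)"):
            continue  # non-executable, or the file is still the one on disk
        path = path[: -len(" (deleted)")]
        # memfd and device-backed mappings are always '(deleted)'; they are not
        # replaced packages and would be false positives.
        if not path.startswith("/") or path.startswith(("/memfd:", "/dev/")):
            continue
        if path not in stale:
            stale.append(path)
    return stale


def _kver(s: str) -> tuple:
    # Simplified ordering for kernel NVRs of one distro: compare the numeric
    # fields in order (5.14.0-362.8.1.el9_3 < 5.14.0-427.13.1.el9_4).
    # This is not a full rpmvercmp and is an assumption of this example.
    return tuple(int(x) for x in re.findall(r"\d+", s))


def kernel_reboot_needed(running: str, installed: list[str]) -> tuple[bool, str]:
    """running: `uname -r`; installed: lines from `rpm -q kernel`.
    Returns (reboot_needed, newest_installed_version)."""
    versions = [p[len("kernel-"):] if p.startswith("kernel-") else p for p in installed]
    newest = max(versions, key=_kver)
    return _kver(running) < _kver(newest), newest


def live_scan() -> dict[int, list[str]]:
    """Run the mapping check against the local /proc (root sees every process)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                stale = stale_mappings(fh.read())
        except OSError:
            continue  # process exited, or not ours to read
        if stale:
            report[int(pid)] = stale
    return report


# Constructed evidence: nginx was started before openssl-libs was upgraded,
# sshd was started after. Addresses and inode numbers are made up.
MAPS_SAMPLE = {
    "nginx": (
        "7f3a1c000000-7f3a1c2a0000 r-xp 00000000 fd:00 1312345   /usr/lib64/libssl.so.3.0.7 (deleted)\n"
        "7f3a1c2a0000-7f3a1c4c0000 r-xp 00000000 fd:00 1312346   /usr/lib64/libcrypto.so.3.0.7 (deleted)\n"
        "7f3a1c4c0000-7f3a1c4e0000 rw-p 00200000 fd:00 1312346   /usr/lib64/libcrypto.so.3.0.7 (deleted)\n"
        "7f3a1c500000-7f3a1c6f0000 r-xp 00000000 fd:00 1311111   /usr/lib64/libc.so.6\n"
        "7f3a1c700000-7f3a1c701000 rw-p 00000000 00:00 0\n"
    ),
    "sshd": (
        "7f9b00000000-7f9b00300000 r-xp 00000000 fd:00 1312400   /usr/lib64/libcrypto.so.3.2.2\n"
        "7f9b00400000-7f9b00500000 r-xp 00000000 00:01 40210     /memfd:jit-cache (deleted)\n"
    ),
}


def stale_processes(samples: dict[str, str]) -> dict[str, list[str]]:
    """Process name -> replaced libraries it is still executing."""
    return {name: paths for name, text in samples.items() if (paths := stale_mappings(text))}
```

The finding for nginx stays open until the service restarts, even though `rpm -q openssl-libs` already reports the new version; sshd, started after the upgrade, is clean, and its memfd mapping is correctly ignored.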
03 · Fleet query

Ask the fleet a question. Drill into the answer.

Filter across hosts, packages, ports, CVEs, and compliance results with stacked conditions: distro, severity, exploit status, internet exposure, package name, kernel version, or benchmark. Every result opens into the exact detail page behind it.

Stack filters across hosts, packages, ports, CVEs, and compliance
Drill into host, package, CVE, port, or compliance detail
No duplicate inventories or conflicting scanner views
04 · Ports & exposure

Open is not the same as exposed.

A listener on localhost is not your attack surface. A datastore reachable from the internet is. oxharden maps every socket to its service, TLS posture, certificate state, and real reachability so exposed services rise to the top.

Internet-exposed vs internal, inferred per socket
Cleartext and no-TLS services surfaced explicitly
Expiring and expired certificates flagged per listener
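The classification step, as an added example (not oxharden's logic) over constructed `ss -ltnp` output: each LISTEN socket is mapped to its owning process and its bind address is bucketed as localhost, link-local, internal or internet. A wildcard bind counts as internet-reachable only when the host has a public address, which the agent would take from cloud metadata; whether a firewall or security group blocks the port is not modelled and is assumed open.

```python
"""Classify listening sockets by where they are reachable from, using an
`ss -ltnp` style inventory and the host's network position.
Added illustration with constructed input, not oxharden's own logic."""
import ipaddress
import re
from dataclasses import dataclass

_PROC = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -ltnp` output. Only LISTEN rows are kept; the process column
    is only complete when ss runs as root."""
    out = []
    for line in text.splitlines():
        cols = line.split(None, 5)
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
        if addr == "*":
            addr = "0.0.0.0"                      # older ss prints the wildcard as '*'
        m = _PROC.search(cols[5]) if len(cols) > 5 else None
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        out.append(Listener(addr, int(port), name, pid))
    return out


def classify(addr: str, host_has_public_ip: bool) -> str:
    """'localhost' | 'link-local' | 'internal' | 'internet'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "localhost"
    if ip.is_unspecified:                 # 0.0.0.0 or ::, every interface
        # Reachable from the internet only if the host has a public address;
        # host firewall / security group state is assumed open (not modelled).
        return "internet" if host_has_public_ip else "internal"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:                     # RFC 1918 / ULA
        return "internal"
    return "internet"


def exposure_report(ss_text: str, host_has_public_ip: bool):
    return [(l.port, l.process, classify(l.addr, host_has_public_ip)) for l in parse_ss(ss_text)]


def exposed(ss_text: str, host_has_public_ip: bool):
    """(port, process) for sockets that rank as attack surface."""
    return [(p, n) for p, n, c in exposure_report(ss_text, host_has_public_ip) if c == "internet"]


# Constructed `ss -ltnp` output; pids and processes are made up.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1234,fd=6),("nginx",pid=1235,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=2201,fd=5))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=901,fd=3))
LISTEN  0       128     10.20.2.107:9100     0.0.0.0:*          users:(("node_exporter",pid=3301,fd=3))
LISTEN  0       4096    [::1]:6379           [::]:*             users:(("redis-server",pid=2500,fd=6))
"""
```

Five ports are open; on a host with a public address two of them are exposed (443 and 22), the datastores on loopback are not, and the metrics exporter bound to a private address is internal. On a host with no public address the same five listeners produce zero exposed findings.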
Compliance

Every benchmark, every host — continuously evaluated.

Stop treating hardening as a quarterly audit. oxharden evaluates every host against CIS, DISA STIG, and PCI on schedule, scores results by severity, and shows expected vs actual evidence for every rule.

05 · STIG · CIS · PCI

A live posture score, not a stale PDF.

Each rule is evaluated per host, so you know what is passing, what is failing, and exactly which systems need attention first. Severity-weighted scoring surfaces CAT I failures ahead of cosmetic gaps, with remediation guidance attached to the finding.

DISA STIG, CIS, and PCI-DSS evaluated continuously
Per-rule pass/fail with CAT I-III severity weighting
Expected vs actual evidence for every rule
Copyable Bash or Ansible remediation where available
Export evidence to CSV, JSON, or host-level CKL
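What a per-rule evaluation with severity weighting looks like, as an added example and not oxharden's engine: five constructed rules with illustrative CAT assignments and remediation strings are checked against constructed host evidence, every result carries its expected and found values, and the weights in WEIGHT are an assumption chosen so that one CAT I failure outweighs several CAT III gaps. The rule ids are placeholders, not STIG or CIS identifiers.

```python
"""Evaluate hardening rules per host with expected-vs-found evidence and a
severity-weighted score. Added illustration; rule ids, severities, weights and
the host evidence are constructed, not taken from a real STIG or CIS benchmark."""
from dataclasses import dataclass

# Weights are our assumption: a CAT I failure should dominate several CAT III gaps.
WEIGHT = {1: 10, 2: 4, 3: 1}


@dataclass(frozen=True)
class Rule:
    id: str
    title: str
    cat: int        # DISA severity category: 1 (high) .. 3 (low)
    kind: str       # which evidence the check reads
    key: str
    expected: str
    fix: str = ""   # copyable remediation, where one exists


RULES = [
    Rule("R-01", "telnet-server package must not be installed", 1,
         "package_absent", "telnet-server", "absent", "dnf -y remove telnet-server"),
    Rule("R-02", "sshd must not permit root login", 2,
         "sshd", "PermitRootLogin", "no",
         "printf 'PermitRootLogin no\\n' > /etc/ssh/sshd_config.d/50-no-root.conf && systemctl restart sshd"),
    Rule("R-03", "ASLR must be enabled", 2,
         "sysctl", "kernel.randomize_va_space", "2", "sysctl -w kernel.randomize_va_space=2"),
    Rule("R-04", "IP forwarding must be disabled", 2,
         "sysctl", "net.ipv4.ip_forward", "0", "sysctl -w net.ipv4.ip_forward=0"),
    Rule("R-05", "login banner must be configured", 3,
         "file_nonempty", "/etc/issue", "non-empty"),
]

# Constructed evidence, shaped like what a read-only agent would collect.
HOST = {
    "packages": {"openssl", "openssh-server", "telnet-server"},
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "sysctl": {"kernel.randomize_va_space": "2", "net.ipv4.ip_forward": "0"},
    "files": {"/etc/issue": "Authorized use only.\n"},
}


def observe(rule: Rule, host: dict) -> str:
    """Return the 'found' value for a rule, in the same vocabulary as 'expected'."""
    if rule.kind == "package_absent":
        return "absent" if rule.key not in host["packages"] else "installed"
    if rule.kind == "sshd":
        # An unset directive is reported as such, not as its compile-time default:
        # the benchmark wants the setting stated explicitly.
        return host["sshd"].get(rule.key, "<unset>")
    if rule.kind == "sysctl":
        return host["sysctl"].get(rule.key, "<unset>")
    if rule.kind == "file_nonempty":
        return "non-empty" if host["files"].get(rule.key, "").strip() else "empty"
    raise ValueError(f"unknown check kind {rule.kind}")


def evaluate(rules, host):
    results = []
    for r in rules:
        found = observe(r, host)
        results.append({"id": r.id, "cat": r.cat, "title": r.title,
                        "expected": r.expected, "found": found,
                        "pass": found == r.expected, "fix": r.fix})
    return results


def pass_rate(results) -> float:
    """Unweighted percentage of rules passing: what a plain checklist reports."""
    return round(100 * sum(r["pass"] for r in results) / len(results), 1)


def weighted_score(results) -> float:
    """Severity-weighted percentage: CAT I gaps pull the score down hardest."""
    total = sum(WEIGHT[r["cat"]] for r in results)
    earned = sum(WEIGHT[r["cat"]] for r in results if r["pass"])
    return round(100 * earned / total, 1)


def failures(results):
    """Open findings, highest severity first, so CAT I sits at the top of the queue."""
    return sorted((r for r in results if not r["pass"]), key=lambda r: (r["cat"], r["id"]))
```

The constructed host passes three of five rules (60%), but because the two failures are the CAT I and a CAT II rule the weighted score is 39.1%, and the telnet-server finding heads the queue with its remediation attached.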
Supported OS

Built for enterprise Linux fleets.

Full enterprise-distro coverage across major versions, matched against per-distro vendor advisories instead of guessed from CPE strings.

Distribution                          Major versions covered: 8 · 9 · 10
  RHEL (Red Hat Enterprise Linux)
  Rocky Linux (rocky)
  AlmaLinux (almalinux)
  Oracle Linux (oraclelinux)
  Amazon Linux (amazonlinux)          2023

A distro with no vulnerability feed loaded is treated as a blind spot, never as "clean."
Debian / Ubuntu: on the roadmap
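Why advisory matching beats version-string matching, as an added example and not oxharden's matcher: enterprise distros backport fixes without bumping the upstream version, so an installed `1:3.0.7-24.el9` looks affected when its upstream version is compared with an upstream fixed version, and correct when its full epoch:version-release is compared with the advisory's fixed-in EVR. The `rpmvercmp` below re-implements rpm's ordering (tilde, caret, numeric-versus-alpha segments); the advisory feed, its EVRs and the CVE-0000-0001 id are placeholders, and a distro with no feed loaded returns "unknown" rather than "fixed".

```python
"""Decide whether an installed RPM is affected by a CVE the way a per-distro
advisory does: compare the full epoch:version-release against the advisory's
fixed-in EVR with rpm's own ordering, instead of comparing upstream version
numbers. Added illustration; the advisory values below are placeholders, not
real RHSA data, and rpmvercmp is re-implemented here from rpm's algorithm."""


def _take(s: str, k: int, pred) -> str:
    end = k
    while end < len(s) and pred(s[end]):
        end += 1
    return s[k:end]


def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                      # separators such as '.', '-', '_' are skipped
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":      # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":      # caret sorts after end of string, before anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        if not sb:                      # different segment types: numeric beats alpha
            return 1 if isnum else -1
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # the longer number is the larger one
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """'1:3.0.7-24.el9' -> (1, '3.0.7', '24.el9'); a missing epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed advisory feed: distro -> package -> CVE -> fixed-in EVR.
# The CVE id and the EVRs are placeholders for the illustration.
ADVISORIES = {
    "rhel9": {"openssl": {"CVE-0000-0001": "1:3.0.7-20.el9"}},
}


def upstream_says_affected(installed_evr: str, fixed_upstream: str) -> bool:
    """What a CPE/upstream-version match concludes (it cannot see backports)."""
    _, version, _ = parse_evr(installed_evr)
    return rpmvercmp(version, fixed_upstream) < 0


def advisory_says(distro: str, package: str, installed_evr: str, cve: str) -> str:
    feed = ADVISORIES.get(distro)
    if feed is None:
        return "unknown"              # no feed for this distro: a blind spot, not 'clean'
    fixed = feed.get(package, {}).get(cve)
    if fixed is None:
        return "no-fix-published"
    return "affected" if compare_evr(installed_evr, fixed) < 0 else "fixed"
```

With the placeholder feed, `openssl-1:3.0.7-24.el9` is "affected" by the upstream check (3.0.7 < 3.0.9) and "fixed" by the advisory check (release 24 ≥ 20), while `1:3.0.7-16.el9` is correctly "affected" by both; the same query against a distro with no feed returns "unknown".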
Feature catalog

Everything the agent makes possible.

One read-only agent collects the host state behind inventory, vulnerabilities, exposure, compliance, and remediation guidance.

Ad-hoc & scheduled scans

Run an assessment when you need an answer, or schedule recurring vulnerability, compliance, and exposure scans. Every run records trigger, duration, status, and scope.

on-demand · scheduled · auditable
Applied ≠ live detection

Find patched packages that are still running vulnerable code: stale shared libraries, kernels awaiting reboot, and exposed services backed by outdated processes.

restart · reboot · exclusive
Fleet-wide search & filters
Stack filters across hosts, packages, ports, CVEs, and compliance results.
Host detail pages
Packages, ports, CVEs, compliance, and pending restarts per host.
Package detail pages
Installed versions, affected hosts, related CVEs, and the upgrade that closes them.
CVE detail pages
KEV, EPSS, CVSS, affected hosts, fixed-in versions, and distro advisories.
Port & socket inventory
TCP/UDP listener, owning service, TLS state, and internet exposure per socket.
Certificate tracking
Expiring and expired certificates flagged on listening TLS services.
Compliance scans
DISA STIG, CIS, and PCI evaluated per host with expected vs actual evidence.
Roles & access
Scoped roles for who can scan, view findings, manage exceptions, and export evidence.
User audit log
Every important action attributed: who did what, when, and where.
Evidence export
CSV and JSON exports, plus host-level DISA checklist .ckl for compliance evidence.
Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

The live demo needs no signup and no agent. Or book a guided demo with our team.
install.sh (example session)

  curl -fsSL https://packages.executepath.dev/install.sh \
    | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash

  agent enrolled · ip-10-20-2-107
  inventory synced · 410 packages · 4 ports
  first scan complete · 12 critical · 19 vulnerable pkgs