For Security Auditors

Your audit passed Friday.
The fleet drifted by Monday.

A point-in-time assessment is stale the moment a host drifts. oxharden continuously evaluates your CIS or DISA STIG baseline across the Linux fleet — so posture means right now, not last quarter.

Running a regulated or large fleet? Talk to sales →
Compliance evidence · DISA STIG · RHEL 9 V2R3 · current
Scope: 347 hosts · Coverage: continuous · Score: 87.4% · Generated: 8.1s

…255045  SSH daemon must not permit root logon          PASS · 347
…671010  OS must implement FIPS-validated encryption    FAIL · 41
…611045  Passwords must be ≥ 15 characters              PASS · 347
…213015  kernel.dmesg_restrict must be set to 1         WAIVED · 12
…654040  Audit system must record privileged commands   PASS · 335

scan: 2026-06-14 · expected vs actual
Built for enterprise Linux
RHEL · Rocky · AlmaLinux · Oracle Linux · Amazon Linux 2023 · CIS · DISA STIG
Why auditors switch

Audits should not be archaeology.
Keep the evidence current.

01 · Point-in-time expires

Compliant Friday. Drifted by Monday.

An assessment is stale the moment a sysadmin edits a config or a package update reverts a setting. oxharden re-evaluates the active baseline as hosts report in, so your posture is a live number — not a quarterly snapshot you hope still holds.

Chart: posture over the last 90 days, 81.2%, down 6.4 since audit sign-off; hosts within tolerance vs drifted out, caught on each check-in.
02 · Evidence on demand

Expected vs actual, without the fire drill.

Stop the pre-assessment scramble for screenshots and spreadsheets. Every compliance result carries the rule, expected configuration, current configuration, evidence summary, host scope and scan timestamp — exportable as CSV/JSON, with CKL for host-level STIG review.

stig-rhel9-checklist.ckl · host checklist · CKL
compliance-current.json · current state · JSON
control-results.csv · workspace export · CSV
generated from latest compliance state, vs ~3 weeks of screenshots
03 · No hidden assumptions

Unknown never counts as compliant.

Unassessed hosts, missing policy coverage and manual-review checks stay visible. oxharden does not quietly count gaps as passes, which makes the posture easier to defend when someone asks what was actually evaluated.

Exception approved · RHEL-09-213015 · K. Mehta (CISO) · 2026-05-02 · expires in 90d
Remediation staged · RHEL-09-255045 · automation · 2026-05-04 · 142 hosts
Waiver expired → control re-opened · system · 2026-06-01 · auto
Evidence exported · DISA STIG checklist · J. Okafor (auditor) · 2026-06-05 · CSV / CKL
From enrolment to evidence

Current-state evidence, without the scramble.

No appliance and no checklist spreadsheet. Enroll a host and oxharden starts evaluating applicable controls from the same local state it uses for packages, ports and CVEs.

STEP 01
Choose the baseline
Set CIS or DISA STIG as the active baseline and oxharden evaluates the applicable rules across the fleet — no manual checklist to maintain.
STEP 02
Watch posture, live
Per-rule pass, fail, not applicable and manual-review states per host. Drill from a score down to the exact failing box and the evidence behind it.
STEP 03
Export the evidence
Generate CSV or JSON from the current posture, or a CKL checklist for host-level STIG review, scoped to the workspace, scan batch or host.
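A minimal evaluator, added here as an example and not oxharden's own code, showing the scoring rule from the "No hidden assumptions" passage and the three steps above: a fact that was never collected becomes UNASSESSED, manual-review rules are never averaged into pass/fail, and every record carries expected, actual and scan timestamp ready for JSON export. Rule ids, fact keys and host state are constructed for illustration.

```python
"""Added example (not oxharden's code): evaluator keeping "unknown never counts
as compliant". Rule ids, fact keys and host state are constructed."""
import json
from datetime import datetime, timezone

# Assumed baseline: rule id -> (collected fact key, required value).
BASELINE = {
    "RHEL-09-255045": ("sshd.PermitRootLogin", "no"),
    "RHEL-09-213015": ("sysctl.kernel.dmesg_restrict", "1"),
    "RHEL-09-611045": ("pwquality.minlen", "15"),
}
# Rules needing a human decision; never auto-scored (assumed id).
MANUAL_REVIEW = ("RHEL-09-654040",)

def evaluate(host, facts, waivers=(), scanned_at=None):
    """One evidence record per rule: expected vs actual, status, scan time."""
    scanned_at = scanned_at or datetime.now(timezone.utc).isoformat()
    records = []
    for rule, (key, expected) in BASELINE.items():
        actual = facts.get(key)          # None = fact was never collected
        if rule in waivers:
            status = "WAIVED"
        elif actual is None:
            status = "UNASSESSED"        # a gap, never a pass
        elif actual == expected:
            status = "PASS"
        else:
            status = "FAIL"
        records.append({"host": host, "rule": rule, "status": status,
                        "expected": expected, "actual": actual, "scanned_at": scanned_at})
    for rule in MANUAL_REVIEW:
        records.append({"host": host, "rule": rule, "status": "MANUAL_REVIEW",
                        "expected": "human decision", "actual": None, "scanned_at": scanned_at})
    return records

def score(records):
    """Score PASS against PASS+FAIL only; every other status is returned as a
    gap entry so waivers, manual review and unassessed rules stay visible."""
    passed = sum(r["status"] == "PASS" for r in records)
    failed = sum(r["status"] == "FAIL" for r in records)
    gaps = [r["rule"] + ":" + r["status"] for r in records
            if r["status"] not in ("PASS", "FAIL")]
    pct = round(100.0 * passed / (passed + failed), 1) if passed + failed else 0.0
    return pct, gaps

def export_json(records):
    """Current-state evidence as JSON, one record per rule per host."""
    return json.dumps(records, indent=2, sort_keys=True)
```

A host with no collected facts scores 0.0 with every rule listed as a gap, which is the behaviour the page describes for unassessed hosts.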
What auditors get

Built for the people who sign the report.

Continuous baseline evaluation
Your active CIS or DISA STIG baseline is re-evaluated as hosts report. "Compliant" means now — not at last quarter's snapshot.
Expected vs actual evidence
Each result keeps the required configuration, current configuration, evidence summary and scan timestamp, so findings explain themselves.
Manual review is explicit
Rules that need a human decision are marked as manual review and never disappear into a pass/fail average.
Coverage gaps stay visible
Unassessed hosts, stale agents and missing policy coverage are called out as gaps, not treated as clean systems.
Framework views on demand
Score the same collected evidence against CIS, DISA STIG and regulatory profiles where policy content exists, without collecting host state again.
Exportable review packages
Export CSV or JSON for workspace and scan review, plus CKL checklists for host-level STIG workflows where applicable.
One evaluation, many catalogs

The frameworks you report against.

The agent collects host state once. The platform can score that evidence against the active baseline and other available profiles without asking the host to collect the same facts again.

DISA STIG · RHEL 9 V2R3
Per-rule CAT I–III evaluation for RHEL 8–10 and the RPM family, kept current with each release.
CIS Benchmarks · v2.0.0
Level 1 & 2 benchmark checks mapped to the same continuous evaluation engine.
NIST 800-53 · mapped
Profile scoring can reuse the same host evidence where NIST-aligned policy content is loaded.
PCI-DSS · HIPAA · CUI · on demand
Run regulatory views on demand where the benchmark profile is available for the host OS.
current · posture by rule
CSV+JSON · workspace exports
CKL · host STIG checklist
0 · screenshots required
Start free trial

Walk into your next audit with current evidence, not stale screenshots.

Enroll one host, choose a baseline, and see expected vs actual rule evidence start filling in. 14-day free trial for up to 30 hosts — no card.

Assessing a regulated or large estate? Talk to sales →
FAQ

The questions auditors ask first.

Every compliance result includes the benchmark, rule, host scope, status, expected configuration, current configuration, evidence summary and scan timestamp. It is stronger than a screenshot because it shows what was checked and what the system reported at scan time.

DISA STIG and CIS Benchmarks are the primary continuous baselines. Regulatory profiles such as PCI-DSS, HIPAA, NIST and CUI can be evaluated where the matching benchmark profile exists for the host OS.

Yes. The compliance views and exports are scoped by workspace, scan batch and host, so you can show the systems in scope without mixing them with unrelated fleet data. The agent itself is read-only during evaluation.

They stay visible. Manual-review rules are marked clearly, and unassessed hosts or missing policy coverage are treated as gaps in posture, not silently counted as passing.

The product is designed around local collection and feed-driven evaluation, so self-hosted or offline enterprise deployments are a clean requirements path. If that is a hard requirement, it belongs in the Enterprise conversation.

CSV and JSON for current posture and scan-batch findings, plus CKL for host-level STIG checklist review where applicable. Additional auditor formats can be scoped with Enterprise reporting requirements.