Know your compliance posture before the audit does.
Choose CIS or DISA STIG as your baseline, and oxharden continuously evaluates every applicable rule across your Linux fleet. The same evidence can be scored against PCI, HIPAA, and NIST on demand, giving teams a clear view of gaps, drift, and remediation priority.
A passed audit is a snapshot. Drift starts the next day. A host changes, a new server joins unbaselined, and yesterday's compliance score is already stale. oxharden continuously evaluates your fleet against its baseline and lets you rescore the same evidence against PCI, HIPAA, NIST, CIS, or DISA STIG on demand.
Compliance that does not go stale.
Your audit result is only true until the fleet changes. oxharden runs your baseline continuously, catches drift from sysctls, services, file permissions, and boot settings, and shows how each change affects your compliance score over time.
Collect once. Prove more than one standard.
oxharden turns one host-state collection into evidence for multiple compliance views. Run CIS or DISA STIG continuously, then rescore applicable systems against PCI-DSS, HIPAA, and NIST-aligned profiles whenever the business asks.
Fix the rule, close the evidence gap.
Every finding shows what failed, what the system has now, and the safest available next step. Apply copyable Bash or Ansible remediation where available, document exceptions when policy differs, and reduce repeated work when the same control appears across multiple frameworks.
# Task excerpt from a larger play; "reload sshd" is a handler defined in that play.
- name: CIS 5.2.1 — disable root SSH logon
  ansible.builtin.copy:
    # The drop-in is read only if sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf"
    dest: /etc/ssh/sshd_config.d/50-cis.conf
    content: "PermitRootLogin no\n"
  notify: reload sshd
  tags: [cis_l1, stig, rollback]
Evidence an auditor can actually use.
Every rule keeps the check result, expected configuration, observed configuration, and scan timestamp. Findings show what was evaluated, what passed, what failed, and which hosts still need assessment. Unassessed hosts are called out explicitly, never quietly counted as compliant. Exports for OSCAL, STIG checklists, CSV, and PDF evidence packages are planned.
From host state to defensible score.
Collect
The agent reads local configuration state: sysctl, file modes, PAM and password policy, systemd services, auditd rules, mount options, and more. Read-only, no remote credentials.
Evaluate
oxharden checks that state against your org baseline and applicable on-demand benchmarks using SCAP/OVAL definitions, curated CIS and DISA content, and policy overrides.
Report & Remediate
Findings roll up into a severity-weighted score with per-rule evidence, expected vs. observed configuration, and copyable remediation for hosts that fail.
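The Collect, Evaluate and Report steps above, as an added worked example in Python. This is illustrative code written for this page, not oxharden's agent, rule content or scoring formula. The rule ids (ex-*), severity weights, remediation strings and per-host state are constructed for the demonstration and are not CIS or STIG identifiers; the state dict stands in for what a read-only collector would report, and a host with no collection at all is reported as unassessed rather than scored.

```python
"""Minimal collect -> evaluate -> report pipeline (illustrative, not oxharden's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weights for the score


@dataclass(frozen=True)
class Rule:
    rule_id: str        # constructed ids, not CIS/STIG rule numbers
    title: str
    kind: str           # "sysctl" | "file_mode" | "service"
    key: str            # sysctl name, file path, or systemd unit
    expected: Any
    severity: str
    remediation: str    # copyable fix; shown on failure, never applied automatically


RULES = [
    Rule("ex-sysctl-01", "IPv4 forwarding disabled", "sysctl",
         "net.ipv4.ip_forward", "0", "medium", "sysctl -w net.ipv4.ip_forward=0"),
    Rule("ex-sysctl-02", "ASLR fully enabled", "sysctl",
         "kernel.randomize_va_space", "2", "high", "sysctl -w kernel.randomize_va_space=2"),
    Rule("ex-file-01", "sshd_config not group/world readable", "file_mode",
         "/etc/ssh/sshd_config", 0o600, "medium", "chmod 0600 /etc/ssh/sshd_config"),
    Rule("ex-svc-01", "auditd enabled", "service",
         "auditd", "enabled", "high", "systemctl enable --now auditd"),
]


def check(rule: Rule, observed: Any) -> bool:
    """Compare one observed value with the rule's expectation."""
    if rule.kind == "file_mode":
        # pass only if no permission bit outside the expected mask is set
        return ((observed & 0o777) & ~rule.expected) == 0
    return observed == rule.expected


def evaluate_host(host: str, state: Optional[Dict[str, Dict[str, Any]]],
                  rules: List[Rule], now: Optional[datetime] = None) -> Dict[str, Any]:
    """Evaluate one host's collected state. No collection at all -> host is 'unassessed'."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if state is None:
        return {"host": host, "status": "unassessed", "score": None,
                "findings": [], "scanned_at": ts}
    findings, earned, possible = [], 0, 0
    for r in rules:
        observed = state.get(r.kind, {}).get(r.key)  # None: collector could not read it
        if observed is None:
            status = "unassessed"  # not a pass, and excluded from the denominator
        else:
            status = "pass" if check(r, observed) else "fail"
            weight = SEVERITY_WEIGHT[r.severity]
            possible += weight
            earned += weight if status == "pass" else 0
        findings.append({
            "rule_id": r.rule_id, "title": r.title, "severity": r.severity,
            "status": status, "expected": r.expected, "observed": observed,
            "remediation": r.remediation if status == "fail" else None, "scanned_at": ts,
        })
    score = round(100 * earned / possible, 1) if possible else None
    return {"host": host, "status": "assessed", "score": score,
            "findings": findings, "scanned_at": ts}


def fleet_summary(results: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Roll up per-host results; unassessed hosts are listed, never averaged in as compliant."""
    assessed = [r for r in results if r["status"] == "assessed" and r["score"] is not None]
    return {
        "hosts_assessed": len(assessed),
        "hosts_unassessed": [r["host"] for r in results if r["status"] != "assessed"],
        "fleet_score": round(sum(r["score"] for r in assessed) / len(assessed), 1) if assessed else None,
        "open_failures": sum(1 for r in assessed for f in r["findings"] if f["status"] == "fail"),
    }


# Constructed sample collections standing in for what a read-only agent would report.
SAMPLE_STATE = {
    "web-01": {"sysctl": {"net.ipv4.ip_forward": "0", "kernel.randomize_va_space": "2"},
               "file_mode": {"/etc/ssh/sshd_config": 0o644},  # drifted: group/world readable
               "service": {"auditd": "enabled"}},
    "web-02": {"sysctl": {"net.ipv4.ip_forward": "1"},       # randomize_va_space not collected
               "file_mode": {"/etc/ssh/sshd_config": 0o600},
               "service": {"auditd": "disabled"}},
    "web-03": None,                                          # joined the fleet, never scanned
}


def run_demo():
    results = [evaluate_host(host, state, RULES) for host, state in SAMPLE_STATE.items()]
    return results, fleet_summary(results)


if __name__ == "__main__":
    results, summary = run_demo()
    for r in results:
        failed = [f["rule_id"] for f in r["findings"] if f["status"] == "fail"]
        print(r["host"], r["status"], r["score"], "failed:", failed)
    print(summary)
```

Running it scores web-01 at 80.0 (one medium-severity file-mode failure), web-02 at 28.6 with one rule left unassessed because the collector returned nothing for it, and lists web-03 as unassessed instead of folding it into the fleet average. The denominator only counts rules that were actually evaluated, which is what keeps an unassessed rule or host from reading as compliant.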
The technical details, up front.
No black box. Here's what the agent inspects, which content it evaluates against, and how compliance is scored.
Compliance is only one use of the agent.
Launch your first scan in minutes.
Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.
curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash
✓ inventory synced · 410 packages · 4 ports
✓ first scan complete · 12 critical · 19 vulnerable pkgs
Compliance Scanning, Answered
A benchmark tool gives you a score for the moment it runs. oxharden evaluates your baseline continuously, so when a host drifts after an audit, a sysctl changes, a service is re-enabled, or a new server joins unbaselined, the gap shows up before the next assessment.
The agent collects host configuration state once. oxharden evaluates that evidence against your org baseline (CIS or DISA STIG) and can rescore applicable hosts against PCI-DSS, HIPAA, and NIST-aligned profiles on demand. You can compare frameworks without reinstalling agents or recollecting the same host state.
The baseline is the standard oxharden evaluates on schedule and uses for your primary compliance score. Most teams choose CIS Level 1 for a practical hardening baseline or DISA STIG for regulated/DoD-aligned environments. Other applicable frameworks can be run on demand for comparison.
Evaluation is read-only — the agent inspects local configuration and does not modify the host. Remediation is opt-in: findings can include copyable Bash or Ansible examples where a safe fix is available, and your team decides when and how to apply them.
Each rule keeps the result, expected configuration, observed configuration, benchmark version, host identity, and scan timestamp. Unassessed hosts are called out explicitly instead of being counted as compliant. Formal export packages such as OSCAL, CKL, CSV, or PDF are planned post-MVP.
oxharden focuses on Linux hosts, including RHEL-compatible distributions and Amazon Linux 2023. Benchmark availability depends on the OS and version; Scan Now only shows frameworks that apply to the selected workspace or system.
Yes. Teams can document exceptions for controls that are not applicable or intentionally handled another way. Exceptions should preserve the audit trail so reviewers can see what was excluded, why, and at what scope.
No. The agent runs locally on the host and reports collected state back to oxharden. It does not need SSH keys, shared admin credentials, or remote command execution from the control plane.