Platform/ Hosts

A live inventory you can trust.

Every Linux host reports its kernel, packages, ports, vulnerabilities, compliance posture, and freshness. Search across the fleet, spot stale or missing systems, and open any host for the complete picture.

Start free trial Explore the live demo

347

hosts on one pane

586 pkgs

indexed per host

check-in interval

acme-prod / hosts

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › Hosts

Search hosts, packages, CVEs…⌘K

Hosts

Show retiredRefreshColumns

+os.family = rhel AND package = openssl/

Hostname	OS	Agent	CVEs	Ports	Compliance
ip-10-20-1-200us-east-2a	RHEL 10.1	online39s	332 crit	8	94%
ip-10-20-2-85us-east-2b	Rocky 8.9	stale3d	516 crit	12	78%
ip-10-20-3-181us-east-2c	Oracle 9.7	online4m	241 crit	6	88%
ip-10-20-2-206us-east-2b	Amazon 2023	online1m	11clean	4	—
ip-10-20-1-238us-east-2a	AlmaLinux 9.8	online46s	393 crit	9	65%
ip-10-20-0-31us-east-2c	RHEL 9.7	stale2d	241 crit	5	96%

Inventory is not a spreadsheet. oxharden keeps a live record of every host, its software, exposure, vulnerabilities, and compliance posture, so blind spots are visible before they become incidents.

01 · One pane for the fleet

Your Linux fleet, queryable at a glance.

Hostname, primary IP, distro, agent health, CVE breakdown, package state, and compliance posture on one row per host. Online, stale, and retired are explicit states, so the inventory tells you what is known, what changed, and what needs follow-up.

CVE counts split by severity: critical, high, medium, low

Agent health and last-seen timestamp on every row

Compliance score surfaced inline per host

acme-prod / hosts

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › Hosts

Search hosts, packages, CVEs…⌘K

Hosts

Show retiredRefreshColumns

+os.family = rhel AND package = openssl/

Hostname	OS	Agent	CVEs	Ports	Compliance
ip-10-20-1-200us-east-2a	RHEL 10.1	online39s	332 crit	8	94%
ip-10-20-2-85us-east-2b	Rocky 8.9	stale3d	516 crit	12	78%
ip-10-20-3-181us-east-2c	Oracle 9.7	online4m	241 crit	6	88%
ip-10-20-2-206us-east-2b	Amazon 2023	online1m	11clean	4	—
ip-10-20-1-238us-east-2a	AlmaLinux 9.8	online46s	393 crit	9	65%
ip-10-20-0-31us-east-2c	RHEL 9.7	stale2d	241 crit	5	96%

02 · Filter like a query

Slice the fleet by any property.

Filter by OS family, agent status, installed package, CVE, kernel version, open port, tag, or cloud account, then compose conditions with AND. Answer “which RHEL hosts still have a vulnerable OpenSSL package?” and act on exactly that set.

Filter on OS, kernel, package, port, CVE, tag, or cloud account

Compose conditions such as os.family = rhel AND pkg = openssl

Use the filtered set to scope scans, fixes, and review

FILTERtype a property, compose with AND

os.family = rhel ✕crit_cves > 0 ✕pkg = openssl ✕

4hosts match · narrowed from 347

ip-10-20-1-200.us-east-2…RHEL 10.1

ip-10-20-0-31.us-east-2…RHEL 9.7

ip-10-20-2-85.us-east-2…Rocky 8.9

ip-10-20-1-238.us-east-2…AlmaLinux 9.8

03 · The whole host, in one view

Open any host for the full picture.

OS, kernel, cloud metadata, agent health, packages, ports, CVEs, and compliance in one place. Drill from a host into the exact findings that affect it, then see the fixes ranked by what they retire.

Installed packages, ports, CVEs, and compliance in one host view

Findings tied back to the affected package, port, or rule

Remediation guidance grouped by the work required

acme-prod / hosts / ip-10-20-1-200

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › Hosts

Search hosts, packages, CVEs…⌘K

OverviewPackages586Ports2CVEs5.7kCompliance

Critical CVEs

213

of 5.6k total

Reboot required

kernel current

Services to restart

none

Pending updates

141785

Vulnerable pkgs

of 586 indexed

TOP REMEDIATIONS· grouped by package · ranked by fixability + exploitability

ACT NOW· upgrade available12

libsmbclientMINOR

2 critclears 2EPSS 0.00

4.22.4-121.el10_1 → 0:4.23.5-109.el10_2

samba-client-libsMINOR

2 critclears 2EPSS 0.00

4.22.4-121.el10_1 → 0:4.23.5-109.el10_2

libwbclientMINOR

2 critclears 2EPSS 0.00

4.22.4-121.el10_1 → 0:4.23.5-109.el10_2

samba-common-libsMINOR

2 critclears 2EPSS 0.00

4.22.4-121.el10_1 → 0:4.23.5-109.el10_2

unbound-libsMINOR

1 critclears 1EPSS 0.00

1.20.0-18.el10_1 → 0:1.24.2-7.el10_2.1

kernelPATCH

3 critclears 3EPSS 0.00

6.12.0-124.56.1.el10_1 → 0:6.12.0-211.18.1.el10_249 without fix

kernel-modulesPATCH

2 critclears 2EPSS 0.00

6.12.0-124.56.1.el10_1 → 0:6.12.0-211.18.1.el10_232 without fix

04 · Applied ≠ live

See what still needs a restart or reboot.

A package can be fixed on disk while vulnerable code keeps running in memory: a shared library updated while a long-lived process still maps the old copy, or a kernel update waiting for reboot. oxharden shows the host-level follow-up needed to make the fix active.

Detects processes still mapped to replaced shared libraries

Copyable systemctl restart commands for affected services

Compares running and installed kernels for reboot needs

acme-prod / hosts / ip-10-20-2-85

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › Hosts

Search hosts, packages, CVEs…⌘K

ip-10-20-2-85.us-east-2.compute.internalonline

Rocky Linux 8.9 · packages updated on disk · 8 still mapped into running services

Restart all

Processes pending restart · 8 packages · 14 processescopyable per service

systemd library3 procs · still map ld-linux-x86-64.so.2 +7$ sudo systemctl restart init.scope systemd-logind.service

dbus-broker library2 procs · still map ld-linux-x86-64.so.2 +4$ sudo systemctl restart dbus-broker.service

NetworkManager library2 procs · still map libnm-device-plugin-team.so +18$ sudo systemctl restart NetworkManager-dispatcher.service

gnupg2 library2 procs · still map ld-linux-x86-64.so.2 +1$ sudo systemctl restart session-1.scope

rsyslog library1 proc · still map ld-linux-x86-64.so.2 +2$ sudo systemctl restart rsyslog.service

Listening ports2 · traced to package

Port	Process	Package	State
:22	sshd	openssh-server 8.7p1	listening
:5432	postgres	postgresql-server 13.7	listening

How it works

From enrolled agent to live fleet record.

Enroll

Install the read-only agent on each Linux host. It registers to your workspace, receives scan policy, and reports over an outbound connection. No inbound access or stored host credentials required.

rpmcloud-initoutbound only

Inventory

The agent collects the state that matters: packages, kernel, listening ports, running processes, cloud metadata, and compliance evidence. Each check-in refreshes the host record.

rpmdb/procsskernel

Assess & Rank

oxharden turns host state into ranked work: exploitable CVEs, reachable services, compliance gaps, and the fixes that retire the most risk.

KEVEPSSCISDISA STIG

Under the hood

Exactly what the agent records.

No black box. Here's what each host reports, how freshness is tracked, and how the fleet becomes searchable.

Inventory captured

OS and kernel, installed packages, listening ports, running processes, mapped libraries, cloud metadata, and compliance evidence.

Per-host indexing

Packages, ports, CVEs, compliance findings, and host metadata are indexed per host and matched to that host's exact distro and version.

Filterable properties

os.familykernelpackageportcvecomplianceagent.statuscloud.accounttag

Check-in cadence

Agents report on schedule, with full inventory refreshed on schedule or on demand. Stale agents are flagged, never silently trusted.

Applied vs live detection

Mapped libraries are detected through open file handles; running kernel is compared with the installed kernel per host.

Agent footprint

Read-only collection, outbound-only communication, small binary footprint. Evaluation does not change host configuration.

Supported distros

RHEL 8 / 9 / 10RockyAlmaLinuxOracle LinuxAmazon Linux 2023

Export / API

JSON, CSV, and a read-only API.

The rest of the platform

One agent. One fleet record. Every risk view.

Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

Explore the live demo Start free

No signup, no agent, or book a guided demo with our team.

install.sh

curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash

✓ agent enrolled · ip-10-20-2-107
✓ inventory synced · 410 packages · 4 ports
✓ first scan complete · 12 critical · 19 vulnerable pkgs

FAQ

Host inventory, answered.

OS and kernel, installed packages with full NEVRA, listening ports and their owning processes, mapped shared libraries, cloud metadata, and compliance evidence. Collection is read-only: the agent reads local state and checks in over an outbound connection.

Agents check in on schedule and refresh inventory on schedule or on demand. The fleet table shows last-seen status per host, and agents that stop reporting are flagged as stale instead of being shown as healthy.

Captured host properties such as OS family, kernel version, installed package, listening port, CVE, compliance status, agent status, cloud account, or tag. Conditions compose with AND, so you can isolate questions like \u201cRHEL hosts with a critical OpenSSL CVE\u201d in one line.

Findings are grouped by the work required: package upgrade, service restart, reboot, or compliance remediation. Where version data is available, oxharden shows the target package version and the risk retired by that fix. Findings without an available fix stay visible instead of being hidden.

No. The agent does not require inbound access, domain membership, or host credentials. It works over outbound check-in and can inventory cloud or on-prem Linux hosts.

It becomes stale. oxharden keeps the last known inventory for context, but stale hosts are called out explicitly so old data is not mistaken for current posture.

Host history and change timelines are a natural next step: packages added or removed, new ports opened, CVEs introduced or fixed, and compliance drift.

Yes. Filtered host sets can be used to focus review and decide where to run scans or apply fixes, so teams work on the exact systems affected instead of the whole fleet.

Your Linux fleet, queryable at a glance.

Slice the fleet by any property.

Open any host for the full picture.

See what still needs a restart or reboot.

From enrolled agent to live fleet record.

Enroll

Inventory

Assess & Rank

Exactly what the agent records.

One agent. One fleet record. Every risk view.

Vulnerability Scanning

Compliance & STIG

Attack-Surface Exposure

Launch your first scan in minutes.

Host inventory, answered.