Ready to run / Patch Truth Snapshot / usually under a minute after upload

Create a one-host Patch Truth report.

Copy the command, run it on one supported Linux host, and watch for the upload. Once the snapshot lands, oxharden builds a token-protected report that says whether this host needs a package update, restart/reboot, no action, or a cleaner scan.

mode: one host
scope: package truth
distro: RHEL-family
install: no daemon
output: secure report URL

One-time read-only scan. No package changes / No config writes / Exits after upload
01

Run the snapshot

copy / run / upload
Command
patch-truth-snapshot

Generate a command for this report.

This creates a short-lived snapshot ID and token, then this page waits for that exact host upload.

expires in 30 min · single use
Read-only / No persistent agent / Exits after report

After the command is created, copy it to one supported host. This page will track that same snapshot ID and open the report when processing finishes.

waiting for snapshot

Create the command, run it, then keep this page open.

The progress state mirrors the enrollment flow: upload accepted, packages matched, report written, secure link ready.

Snapshot upload: queued
Package matching: queued
Report generation: queued
Secure report link: queued
02

Supported hosts

V1 scope

Start with a RHEL-family host.

Snapshot matching is intentionally scoped to distros where the CVE pipeline has vendor advisory coverage. Unsupported hosts should fail clearly instead of producing a false-clean report.

RHEL 8/9/10
Rocky Linux 8/9/10
AlmaLinux 8/9/10
Oracle Linux 8/9/10
Amazon Linux 2023
03

What it collects

minimum evidence

Package inventory

Package name, epoch/version/release, architecture, vendor, and install state needed for CVE matching.

Host basics

Redacted host label, distro, distro version, kernel release, and agent version for report context.

Runtime evidence

Signals used to separate package update debt from restart or reboot debt when runtime data is available.

Timing and status

Collector duration, record counts, unsupported distro status, and incomplete evidence flags.

04

Report preview

four outcomes
Patch Truth Snapshot
redacted host / rocky 9.8 / expires in 7 days
74 vulnerable package findings on this host.

Installed EVRs are below the vendor-fixed package versions.

vulnerable findings: 74
packages scanned: 402
critical / high: 12
host identity: redacted

# next action
sudo dnf update kernel openssl-libs glibc

# evidence
kernel-core 5.14.0-427.el9 -> fixed in 5.14.0-570.el9
openssl-libs 3.0.7-18.el9 -> fixed in 3.0.7-27.el9
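
Added example, not oxharden's code: a sketch of the "installed EVR is below the vendor-fixed EVR" check behind the evidence lines above, following rpm's version-ordering rules. The function names are hypothetical; the two EVR pairs come from the report preview. It goes beyond the preview by also handling epochs and the '~' and '^' markers, and it raises on a malformed EVR rather than reporting the package as clean.

```python
import re
from itertools import zip_longest

# rpm compares runs of digits, runs of letters, '~' and '^'; other characters only separate.
_SEG = re.compile(r"~|\^|[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 using rpm's segment-wise ordering (hypothetical helper)."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":        # '~' sorts before everything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == "^" or y == "^":        # '^' sorts after end of string, before any other segment
            if x != y:
                return (1 if y is None else -1) if x == "^" else (-1 if x is None else 1)
            continue
        if x is None or y is None:      # the side with segments left over is newer
            return 1 if y is None else -1
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def parse_evr(evr):
    """Split '[epoch:]version-release'; raise instead of guessing on malformed input."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr          # a missing epoch counts as 0
    version, _, release = rest.partition("-")
    if not epoch.isdigit() or not version:
        raise ValueError(f"unparseable EVR: {evr!r}")
    return int(epoch), version, release

def evr_cmp(a, b):
    """Compare epoch numerically, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_vulnerable(installed, fixed):
    return evr_cmp(installed, fixed) < 0  # installed sorts below the vendor-fixed EVR

if __name__ == "__main__":
    for inst, fix in [("5.14.0-427.el9", "5.14.0-570.el9"), ("3.0.7-18.el9", "3.0.7-27.el9")]:
        print(inst, "->", fix, "vulnerable" if is_vulnerable(inst, fix) else "ok")
```

A plain string comparison gets cases such as 1.2.9 versus 1.2.10 (a constructed pair) backwards, which is how a scanner ends up with a false-clean result.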