Patch verification

Patched is not fixed until the vulnerable code stops running.

Package scanners usually close a finding when the fixed version lands on disk. That is not enough. Kernels still need reboots. Long-running services still map old libraries. oxharden keeps the finding open until applied and live state agree.

No signup · Read-only agent · Installs in 2 minutes

acme-prod / hosts / ip-10-20-2-107: OPEN

On disk (package db):
openssl-libs 3.0.7-27.el9: fixed
kernel 5.14.0-503.el9: installed

Still running (process table):
nginx: libssl.so.3 3.0.7-18.el9 (deleted)
postgres: libssl.so.3 3.0.7-18.el9 (deleted)
kernel running: 5.14.0-427.el9, reboot pending

FINDING STAYS OPEN (applied vs live): patched by version, but the vulnerable code is still executing.
The gap

The package database can say clean while the process table says vulnerable.

Run an upgrade and the package database flips to the fixed build. By version alone, the host reads as clean — which is exactly where most scanners stop. But the code that matters is the code still executing.

Libraries

A library fix is not live until every service that mapped it restarts. Long-running processes can keep the old code in memory, often visible as deleted inodes.

Kernels

A kernel CVE is not closed until the host reboots. The fixed image can sit staged on disk while the vulnerable kernel keeps running.

False green

86 hosts patched by version · still running old code

The package is fixed. The risk is not. Every one of these reads clean to a version-only scanner.

The proof mechanic

How oxharden tells applied from live.

01 applied: On disk

The package manager reports the fixed build installed. Most scanners stop here.

openssl 3.0.7-27 (rpm -q: fixed)

02 live: In memory

oxharden inspects running processes and maps which services still load old library objects, the code actually executing right now.

nginx 3.0.7-18
postgres (deleted)

03 kernel: Kernel

oxharden compares the running kernel against the installed kernel to surface reboot-pending risk.

installed 503.el9
running 427.el9

04 verdict: Reconcile

A finding stays open until applied and live agree. Green means actually fixed.

applied = live
verdict: fixed
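As an added example (not oxharden's code), here is how the applied/live reconciliation in steps 01 through 04 can be implemented on a Linux host: it parses /proc/<pid>/maps for shared objects still mapped from an unlinked inode, compares the running kernel string with the installed one, and keeps the finding open until both agree. The maps excerpts, process names, PIDs and kernel strings are constructed for the example; on a real host you would read each process's /proc/<pid>/maps and feed it in the same shape.

```python
import re

# Shared-object names: libfoo.so, libfoo.so.3, libfoo.so.3.0.7
SO_RE = re.compile(r"\.so(\.\d+)*$")

# Constructed /proc/<pid>/maps excerpts keyed by (process name, pid). nginx and
# postgres still map the unlinked libssl inode; sshd was restarted; memfd is a decoy.
SAMPLE_MAPS = {
    ("nginx", 1201): (
        "7f1a2b000000-7f1a2b2c0000 r-xp 00000000 fd:00 5320  /usr/lib64/libssl.so.3.0.7 (deleted)\n"
        "7f1a2b400000-7f1a2b420000 rw-p 00000000 00:00 0     [heap]\n"
        "7f1a2b500000-7f1a2b510000 rw-s 00000000 00:01 77    /memfd:nginx-zone (deleted)\n"
    ),
    ("postgres", 1330): (
        "7f3c10000000-7f3c102c0000 r-xp 00000000 fd:00 5320  /usr/lib64/libssl.so.3.0.7 (deleted)\n"
    ),
    ("sshd", 910): (
        "7f9900000000-7f99002c0000 r-xp 00000000 fd:00 9911  /usr/lib64/libssl.so.3.0.7\n"
    ),
}

def stale_libraries(maps_by_proc):
    """Return {library path: sorted process names} for shared objects mapped from
    an inode that has since been unlinked (the '(deleted)' suffix in maps)."""
    stale = {}
    for (name, _pid), text in maps_by_proc.items():
        for line in text.splitlines():
            parts = line.split(None, 5)  # addr perms offset dev inode pathname
            if len(parts) < 6 or not parts[5].endswith(" (deleted)"):
                continue
            path = parts[5][: -len(" (deleted)")]
            # memfd:, /dev/shm and tmp files also show '(deleted)'; keep only .so objects
            if SO_RE.search(path):
                stale.setdefault(path, set()).add(name)
    return {path: sorted(names) for path, names in stale.items()}

def reconcile(package_fixed, stale, running_kernel, installed_kernel):
    """Verdict is 'fixed' only when applied (disk) and live (memory, kernel) agree."""
    actions = []
    if not package_fixed:
        actions.append("upgrade: package below fixed-in version")
    for path, procs in sorted(stale.items()):
        actions.append(f"restart {', '.join(procs)}: {path} mapped from deleted inode")
    if running_kernel != installed_kernel:
        actions.append(f"reboot: running {running_kernel}, installed {installed_kernel}")
    return ("fixed" if not actions else "open"), actions

if __name__ == "__main__":  # constructed kernel strings (uname -r vs rpm -q kernel)
    print(reconcile(True, stale_libraries(SAMPLE_MAPS), "5.14.0-427.el9", "5.14.0-503.el9"))
```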
Next action, named

The next action is restart, reboot, or upgrade — not guesswork.

oxharden flags every host where applied and live state disagree and tells you the follow-up: restart these services, reboot this host, or upgrade this package. Where available, copy the Bash or Ansible guidance, apply it, and re-scan to prove the risk is retired.

Per-service restart guidance
Reboot-pending flags
Copyable Bash or Ansible
Re-scan to verify
acme-prod / remediation: 5 hosts disagree

Host           | Why it's still open                       | Action  | Scope
ip-10-20-2-107 | 3 services map stale libssl.so.3          | restart | 3 svc
ip-10-20-4-32  | kernel 5.14.0-427 running, reboot pending | reboot  | 1 host
ip-10-20-7-15  | openssl-libs below fixed-in version       | upgrade | 1 pkg

Bash · Ansible · re-scan to verify

Read-only collection. Least-privilege design. Installs in 2 minutes.

RHEL · Rocky Linux · AlmaLinux · Oracle Linux · Amazon Linux 2023 · CIS · DISA STIG · PCI
Verify runtime state

Stop trusting package state. Verify runtime state.

Explore the live demo and see how oxharden separates applied from live, then run it as a 14-day free trial on up to 30 of your own hosts.

14-day free trial for up to 30 hosts. No card required.
Patched ≠ fixed. See it proven on real fleet data.
See the live demo