Continuous compliance

Know your compliance posture before the auditor does.

oxharden scores Linux hosts against CIS and DISA STIG with expected-vs-actual evidence for every rule. See what passes, what drifted, and which hosts need work — before the audit becomes a fire drill.

CIS · DISA STIG · PCI · Read-only collection · No big security team required.
Compliance posture

Org baseline · CIS RHEL 9 · Level 1 · 347 hosts · last scan 4m ago

Severity-weighted score: 87.4% (+2.3 over 30 days)
Pass: 218 · Fail: 14 · Not applicable: 11

Rule results (expected vs actual, per rule)

CAT I · RHEL-09-671010 · FIPS boot argument required · FAIL · 41 hosts
  Expected: kernel command line contains fips=1
  Actual: fips=1 missing from /proc/cmdline
CAT II · RHEL-09-611045 · Passwords must be at least 15 characters · 329/347 pass
CAT I · RHEL-09-255045 · SSH daemon must not permit root logon · 347/347 pass
CAT II · RHEL-09-213015 · kernel.dmesg_restrict must be set to 1 · 274/347 fail
CAT III · RHEL-09-211015 · Display Standard Mandatory DoD banner · 311/347 pass
The problem

Point-in-time compliance is a fire drill.

Most teams scramble before an audit: screenshotting configs, reconciling spreadsheets, and hoping nothing drifted since the last review. Then the fleet changes the next day. Compliance is not a date on the calendar — it is a state your systems are in or out of right now.

Manual evidence

Screenshots and spreadsheets go stale the moment they are saved.

Silent drift

A passing host can fail tomorrow after a config change, package update, or reboot.

No single source

Findings spread across tools rarely show the per-rule proof an auditor or engineer needs.

The solution

Every rule needs proof: expected, actual, pass or fail.

Continuous scoring

Evaluate Linux hosts against CIS and DISA STIG baselines on schedule, on demand, and after policy changes. Your score reflects the fleet now, not last quarter.

Expected vs actual

For every rule, oxharden shows what the baseline requires, what the host actually reported, and why it passed or failed.

Trend over time

Watch posture improve, catch drift, and see score movement over time.

Per-host detail

Drill from a fleet score to the exact host, rule, evidence, and remediation guidance.

CAT I · RHEL-09-671010 · FIPS mode boot argument required · Fail

Expected (what the baseline requires):
kernel command line contains fips=1

What CIS RHEL 9 Level 1 requires for this rule to pass.

Actual (what the host reported):
$ cat /proc/cmdline
BOOT_IMAGE=… ro crashkernel=1G
fips=1 — not present

Collected read-only from the host. fips=1 is missing, so the rule fails.

collected 4m ago · 41 / 347 hosts failing · evidence retained per scan
CIS 1.11 · NIST SC-13 · FIPS 140
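To make the expected-vs-actual evidence model concrete, here is an added example (written for this page, not oxharden's own collector or rule engine) that evaluates three of the rules shown above against a constructed host snapshot and emits one expected/actual/verdict record per rule plus a severity-weighted score. The host state, the `config_value` helper and the CAT weights are assumptions made for the example.

```python
import re
# Constructed host state: what a read-only collector might report from one RHEL 9
# host. Every value here is made up for this example.
HOST_STATE = {
    "cmdline": "BOOT_IMAGE=/vmlinuz-5.14.0-427 ro crashkernel=1G",
    "sysctl": {"kernel.dmesg_restrict": "0"},
    "sshd_config": "Port 22\n#PermitRootLogin yes\nPermitRootLogin no\n",
}

def cmdline_has(state, flag):
    present = flag in state["cmdline"].split()
    return (flag if present else f"{flag} missing from /proc/cmdline"), present

def sysctl_equals(state, key, want):
    got = state["sysctl"].get(key, "<unset>")
    return f"{key} = {got}", got == want

def config_value(text, key):
    # First uncommented "key value" line wins, which is how sshd resolves directives.
    pat = re.compile(rf"^\s*{re.escape(key)}\s+(\S+)", re.IGNORECASE)
    hits = [m.group(1) for m in map(pat.match, text.splitlines()) if m]
    return hits[0] if hits else None

def sshd_directive(state, key, want):
    got = config_value(state["sshd_config"], key) or "<default>"
    return f"{key} {got}", got.lower() == want.lower()

# Rule ids and categories follow the rules shown on the page. The weights
# (CAT I=3, CAT II=2, CAT III=1) are an assumption, not oxharden's scoring scheme.
RULES = [
    ("RHEL-09-671010", "CAT I", "kernel command line contains fips=1",
     lambda s: cmdline_has(s, "fips=1")),
    ("RHEL-09-255045", "CAT I", "sshd PermitRootLogin no",
     lambda s: sshd_directive(s, "PermitRootLogin", "no")),
    ("RHEL-09-213015", "CAT II", "kernel.dmesg_restrict = 1",
     lambda s: sysctl_equals(s, "kernel.dmesg_restrict", "1")),
]
WEIGHT = {"CAT I": 3, "CAT II": 2, "CAT III": 1}

def evaluate(state):
    # One evidence record per rule: what was expected, what was seen, the verdict.
    return [dict(rule=r, cat=c, expected=e, actual=a, result="pass" if ok else "fail")
            for r, c, e, check in RULES for a, ok in [check(state)]]

def weighted_score(records):
    # Severity-weighted pass percentage over the evaluated rules.
    total = sum(WEIGHT[r["cat"]] for r in records)
    passed = sum(WEIGHT[r["cat"]] for r in records if r["result"] == "pass")
    return round(100.0 * passed / total, 1)
```

Re-running `evaluate` after a config change is what turns a point-in-time verdict into drift detection: the same record either keeps its verdict or flips, and the actual field shows why.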
Framework coverage

Built for the frameworks you are held to.

CIS Benchmarks

Continuous CIS Benchmark scoring across supported Linux distributions.

CIS · Level 1 / 2
DISA STIG

STIG rules evaluated with expected-vs-actual evidence, built for teams that need defensible Linux hardening posture.

DISA STIG · RHEL 9
PCI

Configuration and exposure evidence that supports PCI control workflows.

PCI-DSS v4.0

oxharden does not make you compliant by itself. It provides the Linux host evidence those programs ask for.

HIPAA · PCI · CMMC · FedRAMP-adjacent · CIS · DISA STIG
One record

Compliance gaps, CVEs, and exposed services belong on the same host record.

oxharden collects host state once and uses it across compliance, vulnerability, and exposure views. A failed hardening rule, an exploited CVE, and an internet-reachable service should not live in three unrelated tools.

ip-10-20-2-107.us-east-2 · RHEL 9.4 · kernel 5.14.0-427 · collected once · online
Compliance evidence (CIS · DISA STIG · PCI): 3 CAT I fail
CVEs and fixability (ranked KEV → EPSS): 4 KEV
Ports and exposure (listening sockets): 2 exposed
Applied vs live state (patched ≠ running): restart due
Deployment & trust

Designed for regulated Linux environments.

Read-only

The agent evaluates and reports. It does not change your servers during assessment.

Least-privilege design

Collects the host state needed for inventory, vulnerability, exposure, and compliance evaluation.

Enterprise deployment

Enterprise deployment models can be scoped for offline, self-hosted, or regulated-environment requirements.

Fast rollout

Deploy with curl, dnf, or automation. First compliance posture appears in minutes after enrollment and scan.

Read-only collection. Evidence per rule. Built for RPM-based Linux fleets.
RHEL · Rocky Linux · AlmaLinux · Oracle Linux · Amazon Linux 2023 · CIS · DISA STIG · PCI
Get started

See the gaps before your auditor does.

Explore the live demo to see continuous CIS and DISA STIG scoring with per-rule evidence. Then start a 14-day free trial on up to 30 of your own hosts.

14-day free trial for up to 30 hosts. No card required.