Skip to main content

Harden every Linux host.
Continuously.

oxharden turns Linux host state into ranked fixes: exploited CVEs, compliance gaps, exposed services, and patches that have not taken effect. Know what matters, where it runs, and what to do next.

14-day free trial for up to 30 hostsAgent installs in 2 minutesNo card required
Built for enterprise Linux
RHELRockyAlmaLinuxOracle LinuxAmazon Linux 2023CISDISA STIG
One platform

Stop reconciling five different versions of the same host.

oxharden collects host state once, then turns CVEs, compliance gaps, exposed services, and stale running code into one prioritized view of what to fix next.

acme-prod / packages / scan
Monitor
Dashboard
Hosts347
Packages2,184
Ports4,218
CVEs189
Compliance
Exposure47
Scans
Manage
Enroll host
Organization
acme-prod Package risk
KM

Package risk

347 hosts · 2,184 packages assessed · 189 CVEs matched · 2m 11s

Re-scan
Ranking
KEV-first
exploit signals over CVSS
Reboot debt
Applied ≠ live
86 hosts still vulnerable
Coverage
5 Linux families
vendor advisories matched
86 hosts are "patched" by version but still running vulnerable code. Old libraries remain mapped into long-running services.Review
Top package fixesranked by exploit signals + fleet impact
PackageFixHostsKEVRisk retired
xz-libs5.2.5-7 5.2.5-842KEV86 CVEs
openssl3.0.7-27 3.0.7-31187.8 EPSS24 CVEs
kernel5.14.0-427 5.14.0-50331reboot19 CVEs
glibc2.34-83 2.34-10078KEV41 CVEs
polkit0.117-13 0.117-1596KEV12 CVEs
curl7.76.1-29 7.76.1-31248.2 EPSS9 CVEs
Why oxharden

Most scanners hand you a list.
oxharden shows the risk, the evidence, and the fix.

01 · Applied ≠ live

“Patched” by version. Still running the vulnerable code.

A kernel CVE is not closed until the host reboots. A library fix is not live until every service that mapped it restarts. oxharden tracks applied-vs-live state, so your dashboard reflects what is actually running, not just what the package manager reports.

oxharden tracks applied-vs-live state, so patched-but-still-running risk stays visible until the fix actually takes effect.

On disk
ON DISK · package layer
openssl-libs3.0.7-27.el9rpm db · fixed
patched build installed — the package manager reports it resolved
IN MEMORY · running processes
nginxpid 1841↳ libssl.so.3 · 3.0.7-18 (deleted)
postgrespid 2207↳ libssl.so.3 · 3.0.7-18 (deleted)
redis-serverpid 995↳ libssl.so.3 · 3.0.7-18 (deleted)
31 services still map the old inode — loaded before the upgrade, never re-exec'd
KERNEL · running image
uname -r5.14.0-427installed5.14.0-503reboot pending
fixed kernel staged on disk; the running image won't change until reboot
reconciling installed ↔ live…
1/4On disk
Run an upgrade and the package database flips to the fixed build. By version alone, openssl-libs 3.0.7-27 reads as patched — which is where most scanners stop.
02 · Exploited first

CVSS is not a work queue.

A list of 189 CVEs is noise if the exploited ones are buried halfway down. oxharden brings KEV and EPSS to the top, then uses CVSS for impact context, so teams fix the vulnerabilities attackers are most likely to use first.

Detected
189
CVEs detected · acme-prod fleet
46 score CVSS ≥ 7.0 — far too many to call any one of them "the priority"
4
CISA KEV — confirmed exploited
9
EPSS ≥ 0.50 — likely in 30 days
37
CVSS ≥ 7.0 — high impact
139
Tracked · lower priority
ranking by real-world exploitability…
1/4Detected
189 CVEs across the fleet. Sorting by CVSS alone leaves dozens tied at "high" — a flat list that says everything is urgent, so nothing is.
03 · Fix the work, not the row

One remediation can close many findings.

oxharden groups findings by the work required: package upgrade, service restart, reboot, or configuration change. Copy the Bash or Ansible guidance where available, then re-scan to verify the risk is gone.

Group
Findings → the actual unit of work
CVE-2023-0464CVE-2023-0465CVE-2022-4304+20
↓ grouped into one remediation
upgrade openssl-libs → 3.0.7-27.el9closes 23 CVEs
ranked by risk retired = CVEs × hosts closed
1/3Group
One upstream fix usually answers many CVEs. Findings are grouped into remediations — the real unit of work — and ranked by how much risk each one retires across the fleet.
<2 min
to first scan
5
Linux families supported
CIS + DISA
continuous baselines
KEV-first
vulnerability ranking
Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

No signup, no agent, or book a guided demo with our team.
install.sh
curl -fsSL https://packages.oxharden.com/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=9B23F83E487C46C97ADE6429E7A1D1965BB4621B bash
agent enrolled · ip-10-20-2-107
inventory synced · 410 packages · 4 ports
first scan complete · 12 critical · 19 vulnerable pkgs
FAQ

Questions, answered.

Deploy the lightweight agent with curl, dnf, or automation tooling like Ansible. It checks in periodically, captures package, port, and kernel posture, and evaluates compliance locally on each host. The agent is strictly read-only, so it reports findings without making changes.