Harden every Linux host.
Continuously.
oxharden turns Linux host state into ranked fixes: exploited CVEs, compliance gaps, exposed services, and patches that have not taken effect. Know what matters, where it runs, and what to do next.
Stop reconciling five different versions of the same host.
oxharden collects host state once, then turns CVEs, compliance gaps, exposed services, and stale running code into one prioritized view of what to fix next.
Package risk
347 hosts · 2,184 packages assessed · 189 CVEs matched · 2m 11s
| Package | Fix | Hosts | KEV | Risk retired |
|---|---|---|---|---|
| xz-libs | 5.2.5-7 → 5.2.5-8 | 42 | KEV | 86 CVEs |
| openssl | 3.0.7-27 → 3.0.7-31 | 18 | 7.8 EPSS | 24 CVEs |
| kernel | 5.14.0-427 → 5.14.0-503 | 31 | reboot | 19 CVEs |
| glibc | 2.34-83 → 2.34-100 | 78 | KEV | 41 CVEs |
| polkit | 0.117-13 → 0.117-15 | 96 | KEV | 12 CVEs |
| curl | 7.76.1-29 → 7.76.1-31 | 24 | 8.2 EPSS | 9 CVEs |
Most scanners hand you a list.
oxharden shows the risk, the evidence, and the fix.
“Patched” by version. Still running the vulnerable code.
A kernel CVE is not closed until the host reboots. A library fix is not live until every service that mapped it restarts. oxharden tracks applied-vs-live state, so your dashboard reflects what is actually running, not just what the package manager reports.
oxharden tracks applied-vs-live state, so patched-but-still-running risk stays visible until the fix actually takes effect.
CVSS is not a work queue.
A list of 189 CVEs is noise if the exploited ones are buried halfway down. oxharden brings KEV and EPSS to the top, then uses CVSS for impact context, so teams fix the vulnerabilities attackers are most likely to use first.
One remediation can close many findings.
oxharden groups findings by the work required: package upgrade, service restart, reboot, or configuration change. Copy the Bash or Ansible guidance where available, then re-scan to verify the risk is gone.
Five views. One source of truth.
Inventory, package risk, CVEs, compliance, and exposure all come from the same host record, so teams can move from finding to affected system without context switching.
Launch your first scan in minutes.
Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.
curl -fsSL https://packages.oxharden.com/install.sh \ | sudo EXPECTED_GPG_FINGERPRINT=9B23F83E487C46C97ADE6429E7A1D1965BB4621B bash
✓ inventory synced · 410 packages · 4 ports
✓ first scan complete · 12 critical · 19 vulnerable pkgs
Questions, answered.
Deploy the lightweight agent with curl, dnf, or automation tooling like Ansible. It checks in periodically, captures package, port, and kernel posture, and evaluates compliance locally on each host. The agent is strictly read-only, so it reports findings without making changes.