Skip to main content
CMMC / defense contractors

Linux host evidence for defense teams that need proof, not screenshots.

oxharden helps defense contractors produce defensible Linux host evidence for vulnerability remediation, CIS / STIG posture, exposed services, and the gap between patched-on-disk and still-running code. It is not a CMMC platform or assessor; it is the Linux evidence layer underneath audit prep.

Supports CMMC / NIST 800-171 evidence workflows. Does not attest compliance.
Read-only collection Supports CMMC evidence workflows No remediation during scan
cui-prod / linux hosts / rhel-app-01rhel-app-01
CMMCNIST 800-171CISDISA STIG
47
critical / high vulnerability findings
6
running-code deltas (applied ≠ live)
12
failed STIG / CIS checks
3
exposed services requiring review
Evidence · kernel — CVE-2024-1086
kernel fixed on disk5.14.0-503.el9
running kernel still old5.14.0-427.el9
Action requiredReboot host
The problem

Audit prep gets messy when Linux evidence is scattered.

Defense contractors are often asked to prove that systems are patched, configured, and monitored. But the evidence usually lives across scanner exports, package managers, shell output, spreadsheets, and manual screenshots. That makes reviews slower and remediation harder to defend.

Patch evidence is incomplete

A package can be fixed on disk while vulnerable code is still running in memory.

Hardening evidence is manual

CIS and STIG checks often become screenshots, scripts, or spreadsheets that age quickly.

Scanner findings lack action

A CVE finding does not always say whether the host needs an update, restart, reboot, or review.

Exposed services need context

Open ports and listening services need to be tied back to host, owner, and remediation evidence.

How oxharden helps

Host evidence across patching, vulnerabilities, hardening, and exposure.

Four evidence pillars, collected once from the host and organized by report and date — so the proof is the same whether a security manager, IT lead, or assessor is asking.

Vulnerability remediation evidenceConfiguration / hardening evidenceChange verification after remediationExposed service review

Patch verification

Compare installed packages against vendor-fixed EVRs and identify where patched-on-disk does not mean fixed-live.

openssl-libsinstalled 3.0.7-18
vendor-fixed EVR3.0.7-28.el9_4

Vulnerability evidence

Tie CVEs to package versions, severity, fixed versions, affected services, and the next action.

CVE-2024-10869.8 · kernel
next actionreboot host

CIS / DISA STIG posture

Show expected-vs-actual evidence for every Linux hardening rule — pass or fail, per host.

RHEL-09-255010actual: pass
RHEL-09-671010actual: fail

Exposure context

Surface listening services and exposed ports alongside the host record they belong to.

22/tcp · sshdapproved
8443/tcp · unknownreview
Applied vs live

Patched is not fixed until vulnerable code stops running.

Defense teams cannot close a finding just because the package database changed. Long-running services can keep old libraries mapped after patching. Kernels can remain vulnerable until reboot. oxharden shows the gap so teams know what action is still required.

Key idea Package updated does not always mean vulnerable code stopped running.
rhel-app-01 · applied-vs-liveaction required
On disk package db
openssl-libs3.0.7-28.el9_4
kernel5.14.0-503 installed
Still running runtime
nginx maps libssl 3.0.7-25(deleted)
running kernel5.14.0-427.el9
VERDICTPackage db moved, but old code is still live.restart nginx · reboot host
Supports CMMC workflows

Evidence for the controls conversation.

oxharden does not make an organization CMMC compliant by itself. It helps produce Linux host evidence that supports vulnerability remediation, configuration management, system monitoring, and audit review workflows.

Vulnerability remediation

Show what is vulnerable, what fix is available, and whether the fix is actually live.

Configuration evidence

Record expected-vs-actual results for CIS and DISA STIG checks.

Change verification

Re-scan after patching or hardening work to show what changed.

Audit-ready artifacts

Produce clean reports a security manager, IT lead, assessor, or client can review.

CMMC scope, applicability, and control interpretation should be handled with your assessor or compliance advisor. oxharden provides Linux host evidence to support that process — it is not an attestation of compliance.
Report preview

A report you can hand to security, IT, or an assessor.

One host record, grouped by evidence type. Every row carries the proof and the one action left to close it — organized by host and report date.

Keep your GRC, scanner, and assessor workflow. oxharden supplies the Linux host facts those workflows depend on.
rhel-app-01 — Linux host evidencecui-prod · generated Jul 4, 2026
kernelCVE-2024-1086 · fixed kernel installed, running kernel oldReboot host
openssl-libsCVE-2022-3602 · fixed on disk, nginx still maps old libsslRestart service
expatCVE-2024-45492 · installed below vendor-fixed EVRUpdate package
host evidence · read-only collection re-scan to verify closure
Defense contractor workflow

From finding to evidence-backed closure.

oxharden slots into how your team already works — it collects and organizes the Linux host evidence; your existing patch and config workflows make the change.

01collect

Collect

Run a one-host snapshot or enroll approved Linux hosts.

02classify

Classify

Group findings by update, restart, reboot, review, or clean.

03remediate

Remediate

Use existing patching and configuration workflows to make the change.

04verify

Verify

Re-scan and keep the report as evidence for review.

Designed for cautious Linux environments.

RHELRocky LinuxAlmaLinuxOracle LinuxAmazon Linux 2023CISDISA STIGCMMCNIST 800-171

Host-level evidence for CIS, DISA STIG, CMMC & NIST 800-171 workflows — oxharden supplies the Linux proof, not the attestation.

Read-only collection
One-host snapshot available
No remediation during scan
RPM-based Linux support
Works with existing patch/config workflows
Evidence organized by host and report date
Before the scramble

See the Linux evidence before audit prep becomes a scramble.

Review a sample Patch Truth report or book a short walkthrough to see how oxharden supports defense-oriented Linux evidence workflows.

Read-only snapshot available for supported RPM-based Linux hosts — or book a 15-min report review.
Linux host evidenceDefensible proof for CMMC audit prep.
View sample report