Skip to main content
Linux patch management

Patch windows should end with proof, not hope.

oxharden turns Linux patch state into evidence: installed package versions, vendor-fixed EVRs, running-code deltas, reboot-pending kernels, and the next action needed to close the finding.

Read-only collection Works with existing patch tools No remediation during scan
or book a guided demo with our team.
acme-prod / patch-window / 2026-07-04 OPEN
$ dnf update completed · 3m 12s · 41 packages
Installed on diskpackage db
openssl-libs3.0.7-27.el9fixed
kernel5.14.0-503.el9installed
Still runningprocess table
nginx libssl.so.33.0.7-18.el9old map
postgres libssl.so.33.0.7-18.el9old map
kernel running5.14.0-427.el9reboot pending
RESTART / REBOOT REQUIREDPackages are on disk. The running code is still the old build.installed live
The problem

The package database is only half the story.

After a patch window, most teams still have open questions. Did the host actually receive the vendor fix? Did the service restart? Is the old shared library still mapped in memory? Did the kernel update require a reboot? Version-only checks do not answer all of that.

Package version drift

Some hosts never received the fixed EVR, even though the patch window is marked complete.

Restart debt

Long-running services can keep old libraries mapped after the package has been updated on disk.

Reboot debt

A fixed kernel image can be installed while the vulnerable kernel is still running.

Scanner noise

Security scanners keep findings open, but rarely explain the operational step needed to clear them.

The proof mechanic

Applied is not the same as live.

Four checks turn a package update into a verdict. A finding does not close until the installed version, the vendor fix, and the running code all agree.

01installed

Installed package

Read the package database and record the installed EVR for every affected package.

openssl-libs3.0.7-27
rpm -qpresent
02vendor

Vendor fix

Compare installed versions against distro / vendor security advisory data to find the fixed EVR.

fixed-in3.0.7-27
advisoryRHSA matched
03running

Running code

Inspect running processes, mapped libraries, deleted objects, and running kernel state.

nginxold map
kernel427 ≠ 503
04verdict

Action

Classify the finding: update, restart, reboot, review, or clean — the exact next step.

web-01restart
db-02reboot
Patch window summary

Turn a patch window into a closeout report.

Every affected host and package, side by side: installed version, vendor-fixed version, the runtime evidence that decides the verdict, and the one action left to close it.

acme-prod / patch-window / closeout4 hosts · 3 still open
HostPackageInstalledFixedRuntime evidenceStatusAction
Host web-01Package openssl-libsInstalled 3.0.7-27.el9Fixed 3.0.7-27.el9Evidence old libssl mapped by nginxStatus Restart requiredAction restart 3 services
Host db-02Package kernelInstalled 5.14.0-503.el9Fixed 5.14.0-503.el9Evidence old kernel 427 runningStatus Reboot pendingAction reboot host
Host app-03Package expatInstalled 2.5.0-1.el9Fixed 2.5.0-3.el9Evidence no runtime evidenceStatus Package update requiredAction install fixed EVR
Host api-04Package curlInstalled 7.76.1-31.el9Fixed 7.76.1-31.el9Evidence no stale mapsStatus CleanAction none
Status:Package update requiredRestart requiredReboot pendingRunning-code deltaNeeds reviewClean re-scan to verify
Operational workflow

Designed for the patching loop teams already run.

01before

Before the window

Identify affected packages and hosts.

02during

During the window

Apply updates through your existing patch tooling.

03oxharden

After the window

Run oxharden to verify package state, runtime state, and reboot status.

04close

Close the loop

Export evidence, restart / reboot what remains, then re-scan to prove closure.

oxharden does not deploy patches. It verifies and prioritizes the outcome of the tools you already run.
What teams get

Clear actions instead of another CVE list.

Vendor-aware package evidence

Installed EVR compared against vendor-fixed EVR for supported Linux distributions.

Running-code detection

Find services still mapping old libraries after the package update landed.

Kernel reboot detection

Compare installed and running kernel state to identify reboot debt.

Remediation grouping

Group findings by update, restart, reboot, review, or no action.

Verification after remediation

Re-scan after changes to prove the finding is actually closed.

Reportable evidence

Give security, management, or auditors a clean artifact showing what happened.

Built for enterprise Linux patching.

RHELRocky LinuxAlmaLinuxOracle LinuxAmazon Linux 2023CISDISA STIG
Read-only collection
One-host snapshot available
Works with existing patch tools
Evidence-first reports
No remediation performed during scan
See what your patch window actually fixed

See what your patch window actually fixed.

Run a one-host snapshot or review a sample report to see how oxharden separates package updates from running-code reality. Run the snapshot, remediate with your existing tools, then re-scan to prove closure.

Read-only snapshot available for supported RPM-based Linux hosts — or book a guided demo.
Installed ≠ liveSee what your patch window actually fixed.
Run a snapshot