Patch windows should end with proof, not hope.
oxharden turns Linux patch state into evidence: installed package versions, vendor-fixed EVRs, running-code deltas, reboot-pending kernels, and the next action needed to close the finding.
The package database is only half the story.
After a patch window, most teams still have open questions. Did the host actually receive the vendor fix? Did the service restart? Is the old shared library still mapped in memory? Did the kernel update require a reboot? Version-only checks do not answer all of that.
Package version drift
Some hosts never received the fixed EVR, even though the patch window is marked complete.
Restart debt
Long-running services can keep old libraries mapped after the package has been updated on disk.
Reboot debt
A fixed kernel image can be installed while the vulnerable kernel is still running.
Scanner noise
Security scanners keep findings open, but rarely explain the operational step needed to clear them.
Applied is not the same as live.
Four checks turn a package update into a verdict. A finding does not close until the installed version, the vendor fix, and the running code all agree.
Installed package
Read the package database and record the installed EVR for every affected package.
Vendor fix
Compare installed versions against distro / vendor security advisory data to find the fixed EVR.
Running code
Inspect running processes, mapped libraries, deleted objects, and running kernel state.
Action
Classify the finding: update, restart, reboot, review, or clean — the exact next step.
Turn a patch window into a closeout report.
Every affected host and package, side by side: installed version, vendor-fixed version, the runtime evidence that decides the verdict, and the one action left to close it.
| Host | Package | Installed | Fixed | Runtime evidence | Status | Action |
|---|---|---|---|---|---|---|
| Host web-01 | Package openssl-libs | Installed 3.0.7-27.el9 | Fixed 3.0.7-27.el9 | Evidence old libssl mapped by nginx | Status Restart required | Action restart 3 services |
| Host db-02 | Package kernel | Installed 5.14.0-503.el9 | Fixed 5.14.0-503.el9 | Evidence old kernel 427 running | Status Reboot pending | Action reboot host |
| Host app-03 | Package expat | Installed 2.5.0-1.el9 | Fixed 2.5.0-3.el9 | Evidence no runtime evidence | Status Package update required | Action install fixed EVR |
| Host api-04 | Package curl | Installed 7.76.1-31.el9 | Fixed 7.76.1-31.el9 | Evidence no stale maps | Status Clean | Action none |
Designed for the patching loop teams already run.
Before the window
Identify affected packages and hosts.
During the window
Apply updates through your existing patch tooling.
After the window
Run oxharden to verify package state, runtime state, and reboot status.
Close the loop
Export evidence, restart / reboot what remains, then re-scan to prove closure.
Clear actions instead of another CVE list.
Vendor-aware package evidence
Installed EVR compared against vendor-fixed EVR for supported Linux distributions.
Running-code detection
Find services still mapping old libraries after the package update landed.
Kernel reboot detection
Compare installed and running kernel state to identify reboot debt.
Remediation grouping
Group findings by update, restart, reboot, review, or no action.
Verification after remediation
Re-scan after changes to prove the finding is actually closed.
Reportable evidence
Give security, management, or auditors a clean artifact showing what happened.
Built for enterprise Linux patching.
See what your patch window actually fixed.
Run a one-host snapshot or review a sample report to see how oxharden separates package updates from running-code reality. Run the snapshot, remediate with your existing tools, then re-scan to prove closure.