Skip to main content
For MSSPs

Turn Linux patch status into client-ready evidence.

oxharden helps MSSPs produce defensible Linux evidence across client environments: vulnerable packages, fixed versions, running-code deltas, restart/reboot guidance, and compliance context in one report.

or run a one-host snapshot on a supported RPM-based host.
oxharden — client portfolio3 clients
Clients
Acme Health
acme-health · patch-truth · 2026-07-02
Patch Truth
74
vulnerable package findings
47
critical / high
6
running-code deltas
3
reboot / restart actions
openssl-libs fixed on diskDISK ✓
nginx still mapping old libsslLIVE ✗
Action restart nginx to load the patched libraryrestart
Attach Linux host evidence to the frameworks your clients report against
CIS BenchmarksDISA STIGPCI-DSSHIPAACMMCNIST 800-53
RHEL 8–10Rocky 9AlmaLinux 9Oracle Linux 9Amazon Linux 2023
RHEL-family Linux · CIS · DISA STIG · CMMC evidence workflows
The MSSP problem

Client evidence should not be a spreadsheet chase.

Most Linux assessments turn into a messy back-and-forth: scanner exports, package versions, screenshots, reboot questions, and unclear proof that remediation actually landed. That slows delivery and makes reports harder to defend.

Scanner noise
A CVE list rarely explains whether the fix is installed, live, or waiting on a restart. Clients get a wall of findings with no verdict.
Client friction
Clients do not always know which host was patched, rebooted, or still needs a service restart. Every report becomes a back-and-forth.
Weak handoff
A finding without package, runtime, and remediation evidence is hard to hand to a manager, auditor, or client — so it gets questioned.
The report artifact

A report your client can actually act on.

Every finding carries the package, the installed and fixed versions, what the runtime is actually doing, a verdict, and the one action that closes it — organized by client and host.

Organized by client, environment, host, and report date
patch-truth-report · client-readyevidence report
5 findings·2 running-code deltas·1 reboot·3 clientsCopyExport PDF
Client / hostPackageInstalledFixedRunning evidenceVerdictAction
client-prod-01Acme Healthopenssl-libs3.0.7-18.el93.0.7-27.el9nginx maps old libsslrunning-code deltasystemctl restart nginx
client-db-02Acme Healthkernel5.14.0-503.el95.14.0-503.el9running 5.14.0-427.el9reboot pendingreboot host
client-app-04Vector Federalcurlbelow fixed EVR7.76.1-31.el9no runtime mappingpackage updatednf update curl
client-web-07Vector Federalglibc2.34-83.el92.34-100.el918 procs map old libcrunning-code deltarestart affected services
client-app-02Northstar Financeopenssl3.0.7-27.el93.0.7-27.el9fixed & services restartedverified cleanno action
openssl-libs
client-prod-01 · Acme Health
running-code delta
installed3.0.7-18.el9
fixed3.0.7-27.el9
runningnginx maps old libssl
systemctl restart nginx
kernel
client-db-02 · Acme Health
reboot pending
installed5.14.0-503.el9
fixed5.14.0-503.el9
runningrunning 5.14.0-427.el9
reboot host
curl
client-app-04 · Vector Federal
package update
installedbelow fixed EVR
fixed7.76.1-31.el9
runningno runtime mapping
dnf update curl
glibc
client-web-07 · Vector Federal
running-code delta
installed2.34-83.el9
fixed2.34-100.el9
running18 procs map old libc
restart affected services
openssl
client-app-02 · Northstar Finance
verified clean
installed3.0.7-27.el9
fixed3.0.7-27.el9
runningfixed & services restarted
no action needed

Every row separates patched-on-disk from vulnerable-code-still-running — the delta clients can't see with a scanner alone.

MSSP workflow

From assessment to remediation proof.

1
Collect
Run a read-only snapshot or deploy the agent across approved client hosts.
read-only by default
2
Explain
Separate package updates from runtime deltas, reboot debt, and clean findings.
applied vs live
3
Report
Give clients a clean artifact with severity, evidence, and recommended action.
per-host evidence
4
Verify
Re-scan after remediation to prove the finding is actually closed.
restart / reboot proof
What MSSPs can offer

Turn Linux patch truth into a service line.

oxharden does not make clients compliant — it provides the Linux host evidence that supports the compliance and remediation work you already deliver.

Patch validation assessments
Show where patched-by-version does not match what is still running in memory.
Client remediation reports
Give clients a prioritized list of package updates, restarts, reboots, and review items — with the action for each.
Compliance evidence support
Attach Linux host evidence to CIS, DISA STIG, PCI, HIPAA, CMMC, and audit workflows.
Post-remediation verification
Run the report again after client action to show the risk was retired — with restart/reboot proof, not a promise.
Deployment & trust

Built for client environments that need proof and caution.

Read-only collection
Collects host state for assessment. It does not remediate during a scan — nothing changes on a client host without you.
Short-lived snapshot option
Start with a one-host report before a broader rollout. A snapshot expires; the evidence stays.
Client-scoped reporting
Keep evidence organized by client, environment, host, and report date — so every artifact is traceable.
Enterprise Linux focus
Built around RPM-based fleets: RHEL, Rocky, AlmaLinux, Oracle Linux, Amazon Linux 2023.
Get started

See the report before asking a client to run anything.

Review a sample Patch Truth report, then decide whether a one-host snapshot or a larger client assessment makes sense.

Read-only snapshot available for supported RPM-based Linux hosts.
Keep reading

Related evidence workflows.

Patch Truth report — evidence across client hostsView sample