Hardened HCI hypervisor
for the European Union

98.08% OpenSCAP compliance, publicly verifiable.
Built on SUSE Virtualization and the Harvester project.
Aligned with GDPR, NIS2, RGS.

98.08% adjusted OpenSCAP score: 153/156 applicable rules

Results

153 CIS/STIG rules validated (PASS)
3 residual FAILs, all related to RPM macros (WIP)
30 documented tailoring exceptions
65+ STIG controls applied at build time

Methodology — the two numbers in the report

The attached OpenSCAP report shows 92.17% at the top of the page. Our communication highlights 98.08%. This is not a contradiction — it's the choice of denominator.

Score                                    Formula                              Value
Raw OpenSCAP score (shown in the report) PASS / (PASS + FAIL + NOTCHECKED)    153 / (153 + 3 + 10) = 153 / 166 = 92.17 %
Adjusted score (applicable rules only)   PASS / (PASS + FAIL)                 153 / (153 + 3) = 153 / 156 = 98.08 %

Why exclude the 10 "notchecked" rules? These are rules whose status OpenSCAP cannot evaluate because a technical prerequisite is missing on our platform (e.g. Postfix package absent on headless HCI, pam_lastlog2 tools not packaged in SL Micro 6.2, audit-audispd-plugins not in repos). They are outside the evaluable technical scope — they measure neither success nor failure. Audit methodologies (DISA, CIS, ANSSI) traditionally exclude this type of rule from the denominator in compliance reports.

The 30 "notselected" rules are tailoring exclusions documented in reports/stig-exceptions.md (FIPS not available, smartcard N/A on headless HCI, partitions fixed by Elemental, etc.). They are legitimately out of scope and, by convention, count neither in the numerator nor the denominator.

Full transparency: the raw report is published below. Anyone can redo the calculation.
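To redo the calculation from the XCCDF results file that oscap writes (XCCDF 1.2 namespace assumed), the following added example, which is not part of the Hardpipe report or tooling, tallies the per-rule results and derives both the raw and the adjusted score; the embedded sample is constructed from the counts quoted above.

```python
"""Recompute raw and adjusted OpenSCAP scores from XCCDF rule results."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def count_rule_results(xml_text: str) -> Counter:
    """Tally the <result> value (pass, fail, notchecked, notselected, ...) of every <rule-result>."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rule_result.find(f"{{{XCCDF_NS}}}result")
        if result is not None and result.text:
            counts[result.text.strip()] += 1
    return counts


def scores(counts: Counter) -> tuple:
    """Return (raw, adjusted) percentages, rounded to two decimals.

    raw      = PASS / (PASS + FAIL + NOTCHECKED)  (what the report header shows)
    adjusted = PASS / (PASS + FAIL)               (applicable rules only)
    notselected rules (tailoring exclusions) are in neither denominator.
    """
    p, f, nc = counts["pass"], counts["fail"], counts["notchecked"]
    raw = 100 * p / (p + f + nc) if (p + f + nc) else 0.0
    adjusted = 100 * p / (p + f) if (p + f) else 0.0
    return round(raw, 2), round(adjusted, 2)


def make_sample_results(per_status: dict) -> str:
    """Constructed minimal XCCDF TestResult with the given number of rules per status."""
    body = "".join(
        f'<rule-result idref="xccdf_org.ssgproject.content_rule_{status}_{i}" weight="1.0">'
        f"<result>{status}</result></rule-result>"
        for status, n in per_status.items() for i in range(n)
    )
    return (f'<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_sample">'
            f"{body}</TestResult>")


# Constructed sample mirroring the published counts: 153 pass, 3 fail, 10 notchecked, 30 notselected.
SAMPLE = make_sample_results({"pass": 153, "fail": 3, "notchecked": 10, "notselected": 30})

if __name__ == "__main__":
    tallies = count_rule_results(SAMPLE)
    raw, adjusted = scores(tallies)
    print(f"raw {raw} % (PASS/(PASS+FAIL+NOTCHECKED)), adjusted {adjusted} % (PASS/(PASS+FAIL))")
```

Point `count_rule_results` at the real results XML instead of `SAMPLE` to check the published figures against the report itself.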

Positioning vs. competition

Product               | Score   | Scan report published                                     | Context                 | MAC / SELinux
Hardpipe              | 98.08 % | ✅ public HTML, replayable with oscap                      | EU (GDPR / NIS2 / RGS)  | SELinux permissive (policies loaded, full audit)
VMware vSphere (STIG) | 95 %    | ❌ STIG checklist public, vendor scan report not published | US / DoD                | Proprietary hypervisor, no SELinux
Nutanix AHV           | 90 %    | ❌ STIG checklist public, vendor scan report not published | US / Gov Cloud          | Rocky Linux 8 base (community RHEL rebuild, AOS ≥ 6.8) / CentOS 7 legacy, SELinux permissive by default
Proxmox VE            |         | ❌ no compliance claimed                                   | EU (Austria, community) | Debian base, optional AppArmor

Methodology note: the DISA STIG checklists for Nutanix Acropolis (NCP #1325, 03/2026) and VMware vSphere are public. Those are the rule sets. Neither Nutanix nor VMware, however, publishes a scan report against the STIG: their marketing scores (90%, 95%) are not auditable. Hardpipe publishes the full HTML OpenSCAP report — rule by rule, replayable with oscap.

SELinux note: like VMware (no SELinux) and Nutanix AHV (permissive by default), Hardpipe runs SELinux in permissive mode. Policies are loaded; all violations are audited in /var/log/audit. Full enforcing on the KubeVirt/Longhorn stack is ongoing pioneering upstream work (no vendor offers it today).

Underlying OS: enterprise vs community. According to Nutanix's official KB (KB-16977), AOS and Prism Central before version 6.8 run on CentOS 7 (EOL June 30, 2024); AOS 6.8+, AOS 6.10 LTS and PC 2024.1+ migrate to Rocky Linux 8. Both are community rebuilds of RHEL — no vendor support contract on the OS itself. Hardpipe, by contrast, runs on SL Micro 6.2, a SUSE enterprise distribution (European vendor) with commercial support available.

Technical stack

Workloads (KubeVirt VMs + containers)
KubeVirt · Longhorn · CDI · Multus
RKE2 (K8s) — cis profile
containerd · runc · SELinux enforcing
Hardened SL Micro 6.2 + OpenSCAP slmicro6_hardened + AIDE + auditd

Why Hardpipe

🇪🇺 Native EU context

Zero US-DoD references. Banners, documentation and regulatory mapping aligned with GDPR, NIS2, RGS. No dependency on a non-European vendor for hardening.

🔍 Verifiable, not announced

Our 98.08% is reproducible by any auditor with oscap. The full HTML report is available for inspection — no "trust us". Competitor DISA STIGs (Nutanix, VMware) publish the checklist, but no vendor scan report is publicly released for these products.

🔧 Reproducible, not opaque

Built via Dapper (upstream Harvester), hardening via hardening/files/ layer. Open-source hardening code, no proprietary binary blob.

📜 Documented, not magical

Every tailoring exception is justified (stig-exceptions.md). Every residual FAIL is analyzed. No rule is disabled without technical reason.

Audit evidence

The full OpenSCAP report, generated by upstream oscap, is available online:

Access to the evaluation ISO image is provided on request: contact@rgeu.eu.

Documentation

Target audience