Hardpipe: Hardened HCI Hypervisor (European Union edition)
At a glance
Hardpipe is a hardened derivative of SUSE Virtualization (Harvester v1.8) designed for EU regulated environments (GDPR, NIS2, RGS). It targets the functional equivalent of "Harvester Government US", without DoD/US references, with banners and documentation aligned with the EU context.
Key results
| Metric | Value |
|---|---|
| Adjusted OpenSCAP score | 98.08% (153/156 applicable rules) |
| Raw OpenSCAP score (report) | 92.17% (153/166; denominator includes 10 notchecked) |
| Profile used | slmicro6_hardened (upstream SSG) |
| Report | reports/oscap-v29-final.xml (audit-ready, HTML available) |
| Base OS | SL Micro 6.2 (hardened kernel, immutable rootfs) |
| K8s orchestration | RKE2 cis profile + service-account-extend-token-expiration=false |
| SELinux | permissive (policies loaded, full audit) |
The two numbers in the report
The OpenSCAP report shows 92.17% at the top of the page; we communicate 98.08%. This is not a hidden discrepancy; it is the choice of denominator:
- 92.17% = PASS / (PASS + FAIL + NOTCHECKED) = 153 / 166 (raw oscap score)
- 98.08% = PASS / (PASS + FAIL) = 153 / 156 (score adjusted to applicable rules)
The 10 "notchecked" rules are outside the evaluable scope (package missing, tools not packaged in SL Micro 6.2, etc.). This is standard in DISA / CIS / ANSSI compliance reports: a rule we cannot evaluate counts neither as success nor failure.
Both numbers are accurate. The full report is published so anyone can redo the math.
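To let an auditor redo the math on the published report, here is an added example (not Hardpipe's own code) that parses the per-rule results of an oscap XCCDF/ARF result file, counts the outcomes, lists the rules that failed, and computes both denominators described above. It assumes the report uses the XCCDF 1.2 namespace (the one oscap writes) and that `reports/oscap-v29-final.xml` is such a file; the sample XML and its rule identifiers are constructed for the demo.

```python
"""Recompute the raw and adjusted OpenSCAP scores from an XCCDF/ARF result file.

Added example, not part of the Hardpipe project. Usage:
    python oscap_score.py reports/oscap-v29-final.xml
Without an argument it runs on the constructed SAMPLE_REPORT below.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by oscap result files (ARF wraps a TestResult in it).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_RESULT = f"{{{XCCDF_NS}}}rule-result"
RESULT = f"{{{XCCDF_NS}}}result"

# Constructed sample: 5 pass, 1 fail, 2 notchecked, 1 notapplicable.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_testresult">
  <rule-result idref="xccdf_sample_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_accounts_password_minlen"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_auditd_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_aide_installed"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_sysctl_kptr_restrict"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_sudoers_validate_passwd"><result>fail</result></rule-result>
  <rule-result idref="xccdf_sample_rule_tool_not_packaged"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_sample_rule_other_tool_missing"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_sample_rule_fips_mode"><result>notapplicable</result></rule-result>
</TestResult>
"""


def count_results(xml_text: str) -> Counter:
    """Count every rule-result outcome (pass, fail, notchecked, notapplicable, ...)."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for rr in root.iter(RULE_RESULT):  # iter() recurses, so ARF wrappers are fine
        res = rr.find(RESULT)
        if res is not None and res.text:
            counts[res.text.strip()] += 1
    return counts


def failing_rules(xml_text: str) -> list:
    """Return the idrefs of rules with result 'fail', to reconcile against the exceptions table."""
    root = ET.fromstring(xml_text)
    fails = []
    for rr in root.iter(RULE_RESULT):
        res = rr.find(RESULT)
        if res is not None and res.text and res.text.strip() == "fail":
            fails.append(rr.get("idref", ""))
    return fails


def scores(passed: int, failed: int, notchecked: int) -> dict:
    """Both denominators from the page: raw includes notchecked, adjusted does not.

    Assumption: outcomes other than pass/fail/notchecked (notapplicable,
    notselected, informational) are excluded from both percentages.
    """
    raw_den = passed + failed + notchecked
    adj_den = passed + failed
    return {
        "raw": round(100 * passed / raw_den, 2) if raw_den else 0.0,
        "adjusted": round(100 * passed / adj_den, 2) if adj_den else 0.0,
    }


def score_report(xml_text: str) -> dict:
    """Full summary for one report: counts, both scores and the failing rule ids."""
    c = count_results(xml_text)
    summary = scores(c["pass"], c["fail"], c["notchecked"])
    summary.update(
        passed=c["pass"],
        failed=c["fail"],
        notchecked=c["notchecked"],
        fails=failing_rules(xml_text),
    )
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = score_report(text)
    print(f"pass={s['passed']} fail={s['failed']} notchecked={s['notchecked']}")
    print(f"raw score      = {s['raw']}%  (PASS / (PASS+FAIL+NOTCHECKED))")
    print(f"adjusted score = {s['adjusted']}%  (PASS / (PASS+FAIL))")
    for rule in s["fails"]:
        print(f"FAIL: {rule}")
```

Run against the published report, the `fail` list should match the residual-FAIL table and the two percentages should come out at 92.17% and 98.08%; with the constructed sample they are 62.5% and 83.33%.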
Positioning vs. competition
| Product | Announced score | Scan report published |
|---|---|---|
| Hardpipe v29 | 98.08% | Yes: public HTML, oscap replayable |
| VMware vSphere | 95% | No |
| Nutanix AHV | 90% | No |
The percentages announced by VMware and Nutanix are marketing figures: neither vendor publishes its actual scan report. Hardpipe publishes ours, rule by rule, replayable with oscap. Our 98.08% is the only auditable score in this comparison.
What's been done
- Reproducible build chain: Dapper + hardening layer injected into `package/harvester-os/Dockerfile`; no upstream fork.
- CIS OS: 60+ STIG controls applied at build (login.defs, sshd, PAM, pwquality, auditd, sysctl, AIDE, issue/motd, postfix, etc.).
- CIS RKE2: generic `cis` profile + override for CIS 1.11.
- SELinux permissive (policies loaded, full audit); full enforcing is ongoing upstream work.
- Native scan: oscap 1.3.6 sideloaded from Leap 15.6 (5 compat libs), SSG 0.1.80 from Tumbleweed (contains `slmicro6`).
- Documented tailoring: 30 non-applicable rules justified in `reports/stig-exceptions.md` (FIPS, smartcard, Elemental partitions, etc.).
- EU banner: generic CIS-aligned content (no US DoD), GDPR/NIS2/RGS.
- Debug packages removed: tcpdump/strace/fio/sysstat/iotop → container-toolbox.
Documented exceptions (30 tailoring rules)
All justified in `reports/stig-exceptions.md`:
- Separate partitions `/home`, `/var`, `/var/log`, `/var/log/audit`, `/tmp`: fixed Elemental layout (COS_STATE + COS_PERSISTENT overlay)
- FIPS mode: no certified FIPS kernel in SL Micro 6.2
- Smartcard/PKI: headless HCI, non-applicable
- `cracklib_*`: SL Micro uses `pwquality` (functional equivalent)
- `audit-audispd-plugins`, `systemd-journal-remote`: packages missing from repos
- `sysctl_net_ipv4_ip_forward=0`: required by Kubernetes (risk acceptance)
- `sudo_remove_nopasswd`: required for operational automation
3 residual FAILs (1.92%)
All are OVAL parse-strict artifacts or inheritance conflicts:
| Rule ID | Cause | Impact |
|---|---|---|
| aide_check_audit_tools + 2 AIDE | Parse-strict vs our valid config | None; AIDE operational |
| sudoers_validate_passwd | NOPASSWD for automation | Documented acceptance |
| permissions_local_var_log | /var/log 0755 (required by journald) | None |
Differentiators
- Evidence vs. claim: our 98.08% is scannable by any auditor with `oscap`
- EU context: zero US DoD references, banners and docs aligned to GDPR/NIS2/RGS
- Extensible: documented XML tailoring, reproducible Dapper build
- Open: hardening code available, no binary blob
Target audience
- European hosters (sovereignty)
- Public sector (RGS enhanced level)
- Healthcare (HDS + GDPR compliance)
- Critical industry (NIS2)
Next steps
- Certification / qualification (ANSSI, BSI, etc.)
- Upstream useful changes to SUSE SSG
- Publish rgeu.eu site (demo + ISO download)