My team is interested in whether or not Harvester HCI is updated routinely to patch STIG vulnerabilities. I am aware of the Harvester Government product, but curious if the open source version is STIG compliant. Thanks!
Great question. Here is what the official documentation and SUSE’s product landscape say about STIG compliance for Harvester:
Open-source Harvester (community version):
The open-source Harvester HCI project does not officially provide a STIG (Security Technical Implementation Guide) or guarantee routine STIG vulnerability patching as part of its release cycle. The project focuses on HCI functionality, and security hardening is largely left to the operator.
Harvester Government (SUSE Rancher Prime for Government):
SUSE offers a hardened, government-certified variant called Harvester Government (part of SUSE Rancher Prime for Government), which is specifically built to meet U.S. government security standards, including STIG compliance and FIPS 140-2 requirements. This is the product your team would want to evaluate if STIG compliance is a hard requirement.
What you can do with open-source Harvester:
- Harvester is built on SUSE Linux Micro (an immutable, security-focused OS), which has a hardened baseline.
- You can apply additional CIS (Center for Internet Security) benchmarks manually using RKE2's built-in hardening guides, as Harvester uses RKE2 under the hood.
- The Harvester OS uses an immutable design, which reduces the attack surface.

Recommendation:
If your team needs formal STIG compliance documentation and certified patches, contact SUSE about the Harvester Government offering through the SUSE Customer Center or SUSE sales. For the open-source version, STIG compliance would need to be achieved and maintained manually by your team.

Reference: Official Harvester docs > FAQ and SUSE Rancher Prime Government product page