diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
index 6acdf95eb38f..8311aa5ce764 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-87348-9
cce@rhel10: CCE-86596-4
+ cce@sle16: CCE-96693-7
{{{ complete_ocil_entry_package(package="kea") }}}
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 59e0d3880866..0fb185fef1b3 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel10: CCE-88826-3
cce@sle12: CCE-91463-0
cce@sle15: CCE-85761-5
+ cce@sle16: CCE-96690-3
references:
cis-csc: 11,14,3,9
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 754b1bf3d189..af8540441c24 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel9: CCE-84217-9
cce@rhel10: CCE-90511-7
cce@sle15: CCE-92601-4
+ cce@sle16: CCE-96684-6
references:
srg: SRG-OS-000355-GPOS-00143
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index c1e0d7193f3e..b30e4c6c31e3 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel10: CCE-88760-4
cce@sle12: CCE-91480-4
cce@sle15: CCE-91436-6
+ cce@sle16: CCE-96685-3
cce@slmicro5: CCE-93905-8
references:
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index a820ba060e8e..f43a54f14e32 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel10: CCE-86747-3
cce@sle12: CCE-91464-8
cce@sle15: CCE-91433-3
+ cce@sle16: CCE-96687-9
references:
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 3004f7fda063..7007c466955e 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel10: CCE-90657-8
cce@sle12: CCE-91456-4
cce@sle15: CCE-91432-5
+ cce@sle16: CCE-96689-5
cce@slmicro5: CCE-93900-9
references:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 7212a67f9415..6f472912698a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel9: CCE-83587-6
cce@rhel10: CCE-87388-5
cce@sle15: CCE-85842-3
+ cce@sle16: CCE-96664-8
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index d836a170849b..fd7925a755f1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel10: CCE-87975-9
cce@sle12: CCE-91468-9
cce@sle15: CCE-91171-9
+ cce@sle16: CCE-96663-0
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index e012ebd6b3f3..8bad63e27c08 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -29,6 +29,7 @@ identifiers:
cce@rhel9: CCE-83583-5
cce@rhel10: CCE-86672-3
cce@sle15: CCE-91169-3
+ cce@sle16: CCE-96665-5
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index bf6799d6f0f4..faa85597accf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -31,6 +31,7 @@ identifiers:
cce@rhel9: CCE-83588-4
cce@rhel10: CCE-89250-5
cce@sle15: CCE-85841-5
+ cce@sle16: CCE-96666-3
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
index daf063350cb8..bf8aeb3f469c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
@@ -6,7 +6,7 @@
{{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
{{% else %}}
{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
index cdef1f01f94e..3bca691a411c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -2,7 +2,7 @@
{{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
{{% elif product in ["debian12", "debian13"] %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
index e3d35e50f261..1ebd7c437550 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index f52c225f397d..f00a09c6d160 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Set number of Password Hashing Rounds - password-auth'
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,7 @@ description: |-
password [success=1 default=ignore] pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
{{% else %}}
password sufficient pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
-
+
The system's default number of rounds is 5000.
{{% endif %}}
@@ -67,5 +67,5 @@ fixtext: |-
{{% else %}}
password sufficient pam_unix.so sha512 rounds=5000
{{% endif %}}
-
+
srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.'
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
index f9f947d0bc79..e18fad5ddd4f 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -4,19 +4,25 @@
# complexity = low
# disruption = low
-- name: Configure daily log rotation in /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+{{% set LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" %}}
+{{% else %}}
+{{% set LOGROTATE_CONF_FILE="/etc/logrotate.conf" %}}
+{{% endif %}}
+
+- name: "Configure daily log rotation in {{{ LOGROTATE_CONF_FILE }}}"
ansible.builtin.lineinfile:
create: yes
- dest: "/etc/logrotate.conf"
+ dest: {{{ LOGROTATE_CONF_FILE }}}
regexp: '^\s*(weekly|monthly|yearly)$'
line: "daily"
state: present
insertbefore: BOF
-- name: Make sure daily log rotation setting is not overridden in /etc/logrotate.conf
+- name: "Make sure daily log rotation setting is not overridden in {{{ LOGROTATE_CONF_FILE }}}"
ansible.builtin.lineinfile:
create: no
- dest: "/etc/logrotate.conf"
+ dest: {{{ LOGROTATE_CONF_FILE }}}
regexp: '^[\s]*(weekly|monthly|yearly)$'
state: absent
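Review bot: The sle16 branch points both lineinfile tasks at `/usr/etc/logrotate.conf`, which on a layout that keeps vendor defaults under /usr/etc and administrator overrides under /etc (the layout this new path suggests) is a package-owned file: a logrotate update can silently revert the `daily` edit, and an existing `/etc/logrotate.conf` would presumably still take precedence over it. Unless SLE 16's logrotate really reads only the /usr/etc copy, consider keeping the target at `/etc/logrotate.conf` on sle16 as well (creating it from the vendor copy when absent), or add a comment above the `{{% if product == 'sle16' %}}` block explaining why the vendor file is edited. Separately, `dest: {{{ LOGROTATE_CONF_FILE }}}` drops the quotes the original had; `dest: "{{{ LOGROTATE_CONF_FILE }}}"` keeps the rendered task valid YAML whatever the macro expands to.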
@@ -39,7 +45,7 @@
- name: Add logrotate call
ansible.builtin.lineinfile:
path: "/etc/cron.daily/logrotate"
- line: '/usr/sbin/logrotate /etc/logrotate.conf'
- regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+ line: '/usr/sbin/logrotate {{{ LOGROTATE_CONF_FILE }}}'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*{{{ LOGROTATE_CONF_FILE }}}$'
create: yes
{{% endif %}}
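Review bot: On sle16 the cron.daily entry now runs `/usr/sbin/logrotate /usr/etc/logrotate.conf` explicitly, so any administrator configuration placed in `/etc/logrotate.conf` (the conventional override location, if SLE 16 follows the /usr/etc-vendor, /etc-override scheme the new path implies) would be bypassed by the daily job. If that is the case, `line: '/usr/sbin/logrotate /etc/logrotate.conf'` is the safer choice, or the job should be left to the package's own timer. The regexp on the following line also interpolates the path unescaped, so the `.` in `logrotate.conf` matches any character; escape it when the value is substituted into a pattern.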
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
index c55cd9de94a6..82446d128faa 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
@@ -1,6 +1,10 @@
# platform = multi_platform_all
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE='/usr/etc/logrotate.conf'
+{{% else %}}
+LOGROTATE_CONF_FILE='/etc/logrotate.conf'
+{{% endif %}}
{{% if 'sle' in product or product == 'slmicro5' %}}
SYSTEMCTL_EXEC='/usr/bin/systemctl'
{{% else %}}
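Review bot: The bash remediation edits `/usr/etc/logrotate.conf` in place on sle16, and the rest of this script (outside the hunk) presumably rewrites it with sed like the other products; if /usr/etc holds the package's pristine defaults on SLE 16, that edit is lost on the next logrotate update and does not take effect where an `/etc/logrotate.conf` exists. A more durable sequence is `[ -e /etc/logrotate.conf ] || cp /usr/etc/logrotate.conf /etc/logrotate.conf` followed by editing `/etc/logrotate.conf`, with the same path used by the OVAL check. Whichever path is kept, a short comment stating the SLE 16 configuration precedence would save the next reader from having to verify it.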
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
index fc8a7ba8688b..762e706a563d 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
@@ -25,7 +25,11 @@
+{{% if product == 'sle16' %}}
+ /usr/etc/logrotate.conf
+{{% else %}}
/etc/logrotate.conf
+{{% endif %}}
^\s*daily[\s#]*$
1
@@ -37,7 +41,11 @@
+{{% if product == 'sle16' %}}
+ /usr/etc/logrotate.conf
+{{% else %}}
/etc/logrotate.conf
+{{% endif %}}
^\s*(weekly|monthly|yearly)[\s#]*$
1
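Review bot: The sle16 check only inspects `/usr/etc/logrotate.conf` for `daily` and for the absence of `weekly|monthly|yearly`, so a system whose administrator set `weekly` in `/etc/logrotate.conf` — which, if SLE 16 uses the usual vendor-in-/usr/etc, override-in-/etc scheme, is the file logrotate would actually honour — still passes, while the remediation's edit to the vendor file can be undone by a package update without the check noticing. If that layout applies, evaluate `/etc/logrotate.conf` when it exists and fall back to `/usr/etc/logrotate.conf` otherwise (a second textfilecontent54 object on the /etc path combined in the criteria), or document in the rule that only the vendor configuration is assessed. The element tags are stripped in this rendering, so the surrounding criteria structure is inferred from the visible path, pattern and instance values.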
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
index de41c7b2844b..7e3bf2ae36ac 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
@@ -1,3 +1,8 @@
#!/bin/bash
-sed -i "s/daily/weekly/" /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+sed -i "s/daily/weekly/" "${LOGROTATE_CONF_FILE}"
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
index 86b1ca86090d..9ae01cc789bd 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
@@ -2,11 +2,17 @@
# packages = logrotate,crontabs
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+
# disable the timer
systemctl disable logrotate.timer || true
# fix logrotate config
-sed -i "s/weekly/daily/" /etc/logrotate.conf
+sed -i "s/weekly/daily/" "${LOGROTATE_CONF_FILE}"
# remove default for cron.daily
rm -f /etc/cron.daily/logrotate
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
index 9488675532ca..2b6704e6c378 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -15,6 +15,7 @@ identifiers:
cce@rhel10: CCE-88386-8
cce@sle12: CCE-91520-7
cce@sle15: CCE-91205-5
+ cce@sle16: CCE-96669-7
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
index c3a61454b8e4..b3c83e6a668a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-88001-3
cce@rhel9: CCE-89001-2
cce@rhel10: CCE-89975-7
+ cce@sle16: CCE-96672-1
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}}
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
index d21952c3300d..f6325c7cfb07 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel9: CCE-85884-5
cce@rhel10: CCE-87125-1
+ cce@sle16: CCE-96680-4
references:
nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
index bcf733e4ad0a..9a6b3ba2e0f4 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel9: CCE-85885-2
cce@rhel10: CCE-90354-2
+ cce@sle16: CCE-96679-6
references:
nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
new file mode 100644
index 000000000000..8dfea23acad8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
@@ -0,0 +1,28 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount'
+ ansible.builtin.lineinfile:
+ path: /usr/lib/systemd/system/tmp.mount
+ regexp: ^[\s]*Options=[\s]*.*noexec.*$
+ state: absent
+ check_mode: true
+ register: noexec_match
+
+# if no match, collect current options and add noexec
+- name: '{{{ rule_title }}} - Collect previously configured options'
+ ansible.builtin.shell:
+ cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount
+ register: current_options
+ when:
+ - noexec_match is defined and noexec_match.found == 0
+
+
+- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
+ ansible.builtin.shell:
+ cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
+ when:
+ - noexec_match.found == 0 and current_options is defined
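Review bot: When the unit has no `Options=` line at all, `current_options` is still registered (with empty stdout), the final `sed -i "s/^Options=.*/..."` matches nothing, and the remediation reports success without changing anything — the bash variant of this rule handles that case, the Ansible one does not; an `Options=` line with an empty value would also be turned into `Options=,noexec`. The rewrite below adds a lineinfile task that inserts `Options=noexec` after `[Mount]` (or replaces an empty `Options=`) and restricts the sed task to the non-empty case. Separately, editing the vendor unit `/usr/lib/systemd/system/tmp.mount` is liable to be overwritten by a systemd package update; a drop-in under `/etc/systemd/system/tmp.mount.d/` is the durable location, though switching to it would require the sle16 OVAL check to look there too.
```yaml
# … unchanged: noexec_match check and current_options collection …

- name: '{{{ rule_title }}} - Add Options=noexec when the unit has no options'
  ansible.builtin.lineinfile:
    path: /usr/lib/systemd/system/tmp.mount
    regexp: '^\s*Options=\s*$'
    insertafter: '^\[Mount\]'
    line: Options=noexec
  when:
    - noexec_match.found == 0
    - current_options.stdout | default('') | length == 0

- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
  ansible.builtin.shell:
    cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
  when:
    - noexec_match.found == 0
    - current_options.stdout | default('') | length > 0
```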
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
new file mode 100644
index 000000000000..9f694b9bb9d3
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
@@ -0,0 +1,23 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+tmp_mount_file="/usr/lib/systemd/system/tmp.mount"
+
+# if already set, skip
+if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then
+ echo "noexec option already present, skipping remediation"
+ exit 0
+fi
+
+# no options set, add it
+if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then
+ echo "Options=noexec" >> ${tmp_mount_file}
+else
+ # collect currently set options
+ current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file})
+ # add noexec to current options and replace
+ sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file}
+fi
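Review bot: `[\s]` in `grep -E` (and inside a sed bracket expression) is a bracket expression matching a literal backslash or the letter `s`, not whitespace, so the three patterns here only work because systemd unit keys normally start at column 0; use `grep -qE '^[[:space:]]*Options=.*noexec'` and `sed -n 's/^[[:space:]]*Options=[[:space:]]*\(.*\)$/\1/p'` instead. In the no-options branch `echo "Options=noexec" >>` appends to the end of the file, which lands in whatever section is last (an `[Install]` section, if the unit has one) where systemd ignores it; insert it after the section header with `sed -i '/^\[Mount\]/a Options=noexec' "${tmp_mount_file}"`. An existing but empty `Options=` line currently becomes `Options=,noexec`; `Options=${current_options:+${current_options},}noexec` avoids the leading comma. As with the Ansible variant, editing the vendor unit under /usr/lib/systemd/system is fragile across package updates; a drop-in under /etc/systemd/system/tmp.mount.d/ is the usual durable place.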
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
new file mode 100644
index 000000000000..81bec910ddfd
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
@@ -0,0 +1,18 @@
+
+
+ {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}}
+
+
+
+
+
+
+
+
+
+ /usr/lib/systemd/system/tmp.mount
+ ^[\s]*Options=.*noexec.*$
+ 1
+
+
+
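Review bot: The check passes as soon as `noexec` appears on an `Options=` line in `/usr/lib/systemd/system/tmp.mount`, regardless of whether that unit is what actually mounts /tmp: a drop-in in `/etc/systemd/system/tmp.mount.d/` or a copy in `/etc/systemd/system/tmp.mount` that overrides `Options=` without noexec is invisible to it, a masked or disabled tmp.mount with /tmp on the root filesystem still passes, and a correctly hardened system that used a drop-in rather than editing the vendor unit fails. Since the sle16 platform was switched away from `mount[tmp]`, consider also checking the live mount options (`/proc/mounts` or the fstab/mount objects the shared rule uses), or at least adding objects for the /etc override paths and combining them in the criteria. The element tags are stripped in this rendering, so the criteria structure is inferred from the visible path, pattern and instance values; the `.*noexec.*` pattern would also match a value such as `noexec` embedded in another token, so anchoring on a comma or line boundary (`(^|,)noexec(,|$)`) is tighter.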
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 735018892a8c..75fb0ec5f6c6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel10: CCE-87095-6
cce@sle12: CCE-91586-8
cce@sle15: CCE-91272-5
+ cce@sle16: CCE-96696-0
cce@slmicro5: CCE-94079-1
references:
@@ -39,7 +40,7 @@ references:
srg: SRG-OS-000368-GPOS-00154
stigid@ol8: OL08-00-040125
-{{% if product == 'slmicro5' %}}
+{{% if product in ['slmicro5', 'sle16'] %}}
platform: system_with_kernel
{{% else %}}
platform: mount[tmp]
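Review bot: With `platform: system_with_kernel` the rule now applies to every SLE 16 system, including ones where tmp.mount is not enabled and /tmp lives on the root filesystem; because the sle16 check only inspects the unit file, such a system can pass with no noexec in effect, and nothing in the rule text warns about that. Add a `warnings:` entry or a sentence in the description for sle16 stating that the systemd tmp.mount unit is verified rather than the mounted filesystem, and that tmp.mount must be enabled for the setting to matter. If the intent is to enforce noexec on /tmp regardless of how it is mounted, keeping `mount[tmp]` as the platform and checking the live mount is the more faithful check. The `platform:` block continues past the hunk, so only this branch is visible.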
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 53af78ce203b..d2d1e2cf9284 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -16,6 +16,7 @@ identifiers:
cce@rhel8: CCE-82974-7
cce@rhel9: CCE-83957-1
cce@rhel10: CCE-89405-5
+ cce@sle16: CCE-96676-2
references:
nist: AC-6,SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 2c6e83019b64..3a56b472e039 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -20,6 +20,7 @@ identifiers:
cce@rhel10: CCE-88785-1
cce@sle12: CCE-91572-8
cce@sle15: CCE-91262-6
+ cce@sle16: CCE-96674-7
references:
nist: SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index e05977fecfbb..d67f456472e3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -17,6 +17,7 @@ identifiers:
cce@rhel8: CCE-82934-1
cce@rhel9: CCE-83966-2
cce@rhel10: CCE-89631-6
+ cce@sle16: CCE-96674-7
references:
nist: CM-6,SC-7(10)
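Review bot: `CCE-96674-7` is assigned here to sysctl_net_core_bpf_jit_harden but the same identifier was added to sysctl_kernel_yama_ptrace_scope earlier in this change; CCE identifiers must be unique per rule, and a duplicate will be rejected by the project's CCE consistency tests and makes the two rules indistinguishable in downstream mappings. One of the two needs a different unused identifier taken from the sle16 CCE pool — the surrounding assignments suggest a neighbouring number was intended, but it should be looked up rather than guessed.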
diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile
index f93536a0114c..d93e440d079a 100644
--- a/products/sle16/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle16/profiles/anssi_bp28_enhanced.profile
@@ -27,71 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
- '!all_apparmor_profiles_enforced'
- '!apparmor_configured'
- - '!audit_rules_dac_modification_fchmodat2'
- - '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_immutable'
- - '!audit_rules_mac_modification_etc_selinux'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- '!file_groupowner_user_cfg'
- '!file_owner_user_cfg'
- '!file_permissions_sudo'
- '!file_permissions_user_cfg'
- '!grub2_enable_apparmor'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
- '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- '!package_dracut-fips-aesni_installed'
- - '!package_kea_removed'
- '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!service_chronyd_enabled'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
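Review bot: Dropping `'!package_sequoia-sq_installed'` means the profile now relies on that rule being applicable on SLE 16 whenever the ANSSI controls select it, but nothing in this change adds an sle16 identifier, platform or remediation for it as was done for the other de-excluded rules (`package_kea_removed`, `service_chronyd_enabled`, the sysctl and faillock rules, `mount_option_tmp_noexec`); whether SLE 16 ships a package by that name is not visible here, so please confirm it resolves on sle16 before the exclusion is removed, otherwise it becomes an unremediable failure in the enhanced and high profiles. The other removals look consistent with the CCE and remediation additions elsewhere in this change.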
diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile
index 9884a6c214f5..c0c4fd81912c 100644
--- a/products/sle16/profiles/anssi_bp28_high.profile
+++ b/products/sle16/profiles/anssi_bp28_high.profile
@@ -27,99 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
- '!aide_periodic_cron_checking'
- '!all_apparmor_profiles_enforced'
- '!apparmor_configured'
- - '!audit_rules_dac_modification_fchmodat2'
- - '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_immutable'
- - '!audit_rules_mac_modification_etc_selinux'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- '!file_groupowner_user_cfg'
- '!file_owner_user_cfg'
- '!file_permissions_sudo'
- '!file_permissions_user_cfg'
- '!grub2_enable_apparmor'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
- '!kernel_config_arm64_sw_ttbr0_pan'
- - '!kernel_config_bug_on_data_corruption'
- - '!kernel_config_debug_wx'
- - '!kernel_config_fortify_source'
- '!kernel_config_gcc_plugin_latent_entropy'
- '!kernel_config_gcc_plugin_randstruct'
- '!kernel_config_gcc_plugin_stackleak'
- '!kernel_config_gcc_plugin_structleak_byref_all'
- '!kernel_config_gcc_plugin_structleak'
- - '!kernel_config_hardened_usercopy_fallback'
- - '!kernel_config_hardened_usercopy'
- '!kernel_config_legacy_vsyscall_emulate'
- - '!kernel_config_legacy_vsyscall_none'
- - '!kernel_config_legacy_vsyscall_xonly'
- '!kernel_config_modify_ldt_syscall'
- - '!kernel_config_page_poisoning'
- '!kernel_config_refcount_full'
- - '!kernel_config_sched_stack_end_check'
- - '!kernel_config_slab_freelist_hardened'
- - '!kernel_config_slab_freelist_random'
- '!kernel_config_slab_merge_default'
- - '!kernel_config_stackprotector_strong'
- - '!kernel_config_stackprotector'
- - '!kernel_config_strict_kernel_rwx'
- - '!kernel_config_strict_module_rwx'
- - '!kernel_config_vmap_stack'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
- '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- '!package_dracut-fips-aesni_installed'
- - '!package_kea_removed'
- '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- '!sebool_secure_mode_insmod'
- - '!service_chronyd_enabled'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
- '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile
index dd68326e7307..5fbf1d3ee013 100644
--- a/products/sle16/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle16/profiles/anssi_bp28_intermediary.profile
@@ -27,56 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
+ - '!all_apparmor_profiles_enforced'
+ - '!apparmor_configured'
+ - '!audit_rules_immutable'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
+ - '!file_groupowner_user_cfg'
+ - '!file_owner_user_cfg'
+ - '!file_permissions_sudo'
+ - '!file_permissions_user_cfg'
+ - '!grub2_enable_apparmor'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
+ - '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- - '!package_kea_removed'
+ - '!package_dracut-fips-aesni_installed'
+ - '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
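Review bot: The newly excluded `!audit_rules_immutable`, `!aide_periodic_cron_checking`, `!file_permissions_sudo` and the AppArmor group (`!apparmor_configured`, `!all_apparmor_profiles_enforced`, `!grub2_enable_apparmor`, `!package_apparmor_installed`, `!package_pam_apparmor_installed`) drop real controls from the intermediary profile with no stated reason, so a later maintainer cannot tell "not applicable to SLE 16" from "not yet implemented". The AppArmor exclusions are presumably because the platform uses SELinux (the SELinux-specific `!sebool_secure_mode_insmod` appearing next to them suggests SELinux rules are in scope), but that is inferred, not visible in this hunk. I would group the exclusions and annotate each group, e.g. `# AppArmor rules do not apply: SLE 16 uses SELinux` and `# audit_rules_immutable / aide_periodic_cron_checking: <reason or tracking issue>`, and for any rule that is merely unimplemented reference the follow-up rather than leaving a silent gap.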
diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile
index 0fbb44696a92..441229a07086 100644
--- a/products/sle16/profiles/anssi_bp28_minimal.profile
+++ b/products/sle16/profiles/anssi_bp28_minimal.profile
@@ -27,39 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
+ - '!all_apparmor_profiles_enforced'
+ - '!apparmor_configured'
+ - '!audit_rules_immutable'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!file_groupowner_user_cfg'
+ - '!file_owner_user_cfg'
+ - '!file_permissions_sudo'
+ - '!file_permissions_user_cfg'
+ - '!grub2_enable_apparmor'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
+ - '!ldap_client_start_tls'
+ - '!ldap_client_tls_cacertpath'
+ - '!no_nis_in_nsswitch'
+ - '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- - '!package_kea_removed'
+ - '!package_dracut-fips-aesni_installed'
+ - '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!set_password_hashing_algorithm_systemauth'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
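Review bot: The minimal profile now also excludes `!ldap_client_start_tls` and `!ldap_client_tls_cacertpath` (new lines here, unlike in the intermediary profile where they were already present), together with `!audit_rules_immutable` and `!sebool_secure_mode_insmod`, and none of these carry a reason. Dropping the LDAP TLS rules means an LDAP client configured on such a host is no longer checked for cleartext binds; if the rules are excluded because the path or package they check is not shipped on SLE 16 that is worth stating, and if they are simply unimplemented an adapted rule would serve better than a silent gap. I would add a one-line comment per exclusion group, e.g. `# ldap_client_*: rule targets a config path not shipped on SLE 16 -- TODO confirm`, so the reason can be re-examined later.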
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 8bcd4bec988c..1db802d3d50d 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -809,7 +809,7 @@ pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
{{% if product in ['sle15', 'sle16'] %}}
# insert before pam_unix.so
- sed -i --follow-symlinks '/^auth.*required.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file"
{{% else %}}
# insert at the top
sed -i --follow-symlinks '/^# here are the per-package modules/i auth required pam_faillock.so preauth' "$pam_file"
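Review bot: The relaxed `/^auth.*pam_unix\.so.*/i` pattern inserts the preauth line before every matching auth entry and does nothing when none exists, and neither outcome is checked: a common-auth without an `auth … pam_unix.so` line leaves faillock preauth silently missing while the remediation still reports success, and a stack with two such lines gets a duplicate preauth entry. The `grep -qE` guard above only tests the pre-state. I would re-check after the sed and fail loudly, e.g. `grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth' "$pam_file" || { echo "could not insert pam_faillock preauth into $pam_file" >&2; exit 1; }`, and note in a comment that the match is deliberately control-agnostic because the pam_unix control is rewritten later in this remediation. The enclosing remediation block starts before this hunk.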
@@ -846,6 +846,19 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
echo 'account required pam_faillock.so' >> "$pam_file"
{{% endif %}}
fi
+
+{{% if product in ['sle15', 'sle16'] %}}
+{{{
+ bash_ensure_pam_module_configuration(
+ '/etc/pam.d/common-auth',
+ 'auth',
+ '\[success=1 default=ignore\]',
+ 'pam_unix.so',
+ '',
+ '',
+ '')
+}}}
+{{% endif %}}
{{% elif 'ubuntu' in product %}}
conf_name=cac_faillock
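Review bot: Forcing the pam_unix.so control to `[success=1 default=ignore]` only produces the intended lockout behaviour if the very next auth line is the `pam_faillock.so authfail` entry with a dying control and the stack ends in a denying module: with `default=ignore` a wrong password no longer fails the stack on its own, and `success=1` skips whichever line happens to follow pam_unix.so. The authfail insertion is not in this hunk and no terminal `pam_deny.so` is visible for SLE common-auth here, so I would verify the line directly after pam_unix.so is the authfail entry before rewriting the control, and document the invariant above the macro call, e.g. `# pam_unix must be [success=1 default=ignore] so a failed password falls through to the pam_faillock authfail line, which must be the very next auth entry`. The enclosing faillock remediation block extends beyond this hunk.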
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index 32b21dd878c5..26c3e6e170bd 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -419,20 +419,3 @@ CCE-96656-4
CCE-96657-2
CCE-96659-8
CCE-96662-2
-CCE-96663-0
-CCE-96664-8
-CCE-96665-5
-CCE-96666-3
-CCE-96669-7
-CCE-96672-1
-CCE-96674-7
-CCE-96676-2
-CCE-96679-6
-CCE-96680-4
-CCE-96684-6
-CCE-96685-3
-CCE-96687-9
-CCE-96689-5
-CCE-96690-3
-CCE-96693-7
-CCE-96696-0