From 7d18a37672c945341c591c5411d0c4898f5302bd Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:55:32 +0200
Subject: [PATCH 01/18] Enable for sle16 package_kea_removed rule
---
.../dhcp/disabling_dhcp_server/package_kea_removed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
index 6acdf95eb38f..8311aa5ce764 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-87348-9
cce@rhel10: CCE-86596-4
+ cce@sle16: CCE-96693-7
{{{ complete_ocil_entry_package(package="kea") }}}
From 5a04c2abf6c70d46ebf7c797a1369e005ad3bcf6 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:56:03 +0200
Subject: [PATCH 02/18] Enable for sle16 package_sendmail_removed rule
---
linux_os/guide/services/mail/package_sendmail_removed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 59e0d3880866..0fb185fef1b3 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel10: CCE-88826-3
cce@sle12: CCE-91463-0
cce@sle15: CCE-85761-5
+ cce@sle16: CCE-96690-3
references:
cis-csc: 11,14,3,9
From 7b3fe7ebc89cdf32f2f4bbb06808bb23e73c0c18 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:57:39 +0200
Subject: [PATCH 03/18] Enable for sle16 service_chronyd_enabled rule
---
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 754b1bf3d189..af8540441c24 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel9: CCE-84217-9
cce@rhel10: CCE-90511-7
cce@sle15: CCE-92601-4
+ cce@sle16: CCE-96684-6
references:
srg: SRG-OS-000355-GPOS-00143
From 76d1276b557bdcbcbf4da210d141fdeed84411e2 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:00:53 +0200
Subject: [PATCH 04/18] Enable for sle16 package_xinetd_removed rule
---
.../obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index c1e0d7193f3e..b30e4c6c31e3 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel10: CCE-88760-4
cce@sle12: CCE-91480-4
cce@sle15: CCE-91436-6
+ cce@sle16: CCE-96685-3
cce@slmicro5: CCE-93905-8
references:
From ea0a5634158f6019801f9cc57b299bb85925e216 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:01:44 +0200
Subject: [PATCH 05/18] Enable for sle16 package_talk-server_removed rule
---
.../services/obsolete/talk/package_talk-server_removed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index a820ba060e8e..f43a54f14e32 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel10: CCE-86747-3
cce@sle12: CCE-91464-8
cce@sle15: CCE-91433-3
+ cce@sle16: CCE-96687-9
references:
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
From 2534ea1120e91bd67264738fb70ba1dd71df9175 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:02:10 +0200
Subject: [PATCH 06/18] Enable for sle16 package_talk_removed rule
---
.../guide/services/obsolete/talk/package_talk_removed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 3004f7fda063..7007c466955e 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel10: CCE-90657-8
cce@sle12: CCE-91456-4
cce@sle15: CCE-91432-5
+ cce@sle16: CCE-96689-5
cce@slmicro5: CCE-93900-9
references:
From 4e54e8880adc742433836fbf6e7e2405900e5ae8 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:04:03 +0200
Subject: [PATCH 07/18] Add accounts_passwords_pam_faillock rules for sle16
---
.../accounts_passwords_pam_faillock_deny/rule.yml | 1 +
.../accounts_passwords_pam_faillock_deny_root/rule.yml | 1 +
.../accounts_passwords_pam_faillock_interval/rule.yml | 1 +
.../accounts_passwords_pam_faillock_unlock_time/rule.yml | 1 +
4 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 7212a67f9415..6f472912698a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel9: CCE-83587-6
cce@rhel10: CCE-87388-5
cce@sle15: CCE-85842-3
+ cce@sle16: CCE-96664-8
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index d836a170849b..fd7925a755f1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel10: CCE-87975-9
cce@sle12: CCE-91468-9
cce@sle15: CCE-91171-9
+ cce@sle16: CCE-96663-0
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index e012ebd6b3f3..8bad63e27c08 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -29,6 +29,7 @@ identifiers:
cce@rhel9: CCE-83583-5
cce@rhel10: CCE-86672-3
cce@sle15: CCE-91169-3
+ cce@sle16: CCE-96665-5
references:
cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index bf6799d6f0f4..faa85597accf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -31,6 +31,7 @@ identifiers:
cce@rhel9: CCE-83588-4
cce@rhel10: CCE-89250-5
cce@sle15: CCE-85841-5
+ cce@sle16: CCE-96666-3
references:
cis-csc: 1,12,15,16
From 508a3d497e7482857f51bc97309f144ebeb4611d Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:21:40 +0200
Subject: [PATCH 08/18] Adapt for SLE15/16 bash_ensure_pam_module_configuration
macro
---
shared/macros/10-bash.jinja | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 8bcd4bec988c..1db802d3d50d 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -809,7 +809,7 @@ pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
{{% if product in ['sle15', 'sle16'] %}}
# insert before pam_unix.so
- sed -i --follow-symlinks '/^auth.*required.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file"
+ sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file"
{{% else %}}
# insert at the top
sed -i --follow-symlinks '/^# here are the per-package modules/i auth required pam_faillock.so preauth' "$pam_file"
@@ -846,6 +846,19 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
echo 'account required pam_faillock.so' >> "$pam_file"
{{% endif %}}
fi
+
+{{% if product in ['sle15', 'sle16'] %}}
+{{{
+ bash_ensure_pam_module_configuration(
+ '/etc/pam.d/common-auth',
+ 'auth',
+ '\[success=1 default=ignore\]',
+ 'pam_unix.so',
+ '',
+ '',
+ '')
+}}}
+{{% endif %}}
{{% elif 'ubuntu' in product %}}
conf_name=cac_faillock
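Review bot: The `bash_ensure_pam_module_configuration` call added at the end of the sle15/sle16 branch rewrites the pam_unix.so control in common-auth to `[success=1 default=ignore]`, which is only correct if the auth line immediately after pam_unix.so is the pam_faillock.so authfail entry the skip is meant to land on; nothing in this hunk shows where that line is placed, so the ordering dependency is invisible to a reader of this block. A comment above the call would make it explicit, e.g. `# pam_unix.so skips one module on success: it must be followed directly by the pam_faillock.so authfail line`. It is also worth confirming the call is a no-op on re-run once pam_unix.so already carries that control, since the loosened preauth regex in the first hunk of this patch now matches that form as well. The enclosing macro body starts before this hunk and continues after it.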
From 604a90aabe0487d10040ad2ecac799fd76cd9199 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:06:05 +0200
Subject: [PATCH 09/18] Add accounts_password_pam_unix_rounds_password_auth
rule and remediations for sle16
---
.../ansible/shared.yml | 2 +-
.../bash/shared.sh | 2 +-
.../oval/shared.xml | 2 +-
.../rule.yml | 6 +++---
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
index daf063350cb8..bf8aeb3f469c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
@@ -6,7 +6,7 @@
{{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
{{% else %}}
{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
index cdef1f01f94e..3bca691a411c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -2,7 +2,7 @@
{{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
{{% elif product in ["debian12", "debian13"] %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
index e3d35e50f261..1ebd7c437550 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index f52c225f397d..f00a09c6d160 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Set number of Password Hashing Rounds - password-auth'
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,7 @@ description: |-
password [success=1 default=ignore] pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
{{% else %}}
password sufficient pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
-
+
The system's default number of rounds is 5000.
{{% endif %}}
@@ -67,5 +67,5 @@ fixtext: |-
{{% else %}}
password sufficient pam_unix.so sha512 rounds=5000
{{% endif %}}
-
+
srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.'
From 172fd34c25160dc7270c96e2edb87d9358d5a847 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:07:34 +0200
Subject: [PATCH 10/18] Enabe for sle16 ensure_logrotate_activated rule
---
.../ansible/shared.yml | 18 ++++++++++++------
.../ensure_logrotate_activated/bash/shared.sh | 6 +++++-
.../ensure_logrotate_activated/oval/shared.xml | 8 ++++++++
.../tests/logrotate_conf_weekly.fail.sh | 7 ++++++-
.../logrotate_no_cron_daily_no_timer.fail.sh | 8 +++++++-
5 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
index f9f947d0bc79..e18fad5ddd4f 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -4,19 +4,25 @@
# complexity = low
# disruption = low
-- name: Configure daily log rotation in /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+{{% set LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" %}}
+{{% else %}}
+{{% set LOGROTATE_CONF_FILE="/etc/logrotate.conf" %}}
+{{% endif %}}
+
+- name: "Configure daily log rotation in {{{ LOGROTATE_CONF_FILE }}}"
ansible.builtin.lineinfile:
create: yes
- dest: "/etc/logrotate.conf"
+ dest: {{{ LOGROTATE_CONF_FILE }}}
regexp: '^\s*(weekly|monthly|yearly)$'
line: "daily"
state: present
insertbefore: BOF
-- name: Make sure daily log rotation setting is not overridden in /etc/logrotate.conf
+- name: "Make sure daily log rotation setting is not overridden in {{{ LOGROTATE_CONF_FILE }}}"
ansible.builtin.lineinfile:
create: no
- dest: "/etc/logrotate.conf"
+ dest: {{{ LOGROTATE_CONF_FILE }}}
regexp: '^[\s]*(weekly|monthly|yearly)$'
state: absent
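Review bot: The two `dest: {{{ LOGROTATE_CONF_FILE }}}` lines drop the quotes the original `dest: "/etc/logrotate.conf"` carried, while the new `name:` lines keep theirs; the rendered path is a harmless plain scalar today, but `dest: "{{{ LOGROTATE_CONF_FILE }}}"` is consistent with the rest of the task and guards against a future value that starts with a YAML indicator or contains `: `. Separately, if `/usr/etc/logrotate.conf` is the package-shipped default on sle16, as the path suggests, a remediation that writes into it is liable to be reverted by a package update — worth confirming whether logrotate there honours an `/etc/logrotate.conf` override the rule could target instead; the same path is used by the bash, OVAL and test hunks of this patch.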
@@ -39,7 +45,7 @@
- name: Add logrotate call
ansible.builtin.lineinfile:
path: "/etc/cron.daily/logrotate"
- line: '/usr/sbin/logrotate /etc/logrotate.conf'
- regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+ line: '/usr/sbin/logrotate {{{ LOGROTATE_CONF_FILE }}}'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*{{{ LOGROTATE_CONF_FILE }}}$'
create: yes
{{% endif %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
index c55cd9de94a6..82446d128faa 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
@@ -1,6 +1,10 @@
# platform = multi_platform_all
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE='/usr/etc/logrotate.conf'
+{{% else %}}
+LOGROTATE_CONF_FILE='/etc/logrotate.conf'
+{{% endif %}}
{{% if 'sle' in product or product == 'slmicro5' %}}
SYSTEMCTL_EXEC='/usr/bin/systemctl'
{{% else %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
index fc8a7ba8688b..762e706a563d 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
@@ -25,7 +25,11 @@
+{{% if product == 'sle16' %}}
+ /usr/etc/logrotate.conf
+{{% else %}}
/etc/logrotate.conf
+{{% endif %}}
^\s*daily[\s#]*$
1
@@ -37,7 +41,11 @@
+{{% if product == 'sle16' %}}
+ /usr/etc/logrotate.conf
+{{% else %}}
/etc/logrotate.conf
+{{% endif %}}
^\s*(weekly|monthly|yearly)[\s#]*$
1
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
index de41c7b2844b..7e3bf2ae36ac 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
@@ -1,3 +1,8 @@
#!/bin/bash
-sed -i "s/daily/weekly/" /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+sed -i "s/daily/weekly/" "${LOGROTATE_CONF_FILE}"
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
index 86b1ca86090d..9ae01cc789bd 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
@@ -2,11 +2,17 @@
# packages = logrotate,crontabs
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+
# disable the timer
systemctl disable logrotate.timer || true
# fix logrotate config
-sed -i "s/weekly/daily/" /etc/logrotate.conf
+sed -i "s/weekly/daily/" "${LOGROTATE_CONF_FILE}"
# remove default for cron.daily
rm -f /etc/cron.daily/logrotate
From b4039b8341b91a19b5bf83f87cbabae34e6a24d1 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:08:39 +0200
Subject: [PATCH 11/18] Enable for sle16 sysctl_net_ipv6_conf_all_autoconf rule
---
.../configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
index 9488675532ca..2b6704e6c378 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -15,6 +15,7 @@ identifiers:
cce@rhel10: CCE-88386-8
cce@sle12: CCE-91520-7
cce@sle15: CCE-91205-5
+ cce@sle16: CCE-96669-7
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}}
From 1acfc5954564b3b2aa533cc9372dfff380512ef3 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:13:32 +0200
Subject: [PATCH 12/18] Enable sysctl_net_ipv4_conf_all_drop_gratuitous_arp for
sle16
---
.../sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
index c3a61454b8e4..b3c83e6a668a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-88001-3
cce@rhel9: CCE-89001-2
cce@rhel10: CCE-89975-7
+ cce@sle16: CCE-96672-1
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}}
From a58129e273cd58820dc56d98b7e70f6546c9ede2 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:14:21 +0200
Subject: [PATCH 13/18] Enable for sle16 sysctl_fs_protected* rules
---
.../system/permissions/files/sysctl_fs_protected_fifos/rule.yml | 1 +
.../permissions/files/sysctl_fs_protected_regular/rule.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
index d21952c3300d..f6325c7cfb07 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel9: CCE-85884-5
cce@rhel10: CCE-87125-1
+ cce@sle16: CCE-96680-4
references:
nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
index bcf733e4ad0a..9a6b3ba2e0f4 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel9: CCE-85885-2
cce@rhel10: CCE-90354-2
+ cce@sle16: CCE-96679-6
references:
nist: CM-6(a),AC-6(1)
From 34dc6d4916205391b015af0b9475d34cfeae976a Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:15:21 +0200
Subject: [PATCH 14/18] Enable for sle16 rule mount_option_tmp_noexec
---
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 735018892a8c..75fb0ec5f6c6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel10: CCE-87095-6
cce@sle12: CCE-91586-8
cce@sle15: CCE-91272-5
+ cce@sle16: CCE-96696-0
cce@slmicro5: CCE-94079-1
references:
@@ -39,7 +40,7 @@ references:
srg: SRG-OS-000368-GPOS-00154
stigid@ol8: OL08-00-040125
-{{% if product == 'slmicro5' %}}
+{{% if product in ['slmicro5', 'sle16'] %}}
platform: system_with_kernel
{{% else %}}
platform: mount[tmp]
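Review bot: Switching sle16 from `platform: mount[tmp]` to `system_with_kernel` makes the rule applicable even when /tmp is not a distinct mount, so on such hosts pass/fail is decided solely by the sle16 OVAL later in this series, which inspects `/usr/lib/systemd/system/tmp.mount`, rather than by the mount actually in effect. If that is intended — treating the shipped tmp.mount unit as the source of truth — a one-line comment on the condition, e.g. `# sle16 checks the tmp.mount unit file, so the mount[tmp] CPE is not required`, saves the next reader from asking. The `{{% if %}}` block's `endif` lies outside the hunk.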
From d608ca7df93a03c8d0793ce25ef67359df16c7c1 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:20:36 +0200
Subject: [PATCH 15/18] Enable sle16 specific checks and remediations for
mount_option_tmp_noexec
---
.../mount_option_tmp_noexec/ansible/sle16.yml | 28 +++++++++++++++++++
.../mount_option_tmp_noexec/bash/sle16.sh | 23 +++++++++++++++
.../mount_option_tmp_noexec/oval/sle16.xml | 18 ++++++++++++
3 files changed, 69 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
new file mode 100644
index 000000000000..8dfea23acad8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
@@ -0,0 +1,28 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount'
+ ansible.builtin.lineinfile:
+ path: /usr/lib/systemd/system/tmp.mount
+ regexp: ^[\s]*Options=[\s]*.*noexec.*$
+ state: absent
+ check_mode: true
+ register: noexec_match
+
+# if no match, collect current options and add noexec
+- name: '{{{ rule_title }}} - Collect previously configured options'
+ ansible.builtin.shell:
+ cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount
+ register: current_options
+ when:
+ - noexec_match is defined and noexec_match.found == 0
+
+
+- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
+ ansible.builtin.shell:
+ cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
+ when:
+ - noexec_match.found == 0 and current_options is defined
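Review bot: The third task's `sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g"` has no branch for a unit with no `Options=` line at all — the substitution then matches nothing and the remediation silently does nothing, unlike the bash counterpart in this patch, which appends `Options=noexec` in that case — and when the line exists but is empty the result is `Options=,noexec`. An `ansible.builtin.lineinfile` with `insertafter: '^\[Mount\]'` for the no-match case, plus a `when: current_options.stdout | length > 0` guard on the sed task, would close both gaps. The unquoted `regexp: ^[\s]*Options=[\s]*.*noexec.*$` is a plain scalar; quoting it as the bash and OVAL files do avoids surprises if it is ever edited to start with an indicator. Note also that all three files of this patch edit or read the vendor unit under `/usr/lib/systemd/system`; a drop-in under `/etc/systemd/system/tmp.mount.d/` would survive package updates, but the OVAL would then need to look there too.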
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
new file mode 100644
index 000000000000..9f694b9bb9d3
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
@@ -0,0 +1,23 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+tmp_mount_file="/usr/lib/systemd/system/tmp.mount"
+
+# if already set, skip
+if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then
+ echo "noexec option already present, skipping remediation"
+ exit 0
+fi
+
+# no options set, add it
+if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then
+ echo "Options=noexec" >> ${tmp_mount_file}
+else
+ # collect currently set options
+ current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file})
+ # add noexec to current options and replace
+ sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file}
+fi
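Review bot: The no-options branch appends `Options=noexec` to the end of the file, but systemd reads `Options=` only inside the `[Mount]` section; if the unit ends with an `[Install]` section, as upstream tmp.mount does, the appended key lands in the wrong section and is ignored. Inserting after the section header instead, `sed -i '/^\[Mount\]/a Options=noexec' "${tmp_mount_file}"`, keeps it where it is read. Separately, `[\s]` inside a grep -E or sed bracket expression matches a literal backslash or the letter `s`, not whitespace — the patterns still work for keys at column 0, but `[[:space:]]*` says what is meant; the same spelling appears in the ansible file of this patch.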
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
new file mode 100644
index 000000000000..81bec910ddfd
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
@@ -0,0 +1,18 @@
+
+
+ {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}}
+
+
+
+
+
+
+
+
+
+ /usr/lib/systemd/system/tmp.mount
+ ^[\s]*Options=.*noexec.*$
+ 1
+
+
+
From ec6f03138c6f06263ceab257eb3750b24b9d9ddf Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:16:56 +0200
Subject: [PATCH 16/18] Add sysctl_kernel_unprivileged_bpf_disabled and
sysctl_kernel_yama_ptrace_scope sysctl_net_core_bpf_jit_harden rules
---
.../sysctl_kernel_unprivileged_bpf_disabled/rule.yml | 1 +
.../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
.../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml | 1 +
3 files changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 53af78ce203b..d2d1e2cf9284 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -16,6 +16,7 @@ identifiers:
cce@rhel8: CCE-82974-7
cce@rhel9: CCE-83957-1
cce@rhel10: CCE-89405-5
+ cce@sle16: CCE-96676-2
references:
nist: AC-6,SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 2c6e83019b64..3a56b472e039 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -20,6 +20,7 @@ identifiers:
cce@rhel10: CCE-88785-1
cce@sle12: CCE-91572-8
cce@sle15: CCE-91262-6
+ cce@sle16: CCE-96674-7
references:
nist: SC-7(10)
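Review bot: `cce@sle16: CCE-96674-7` added here is the same identifier the next file section of this patch assigns to sysctl_net_core_bpf_jit_harden (`cce@sle16: CCE-96674-7`); CCE ids must be unique per rule, so one of the two needs a different id from the sle16 allocation, and if the build validates CCE uniqueness it will reject this as it stands. The neighbouring id in this patch (`CCE-96676-2` for sysctl_kernel_unprivileged_bpf_disabled) suggests a sibling id was intended for bpf_jit_harden, but the correct value has to come from the CCE pool rather than be guessed here.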
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index e05977fecfbb..d67f456472e3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -17,6 +17,7 @@ identifiers:
cce@rhel8: CCE-82934-1
cce@rhel9: CCE-83966-2
cce@rhel10: CCE-89631-6
+ cce@sle16: CCE-96674-7
references:
nist: CM-6,SC-7(10)
From 8ee7309cfaf5f94f5656922f4527a79322922cfc Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:18:18 +0200
Subject: [PATCH 17/18] Enable more rules for SLE16 ANSSI
---
.../profiles/anssi_bp28_enhanced.profile | 55 +++++-----------
.../sle16/profiles/anssi_bp28_high.profile | 59 ++----------------
.../profiles/anssi_bp28_intermediary.profile | 62 +++++++++----------
.../sle16/profiles/anssi_bp28_minimal.profile | 51 +++++++++------
4 files changed, 81 insertions(+), 146 deletions(-)
diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile
index f93536a0114c..d93e440d079a 100644
--- a/products/sle16/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle16/profiles/anssi_bp28_enhanced.profile
@@ -27,71 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
- '!all_apparmor_profiles_enforced'
- '!apparmor_configured'
- - '!audit_rules_dac_modification_fchmodat2'
- - '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_immutable'
- - '!audit_rules_mac_modification_etc_selinux'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- '!file_groupowner_user_cfg'
- '!file_owner_user_cfg'
- '!file_permissions_sudo'
- '!file_permissions_user_cfg'
- '!grub2_enable_apparmor'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
- '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- '!package_dracut-fips-aesni_installed'
- - '!package_kea_removed'
- '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!service_chronyd_enabled'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
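Review bot: The exclusions for accounts_password_pam_minclass, accounts_password_pam_retry, accounts_password_pam_unix_remember, accounts_password_pam_unix_rounds_password_auth and the four accounts_passwords_pam_faillock_* rules are dropped, but the cracklib_ replacements added in their place cover only dcredit/lcredit/minlen/ocredit/ucredit. If those rules are still selected by the shared ANSSI controls, they become active on SLE16 as a side effect of this hunk rather than by an explicit choice, and the commit message does not say whether that is intended; `'!accounts_password_pam_unix_rounds_system_auth'` being kept while its password_auth twin is dropped reinforces that impression. The same pattern appears in the anssi_bp28_high, anssi_bp28_intermediary and anssi_bp28_minimal hunks below. A one-line comment above the cracklib_ block, such as `# SLE16 uses pam_cracklib/pam_tally2 rule variants; the pwquality/faillock rules above are intentionally left selected`, or re-adding the exclusions if they were not meant to go, would settle it.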
diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile
index 9884a6c214f5..c0c4fd81912c 100644
--- a/products/sle16/profiles/anssi_bp28_high.profile
+++ b/products/sle16/profiles/anssi_bp28_high.profile
@@ -27,99 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
- '!aide_periodic_cron_checking'
- '!all_apparmor_profiles_enforced'
- '!apparmor_configured'
- - '!audit_rules_dac_modification_fchmodat2'
- - '!audit_rules_file_deletion_events_renameat2'
- '!audit_rules_immutable'
- - '!audit_rules_mac_modification_etc_selinux'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- '!file_groupowner_user_cfg'
- '!file_owner_user_cfg'
- '!file_permissions_sudo'
- '!file_permissions_user_cfg'
- '!grub2_enable_apparmor'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
- '!kernel_config_arm64_sw_ttbr0_pan'
- - '!kernel_config_bug_on_data_corruption'
- - '!kernel_config_debug_wx'
- - '!kernel_config_fortify_source'
- '!kernel_config_gcc_plugin_latent_entropy'
- '!kernel_config_gcc_plugin_randstruct'
- '!kernel_config_gcc_plugin_stackleak'
- '!kernel_config_gcc_plugin_structleak_byref_all'
- '!kernel_config_gcc_plugin_structleak'
- - '!kernel_config_hardened_usercopy_fallback'
- - '!kernel_config_hardened_usercopy'
- '!kernel_config_legacy_vsyscall_emulate'
- - '!kernel_config_legacy_vsyscall_none'
- - '!kernel_config_legacy_vsyscall_xonly'
- '!kernel_config_modify_ldt_syscall'
- - '!kernel_config_page_poisoning'
- '!kernel_config_refcount_full'
- - '!kernel_config_sched_stack_end_check'
- - '!kernel_config_slab_freelist_hardened'
- - '!kernel_config_slab_freelist_random'
- '!kernel_config_slab_merge_default'
- - '!kernel_config_stackprotector_strong'
- - '!kernel_config_stackprotector'
- - '!kernel_config_strict_kernel_rwx'
- - '!kernel_config_strict_module_rwx'
- - '!kernel_config_vmap_stack'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
- '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- '!package_dracut-fips-aesni_installed'
- - '!package_kea_removed'
- '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- '!sebool_secure_mode_insmod'
- - '!service_chronyd_enabled'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
- '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile
index dd68326e7307..5fbf1d3ee013 100644
--- a/products/sle16/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle16/profiles/anssi_bp28_intermediary.profile
@@ -27,56 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
+ - '!all_apparmor_profiles_enforced'
+ - '!apparmor_configured'
+ - '!audit_rules_immutable'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
- - '!file_groupowner_etc_chrony_keys'
- - '!grub2_mds_argument'
- - '!grub2_page_alloc_shuffle_argument'
- - '!grub2_page_poison_argument'
- - '!grub2_pti_argument'
- - '!grub2_slub_debug_argument'
+ - '!file_groupowner_user_cfg'
+ - '!file_owner_user_cfg'
+ - '!file_permissions_sudo'
+ - '!file_permissions_user_cfg'
+ - '!grub2_enable_apparmor'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
- '!ldap_client_start_tls'
- '!ldap_client_tls_cacertpath'
- - '!mount_option_tmp_noexec'
- '!no_nis_in_nsswitch'
+ - '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- - '!package_kea_removed'
+ - '!package_dracut-fips-aesni_installed'
+ - '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_fs_protected_fifos'
- - '!sysctl_fs_protected_regular'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile
index 0fbb44696a92..441229a07086 100644
--- a/products/sle16/profiles/anssi_bp28_minimal.profile
+++ b/products/sle16/profiles/anssi_bp28_minimal.profile
@@ -27,39 +27,50 @@ selections:
- var_sudo_dedicated_group=root
- accounts_password_pam_pwhistory_remember
- set_password_hashing_min_rounds_logindefs
- - '!accounts_password_pam_dcredit'
- - '!accounts_password_pam_lcredit'
- - '!accounts_password_pam_minclass'
- - '!accounts_password_pam_minlen'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_retry'
- - '!accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- - '!accounts_password_pam_unix_rounds_password_auth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_ocredit'
+ - '!cracklib_accounts_password_pam_ucredit'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_passwords_pam_faillock_interval'
- - '!accounts_passwords_pam_faillock_unlock_time'
- '!accounts_passwords_pam_tally2_deny_root'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!accounts_passwords_pam_tally2'
+ - '!aide_periodic_cron_checking'
+ - '!all_apparmor_profiles_enforced'
+ - '!apparmor_configured'
+ - '!audit_rules_immutable'
- '!dnf-automatic_apply_updates'
- '!dnf-automatic_security_updates_only'
- '!enable_authselect'
- '!ensure_almalinux_gpgkey_installed'
- '!ensure_oracle_gpgkey_installed'
- '!ensure_redhat_gpgkey_installed'
+ - '!file_groupowner_user_cfg'
+ - '!file_owner_user_cfg'
+ - '!file_permissions_sudo'
+ - '!file_permissions_user_cfg'
+ - '!grub2_enable_apparmor'
+ - '!kernel_config_arm64_sw_ttbr0_pan'
+ - '!kernel_config_gcc_plugin_latent_entropy'
+ - '!kernel_config_gcc_plugin_randstruct'
+ - '!kernel_config_gcc_plugin_stackleak'
+ - '!kernel_config_gcc_plugin_structleak_byref_all'
+ - '!kernel_config_gcc_plugin_structleak'
+ - '!kernel_config_legacy_vsyscall_emulate'
+ - '!kernel_config_modify_ldt_syscall'
+ - '!kernel_config_refcount_full'
+ - '!kernel_config_slab_merge_default'
+ - '!ldap_client_start_tls'
+ - '!ldap_client_tls_cacertpath'
+ - '!no_nis_in_nsswitch'
+ - '!package_apparmor_installed'
- '!package_dnf-automatic_installed'
- - '!package_kea_removed'
+ - '!package_dracut-fips-aesni_installed'
+ - '!package_pam_apparmor_installed'
- '!package_rsh_removed'
- '!package_rsh-server_removed'
- - '!package_sendmail_removed'
- - '!package_sequoia-sq_installed'
- - '!package_talk_removed'
- - '!package_talk-server_removed'
- - '!package_xinetd_removed'
- '!package_ypbind_removed'
- '!package_ypserv_removed'
- - '!set_password_hashing_algorithm_systemauth'
+ - '!sebool_secure_mode_insmod'
- '!timer_dnf-automatic_enabled'
From 648138c664d4298ef41b5bdcd39cad4488c052ce Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 1 Mar 2026 10:19:37 +0200
Subject: [PATCH 18/18] Reserve for SLE16 CCE rules
---
shared/references/cce-sle16-avail.txt | 17 -----------------
1 file changed, 17 deletions(-)
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index 32b21dd878c5..26c3e6e170bd 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -419,20 +419,3 @@ CCE-96656-4
CCE-96657-2
CCE-96659-8
CCE-96662-2
-CCE-96663-0
-CCE-96664-8
-CCE-96665-5
-CCE-96666-3
-CCE-96669-7
-CCE-96672-1
-CCE-96674-7
-CCE-96676-2
-CCE-96679-6
-CCE-96680-4
-CCE-96684-6
-CCE-96685-3
-CCE-96687-9
-CCE-96689-5
-CCE-96690-3
-CCE-96693-7
-CCE-96696-0