Merge pull request #14514 from teacup-on-rockingchair/sle16_anssi_rules

teacup-on-rockingchair · web-flow · commit 48ec5df0dd2f · 2026-03-12T08:55:45.000+02:00
Add more rules for SLE16 ANSSI profiles
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-87348-9
     cce@rhel10: CCE-86596-4
+    cce@sle16: CCE-96693-7
 
 {{{ complete_ocil_entry_package(package="kea") }}}
 
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel9: CCE-84217-9
     cce@rhel10: CCE-90511-7
     cce@sle15: CCE-92601-4
+    cce@sle16: CCE-96684-6
 
 references:
     srg: SRG-OS-000355-GPOS-00143
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel9: CCE-83587-6
     cce@rhel10: CCE-87388-5
     cce@sle15: CCE-85842-3
+    cce@sle16: CCE-96664-8
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-87975-9
     cce@sle12: CCE-91468-9
     cce@sle15: CCE-91171-9
+    cce@sle16: CCE-96663-0
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel9: CCE-83583-5
     cce@rhel10: CCE-86672-3
     cce@sle15: CCE-91169-3
+    cce@sle16: CCE-96665-5
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel9: CCE-83588-4
     cce@rhel10: CCE-89250-5
     cce@sle15: CCE-85841-5
+    cce@sle16: CCE-96666-3
 
 references:
     cis-csc: 1,12,15,16
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
@@ -6,7 +6,7 @@
 
 {{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
 {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
 {{% else %}}
 {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "sle16"] %}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
 {{% elif product in ["debian12", "debian13"] %}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 
 title: 'Set number of Password Hashing Rounds - password-auth'
 
-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}
+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,7 @@ description: |-
     <pre>password [success=1 default=ignore] pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre>
     {{% else %}}
     <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre>
-    
+
     The system's default number of rounds is 5000.
     {{% endif %}}
 
@@ -67,5 +67,5 @@ fixtext: |-
     {{% else %}}
     password sufficient pam_unix.so sha512 rounds=5000
     {{% endif %}}
-    
+
 srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.'
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -4,19 +4,25 @@
 # complexity = low
 # disruption = low
 
-- name: Configure daily log rotation in /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+{{% set LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" %}}
+{{% else %}}
+{{% set LOGROTATE_CONF_FILE="/etc/logrotate.conf" %}}
+{{% endif %}}
+
+- name: "Configure daily log rotation in {{{ LOGROTATE_CONF_FILE }}}"
   ansible.builtin.lineinfile:
     create: yes
-    dest: "/etc/logrotate.conf"
+    dest: {{{ LOGROTATE_CONF_FILE }}}
     regexp: '^\s*(weekly|monthly|yearly)$'
     line: "daily"
     state: present
     insertbefore: BOF
 
-- name: Make sure daily log rotation setting is not overridden in /etc/logrotate.conf
+- name: "Make sure daily log rotation setting is not overridden in {{{ LOGROTATE_CONF_FILE }}}"
   ansible.builtin.lineinfile:
     create: no
-    dest: "/etc/logrotate.conf"
+    dest: {{{ LOGROTATE_CONF_FILE }}}
     regexp: '^[\s]*(weekly|monthly|yearly)$'
     state: absent
 
@@ -39,7 +45,7 @@
     - name: Add logrotate call
       ansible.builtin.lineinfile:
         path: "/etc/cron.daily/logrotate"
-        line: '/usr/sbin/logrotate /etc/logrotate.conf'
-        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+        line: '/usr/sbin/logrotate {{{ LOGROTATE_CONF_FILE }}}'
+        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*{{{ LOGROTATE_CONF_FILE }}}$'
         create: yes
 {{% endif %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh
@@ -1,6 +1,10 @@
 # platform = multi_platform_all
 
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE='/usr/etc/logrotate.conf'
+{{% else %}}
+LOGROTATE_CONF_FILE='/etc/logrotate.conf'
+{{% endif %}}
 {{% if 'sle' in product or product == 'slmicro5' %}}
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 {{% else %}}
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
@@ -25,7 +25,11 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_logrotate_conf_daily_setting" version="2">
+{{% if product == 'sle16' %}}
+    <ind:filepath>/usr/etc/logrotate.conf</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/logrotate.conf</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^\s*daily[\s#]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
@@ -37,7 +41,11 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_logrotate_conf_no_other_keyword" version="2">
+{{% if product == 'sle16' %}}
+    <ind:filepath>/usr/etc/logrotate.conf</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/logrotate.conf</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^\s*(weekly|monthly|yearly)[\s#]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh
@@ -1,3 +1,8 @@
 #!/bin/bash
 
-sed -i "s/daily/weekly/" /etc/logrotate.conf
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+sed -i "s/daily/weekly/" "${LOGROTATE_CONF_FILE}"
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh
@@ -2,11 +2,17 @@
 
 # packages = logrotate,crontabs
 
+{{% if product == 'sle16' %}}
+LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf"
+{{% else %}}
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+{{% endif %}}
+
 # disable the timer
 systemctl disable logrotate.timer || true
 
 # fix logrotate config
-sed -i "s/weekly/daily/" /etc/logrotate.conf
+sed -i "s/weekly/daily/" "${LOGROTATE_CONF_FILE}"
 
 # remove default for cron.daily
 rm -f /etc/cron.daily/logrotate
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88386-8
     cce@sle12: CCE-91520-7
     cce@sle15: CCE-91205-5
+    cce@sle16: CCE-96669-7
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}}
 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel8: CCE-88001-3
     cce@rhel9: CCE-89001-2
     cce@rhel10: CCE-89975-7
+    cce@sle16: CCE-96672-1
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}}
 
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
     cce@rhel9: CCE-85884-5
     cce@rhel10: CCE-87125-1
+    cce@sle16: CCE-96680-4
 
 references:
     nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel9: CCE-85885-2
     cce@rhel10: CCE-90354-2
+    cce@sle16: CCE-96679-6
 
 references:
     nist: CM-6(a),AC-6(1)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
@@ -0,0 +1,28 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount'
+  ansible.builtin.lineinfile:
+    path: /usr/lib/systemd/system/tmp.mount
+    regexp: ^[\s]*Options=[\s]*.*noexec.*$
+    state: absent
+  check_mode: true
+  register: noexec_match
+
+# if no match, collect current options and add noexec
+- name: '{{{ rule_title }}} - Collect previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount
+  register: current_options
+  when:
+    - noexec_match is defined and noexec_match.found == 0
+
+
+- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
+  when:
+    - noexec_match.found == 0 and current_options is defined
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
@@ -0,0 +1,23 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+tmp_mount_file="/usr/lib/systemd/system/tmp.mount"
+
+# if already set, skip
+if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then
+    echo "noexec option already present, skipping remediation"
+    exit 0
+fi
+
+# no options set, add it
+if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then
+    echo "Options=noexec" >> ${tmp_mount_file}
+else
+  # collect currently set options
+  current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file})
+  # add noexec to current options and replace
+  sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file}
+fi
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
@@ -0,0 +1,18 @@
+<def-group>
+  <definition class="compliance" id="mount_option_tmp_noexec" version="1">
+    {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}}
+    <criteria>
+        <criterion comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" test_ref="test_tmp_mount_noexec_option" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" id="test_tmp_mount_noexec_option" version="1">
+    <ind:object object_ref="object_tmp_mount_noexec_option" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_tmp_mount_noexec_option" comment="Options has  noexec set in /usr/lib/systemd/system/tmp.mount" version="1">
+    <ind:filepath>/usr/lib/systemd/system/tmp.mount</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*Options=.*noexec.*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-87095-6
     cce@sle12: CCE-91586-8
     cce@sle15: CCE-91272-5
+    cce@sle16: CCE-96696-0
     cce@slmicro5: CCE-94079-1
 
 references:
@@ -39,7 +40,7 @@ references:
     srg: SRG-OS-000368-GPOS-00154
     stigid@ol8: OL08-00-040125
 
-{{% if product == 'slmicro5' %}}
+{{% if product in ['slmicro5', 'sle16'] %}}
 platform: system_with_kernel
 {{% else %}}
 platform: mount[tmp]
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel8: CCE-82974-7
     cce@rhel9: CCE-83957-1
     cce@rhel10: CCE-89405-5
+    cce@sle16: CCE-96676-2
 
 references:
     nist: AC-6,SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-88785-1
     cce@sle12: CCE-91572-8
     cce@sle15: CCE-91262-6
+    cce@sle16: CCE-96674-7
 
 references:
     nist: SC-7(10)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhel8: CCE-82934-1
     cce@rhel9: CCE-83966-2
     cce@rhel10: CCE-89631-6
+    cce@sle16: CCE-96656-4
 
 references:
     nist: CM-6,SC-7(10)
diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile
diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile
diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile
diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}}`
	`1`	`+{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}}`
`2`	`2`	`{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}`
`3`	`3`	`{{% else %}}`
`4`	`4`	`{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}`