ComplianceAsCode · jan-cerny · May 4, 2022 · Apr 13, 2022 · May 2, 2022
diff --git a/controls/anssi_sle.yml b/controls/anssi_sle.yml
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
@@ -25,7 +25,8 @@ identifiers:
     cce@rhel7: CCE-80331-2
     cce@rhel8: CCE-83385-5
     cce@rhel9: CCE-84240-1
-
+    cce@sle15: CCE-85759-9
+
 references:
     anssi: BP28(R1)
     cis-csc: 11,14,3,9

diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15
 
 title: 'Uninstall Sendmail Package'
 
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel7: CCE-80288-4
     cce@rhel8: CCE-81039-0
     cce@rhel9: CCE-90830-1
+    cce@sle15: CCE-85761-5
 
 references:
     anssi: BP28(R1)

diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel7: CCE-27396-1
     cce@rhel8: CCE-82181-9
     cce@rhel9: CCE-84151-0
+    cce@sle15: CCE-91159-4
 
 references:
     anssi: BP28(R1)

diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel7: CCE-27399-5
     cce@rhel8: CCE-82432-6
     cce@rhel9: CCE-84152-8
+    cce@sle15: CCE-91160-2
 
 references:
     anssi: BP28(R1)

diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel7: CCE-27274-0
     cce@rhel8: CCE-82183-5
     cce@rhel9: CCE-84142-9
+    cce@sle15: CCE-85760-7
 
 references:
     anssi: BP28(R1)

diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel7,rhel8,rhel9
+prodtype: rhel7,rhel8,rhel9,sle15
 
 title: 'Remove tftp Daemon'
 
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel7: CCE-80443-5
     cce@rhel8: CCE-83590-0
     cce@rhel9: CCE-84153-6
+    cce@sle15: CCE-91158-6
 
 references:
     anssi: BP28(R1)

diff --git a/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
 
 title: 'Lock Accounts After Failed Password Attempts'
 

diff --git a/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
 
 title: 'Configure the root Account for Failed Password Attempts'
 
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel7: CCE-80353-6
     cce@rhel8: CCE-80668-7
     cce@rhel9: CCE-83589-2
+    cce@sle15: CCE-91171-9
 
 references:
     anssi: BP28(R18)

diff --git a/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
 
 title: 'Set Interval For Counting Failed Password Attempts'
 
@@ -51,6 +51,7 @@ identifiers:
     cce@rhel7: CCE-27297-1
     cce@rhel8: CCE-80669-5
     cce@rhel9: CCE-83583-5
+    cce@sle15: CCE-91169-3
 
 references:
     anssi: BP28(R18)

diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
 
 title: 'Set Lockout Time for Failed Password Attempts'
 

diff --git a/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel7: CCE-27360-7
     cce@rhel8: CCE-80663-8
     cce@rhel9: CCE-83565-2
+    cce@sle15: CCE-91157-8
 
 references:
     anssi: BP28(R18)

diff --git a/...s-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/...s-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...ounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/...ounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 
 {{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
 

diff --git a/...ts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/...ts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel7: CCE-82049-8
     cce@rhel8: CCE-80652-1
     cce@rhel9: CCE-83608-0
+    cce@sle15: CCE-91168-5
 
 references:
     anssi: BP28(R18)

diff --git a/...tions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/...tions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml
@@ -1,13 +1,20 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
 {{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}}
 
+{{% if product in ["sle12", "sle15"] %}}
+    {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
+{{% else %}}
+    {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
+{{% endif %}}
+
+
 - name: Check for existing rounds parameter
   ansible.builtin.lineinfile:
-    path: "/etc/pam.d/password-auth"
+    path: {{{ pam_passwd_file_path }}}
     create: no
     regexp: '^password.*pam_unix.so.*rounds='
     state: absent
@@ -150,13 +157,13 @@
   block:
     - name: Ensure the desired rounds value is updated in the custom profile
       ansible.builtin.replace:
-        dest: "/etc/pam.d/password-auth"
+        dest: {{{ pam_passwd_file_path }}}
         regexp: '(^\s*password.*pam_unix.so.*rounds=)(\S+)(.*)$'
         replace: '\g<1>{{ var_password_pam_unix_rounds }}\g<3>'
 
     - name: Ensure the remember parameter is included in the custom profile
       ansible.builtin.replace:
-        dest: "/etc/pam.d/password-auth"
+        dest: {{{ pam_passwd_file_path }}}
         regexp: '(^\s*password.*pam_unix.so.*)(?! rounds=\S+)(.*)$'
         replace: '\g<1> \g<2> rounds={{ var_password_pam_unix_rounds }}'
       when:

diff --git a/...trictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/...trictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 
 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
 
@@ -35,8 +35,11 @@ In cases where the default authselect profile does not cover a specific demand,
         false
     fi
 else
+{{% if product in ["sle15", "sle12"] %}}
+    pamFile="/etc/pam.d/common-password"
+{{% else %}}
     pamFile="/etc/pam.d/password-auth"
-
+{{% endif %}}
     if grep -q "rounds=" $pamFile; then
         sed -iP --follow-symlinks "/password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/ \
                                         s/rounds=[[:digit:]]\+/rounds=$var_password_pam_unix_rounds/" $pamFile

diff --git a/...rictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/...rictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,3 +1,8 @@
+{{% if product in ["sle12", "sle15"] %}}
+{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
+{{% else %}}
+{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
+{{% endif %}}
 <def-group>
     <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("The number of rounds for password hashing should be set correctly.") }}}
@@ -11,18 +16,18 @@
   </definition>
 
   <ind:textfilecontent54_test id="test_password_auth_pam_unix_rounds_is_set" check="all" check_existence="all_exist"
-  comment="Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth" version="1">
+  comment="Test if rounds attribute of pam_unix.so is set correctly in {{{ pam_passwd_file_path }}} " version="1">
     <ind:object object_ref="object_password_auth_pam_unix_rounds" />
     <ind:state state_ref="state_password_auth_pam_unix_rounds" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_test id="test_password_auth_pam_unix_rounds_is_default" check="all" check_existence="none_exist"
-  comment="Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/password-auth" version="1">
+  comment="Test if rounds attribute of pam_unix.so is not set in {{{ pam_passwd_file_path }}} " version="1">
     <ind:object object_ref="object_password_auth_pam_unix_rounds" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_password_auth_pam_unix_rounds" version="1">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
+    <ind:filepath operation="pattern match">^{{{ pam_passwd_file_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...ts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/...ts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
 
 title: 'Set number of Password Hashing Rounds - password-auth'
 
@@ -27,6 +27,7 @@ identifiers:
     cce@rhel7: CCE-83402-8
     cce@rhel8: CCE-83403-6
     cce@rhel9: CCE-83615-5
+    cce@sle15: CCE-91173-5
 
 references:
     anssi: BP28(R32)

diff --git a/...ictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml b/...ictions/password_storage/accounts_password_pam_unix_rounds_system_auth/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/...estrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh b/...estrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 
 {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
 

diff --git a/...unts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/...unts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
 
 title: 'Set number of Password Hashing Rounds - system-auth'
 
@@ -27,6 +27,7 @@ identifiers:
     cce@rhel7: CCE-83384-8
     cce@rhel8: CCE-83386-3
     cce@rhel9: CCE-83621-3
+    cce@sle15: CCE-91172-7
 
 references:
   anssi: BP28(R32)

diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
@@ -14,6 +14,7 @@ identifiers:
     cce@rhel7: CCE-80187-8
     cce@rhel8: CCE-80847-7
     cce@rhel9: CCE-84063-7
+    cce@sle15: CCE-91161-0
 
 references:
     anssi: BP28(R5),NT28(R46)

diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel7: CCE-80188-6
     cce@rhel8: CCE-80886-5
     cce@rhel9: CCE-83989-4
+    cce@sle15: CCE-91162-8
 
 references:
     anssi: BP28(R5),NT28(R46)

diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -28,6 +28,7 @@ identifiers:
     cce@rhel7: CCE-80132-4
     cce@rhel8: CCE-80816-2
     cce@rhel9: CCE-83901-9
+    cce@sle15: CCE-91175-0
 
 references:
     anssi: BP28(R37),BP28(R38)

diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -28,6 +28,7 @@ identifiers:
     cce@rhel7: CCE-80133-2
     cce@rhel8: CCE-80817-0
     cce@rhel9: CCE-83897-9
+    cce@sle15: CCE-91174-3
 
 references:
     anssi: BP28(R37),BP28(R38)

diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_fedora,multi_platform_sle,Red Hat Enterprise Linux 8,Oracle Linux 8
 # reboot = false
 # strategy = unknown
 # complexity = low

diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
@@ -1,8 +1,8 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8,rhel9
+prodtype: fedora,ol8,rhel8,rhel9,sle15
 
-title: Configure dnf-automatic to Install Available Updates Automatically
+title: 'Configure dnf-automatic to Install Available Updates Automatically'
 
 description: |-
     To ensure that the packages comprising the available updates will be automatically installed by <tt>dnf-automatic</tt>, set <tt>apply_updates</tt> to <tt>yes</tt> under <tt>[commands]</tt> section in <tt>/etc/dnf/automatic.conf</tt>.
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-82494-6
     cce@rhel9: CCE-83456-4
+    cce@sle15: CCE-91165-1
 
 references:
     anssi: BP28(R8)

diff --git a/..._os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml b/..._os/guide/system/software/updating/dnf-automatic_security_updates_only/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_fedora,multi_platform_sle,Red Hat Enterprise Linux 8,Oracle Linux 8
 # reboot = false
 # strategy = unknown
 # complexity = low

diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
@@ -1,8 +1,8 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8,rhel9
+prodtype: fedora,ol8,rhel8,rhel9,sle15
 
-title: Configure dnf-automatic to Install Only Security Updates
+title: 'Configure dnf-automatic to Install Only Security Updates'
 
 description: |-
     To configure <tt>dnf-automatic</tt> to install only security updates
@@ -19,6 +19,7 @@ severity: low
 identifiers:
     cce@rhel8: CCE-82267-6
     cce@rhel9: CCE-83461-4
+    cce@sle15: CCE-91166-9
 
 references:
     anssi: BP28(R8)

diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
 
 title: 'Ensure gpgcheck Enabled for Local Packages'
 
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel7: CCE-80347-8
     cce@rhel8: CCE-80791-7
     cce@rhel9: CCE-83463-0
+    cce@sle15: CCE-91167-7
 
 references:
     anssi: BP28(R15)

diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8,rhel9
+prodtype: fedora,ol8,rhel8,rhel9,sle15
 
 title: 'Install dnf-automatic Package'
 
@@ -17,6 +17,8 @@ identifiers:
     cce@rhel7: CCE-82986-1
     cce@rhel8: CCE-82985-3
     cce@rhel9: CCE-83454-9
+    cce@sle15: CCE-91163-6
+
 
 references:
     anssi: BP28(R8)