Sle16 base control

CMakeLists.txt

@@ -117,6 +117,7 @@ option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_SLE16 "If enabled, the SLE16 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLMICRO5 "If enabled, the SLE Micro 5 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLMICRO6 "If enabled, the SLE Micro 6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_TENCENTOS4 "If enabled, the TencentOS Server 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -358,6 +359,7 @@ message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
+message(STATUS "SUSE 16: ${SSG_PRODUCT_SLE16}")
 message(STATUS "SLE Micro 5: ${SSG_PRODUCT_SLMICRO5}")
 message(STATUS "SLE Micro 6: ${SSG_PRODUCT_SLMICRO6}")
 message(STATUS "TencentOS Server 4: ${SSG_PRODUCT_TENCENTOS4}")
@@ -478,6 +480,9 @@ endif()
 if(SSG_PRODUCT_SLE15)
     add_subdirectory("products/sle15" "sle15")
 endif()
+if(SSG_PRODUCT_SLE16)
+    add_subdirectory("products/sle16" "sle16")
+endif()
 if(SSG_PRODUCT_SLMICRO5)
     add_subdirectory("products/slmicro5" "slmicro5")
 endif()

build_product

@@ -383,6 +383,7 @@ all_cmake_products=(
 	RHV4
 	SLE12
 	SLE15
+	SLE16
 	SLMICRO5
 	SLMICRO6
 	TENCENTOS4

controls/base_sle16.yml

@@ -0,0 +1,48 @@
+---
+policy: Basis System Security Profile for SUSE Linux Enterprise 16
+title: asis System Security Profile SUSE Linux Enterprise 16
+id: base_sle16
+version: '1.0'
+source: not_publicly_available
+reference_type: suse-base-sle16
+
+levels:
+    - id: pcidss4
+    - id: anssi_minimal
+
+product: sle16
+
+controls:
+    - id: SLES-16-16016015
+      levels:
+          - pcidss4
+          - anssi_minimal
+      title: SLES 16 must be a vendor-supported release.
+      rules:
+          - installed_OS_is_vendor_supported
+      status: automated
+
+    - id: SLES-16-16016020
+      title: Enable NX/XD Support
+      levels:
+          - pcidss4
+      automated: partially
+      rules:
+          - bios_enable_execution_restrictions
+          - install_PAE_kernel_on_x86-32
+
+    - id: SLES-16-16016025
+      title: Ensure All Files Are Owned by a Group
+      levels:
+          - anssi_minimal
+      rules:
+          - file_permissions_ungroupowned
+      status: automated
+
+    - id: SLES-16-16016030
+      title: Ensure All Files Are Owned by a Use
+      levels:
+          - anssi_minimal
+      rules:
+          - no_files_unowned_by_user
+      status: automated

products/sle16/CMakeLists.txt

@@ -0,0 +1,10 @@
+# Sometimes our users will try to do: "cd sle16; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "sle16")
+ssg_build_product("sle16")
+
+
+ssg_build_html_cce_table(${PRODUCT})

products/sle16/product.yml

@@ -0,0 +1,47 @@
+product: sle16
+full_name: SUSE Linux Enterprise Server 16
+type: platform
+
+families:
+  - suse
+
+major_version_ordinal: 16
+
+benchmark_id: SLE-16
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+init_system: "systemd"
+
+pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
+
+aide_bin_path: "/usr/bin/aide"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - sle16:
+      name: "cpe:/o:suse:sles:16.0"
+      title: "SUSE Linux Enterprise Server 16.0"
+      check_id: installed_OS_is_sle16
+
+platform_package_overrides:
+  login_defs: "shadow"
+  grub2: "grub2"
+  sssd: "sssd"
+  crontabs: "cronie"
+  passwd: "shadow"
+
+reference_uris:
+  suse-base-sle16: 'not_publicly_available'
+
+dconf_gdm_dir: "gdm.d"
+
+sysctl_remediate_drop_in_file: "true"
+journald_conf_dir_path: /etc/systemd/journal.d
+xwindows_packages:
+  - xorg-x11-server
+  - xorg-x11-server-extra
+  - xorg-x11-server-Xvfb
+  - xwayland

products/sle16/profiles/anssi_bp28_minimal.profile

@@ -0,0 +1,28 @@
+---
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    Only the components strictly necessary to the service provided by the system should be installed.
+    Those whose presence can not be justified should be disabled, removed or deleted.
+    Performing a minimal install is a good starting point, but doesn't provide any assurance
+    over any package installed later.
+    Manual review is required to assess if the installed services are minimal.
+
+selections:
+    - base_sle16:all:anssi_minimal

products/sle16/profiles/base.profile

@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+reference: not_publicly_available
+
+title: 'General System Security Profile for SUSE Linux Enterprise (SLES) 16'
+
+description: |-
+    This profile contains configuration checks that align to the
+    General System Security Profile for SUSE Linux Enterprise (SLES) 16.
+
+selections:
+    - base_sle16:all

products/sle16/profiles/pci-dss-4.profile

@@ -0,0 +1,17 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+
+title: 'PCI-DSS v4 Control Baseline for SUSE Linux Enterprise 16'
+
+description: |-
+    Ensures PCI-DSS v4 security configuration settings are applied.
+
+selections:
+    - base_sle16:all:pcidss4

products/sle16/transforms/constants.xslt

@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">SUSE Linux Enterprise Server 16.0</xsl:variable>
+<xsl:variable name="product_short_name">SLES 16</xsl:variable>
+<xsl:variable name="prod_type">sle16</xsl:variable>
+
+</xsl:stylesheet>

products/sle16/transforms/table-style.xslt

@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>

products/sle16/transforms/xccdf-apply-overlay-stig.xslt

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>

products/sle16/transforms/xccdf2table-cce.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

products/sle16/transforms/xccdf2table-profileccirefs.xslt

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://www.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

shared/checks/oval/installed_OS_is_sle16.xml

@@ -0,0 +1,69 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_sle16" version="1">
+    <metadata>
+      <title>SUSE Linux Enterprise 16</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:suse:linux_enterprise_server:16"
+      source="CPE" />
+      <reference ref_id="cpe:/o:suse:linux_enterprise_desktop:16"
+      source="CPE" />
+      <description>The operating system installed on the system is
+      SUSE Linux Enterprise 15.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Installed operating system is part of the unix family"
+      test_ref="test_sle15_unix_family" />
+      <criteria operator="OR">
+       <criterion comment="SLE 16 Desktop is installed" test_ref="test_sle16_desktop" />
+       <criterion comment="SLE 16 Server is installed" test_ref="test_sle16_server" />
+       <criterion comment="SLES 16 for SAP Applications is installed" test_ref="test_sles_16_for_sap" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_sle16_unix_family" version="1">
+    <ind:object object_ref="obj_sle16_unix_family" />
+    <ind:state state_ref="state_sle16_unix_family" />
+  </ind:family_test>
+  <ind:family_state id="state_sle16_unix_family" version="1">
+    <ind:family>unix</ind:family>
+  </ind:family_state>
+  <ind:family_object id="obj_sle16_unix_family" version="1" />
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 16" id="test_sle16_desktop" version="1">
+    <linux:object object_ref="obj_sle16_desktop" />
+    <linux:state state_ref="state_sle16_desktop" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sle16_desktop" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sle16_desktop" version="1">
+    <linux:name>sled-release</linux:name>
+  </linux:rpminfo_object>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 16" id="test_sle16_server" version="1">
+    <linux:object object_ref="obj_sle16_server" />
+    <linux:state state_ref="state_sle16_server" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sle16_server" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sle16_server" version="1">
+    <linux:name>sles-release</linux:name>
+  </linux:rpminfo_object>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 16" id="test_sles_16_for_sap" version="1">
+    <linux:object object_ref="obj_sles_16_for_sap" />
+    <linux:state state_ref="state_sles_16_for_sap" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sles_16_for_sap" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sles_16_for_sap" version="1">
+    <linux:name>SLES_SAP-release</linux:name>
+  </linux:rpminfo_object>
+
+</def-group>

ssg/constants.py

@@ -59,7 +59,7 @@
     'openembedded',
     'rhel8', 'rhel9', 'rhel10',
     'rhv4',
-    'sle12', 'sle15', 'slmicro5', 'slmicro6',
+    'sle12', 'sle15', 'sle16', 'slmicro5', 'slmicro6',
     'tencentos4',
     'ubuntu2204', 'ubuntu2404'
 ]
@@ -238,6 +238,7 @@
     "Red Hat Virtualization 4": "rhv4",
     "SUSE Linux Enterprise 12": "sle12",
     "SUSE Linux Enterprise 15": "sle15",
+    "SUSE Linux Enterprise 16": "sle16",
     "SUSE Linux Enterprise Micro 5": "slmicro5",
     "SUSE Linux Enterprise Micro 6": "slmicro6",
     "TencentOS Server 4": "tencentos4",
@@ -315,7 +316,7 @@
     "multi_platform_rhcos": ["rhcos4"],
     "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"],
     "multi_platform_rhv": ["rhv4"],
-    "multi_platform_sle": ["sle12", "sle15"],
+    "multi_platform_sle": ["sle12", "sle15", "sle16"],
     "multi_platform_slmicro": ["slmicro5", "slmicro6"],
     "multi_platform_tencentos": ["tencentos4"],
     "multi_platform_ubuntu": ["ubuntu2204", "ubuntu2404"],