From 8f9e4269d58cfad57c9ac947cdbb503652f858c6 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 17 Nov 2025 21:36:06 +0200
Subject: [PATCH 1/4] Add definition for audisp_conf_path for sle15/16
---
 products/sle15/product.yml | 1 +
 products/sle16/product.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/products/sle15/product.yml b/products/sle15/product.yml
index 658be079867..1e05518539f 100644
--- a/products/sle15/product.yml
+++ b/products/sle15/product.yml
@@ -23,6 +23,7 @@ release_key_fingerprint: "FEAB502539D846DB2C0961CA70AF9E8139DB7C82"
 oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2"
 aide_bin_path: "/usr/bin/aide"
+audisp_conf_path: "/etc/audit"
 cpes_root: "../../shared/applicability"
 cpes:
diff --git a/products/sle16/product.yml b/products/sle16/product.yml
index 326e1138e52..852315aec8f 100644
--- a/products/sle16/product.yml
+++ b/products/sle16/product.yml
@@ -18,6 +18,7 @@ pkg_manager: "zypper"
 pkg_manager_config_file: "/etc/zypp/zypp.conf"
 aide_bin_path: "/usr/bin/aide"
+audisp_conf_path: "/etc/audit"
 cpes_root: "../../shared/applicability"
 cpes:
From 4f0eb87d7e203f96d4ba30d76d9cfb27dc0e323a Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 17 Nov 2025 21:37:54 +0200
Subject: [PATCH 2/4] Enable pcidss related audit rules for latest sle15 and sle16
---
 .../rule.yml | 1 +
 .../rule.yml | 2 +-
 products/sle15/profiles/pci-dss-4.profile | 4 +-
 .../sle16/controls/base_sle16/0500_audit.yml | 46 +++++++++++++++++++
 shared/references/cce-sle15-avail.txt | 3 --
 5 files changed, 49 insertions(+), 7 deletions(-)
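Review bot: The new `audisp_conf_path: "/etc/audit"` value records no assumption about the audit release it targets, and the same line is added unchanged to the sle16 product in the second hunk. With audit 3.x the audisp plugin configuration lives under /etc/audit (plugins.d), while audit 2.x kept it under /etc/audisp, so if any sle15 release still on audit 2.x is in scope for this product, rules templated on this path would look in the wrong directory; which releases the sle15 product covers is not visible here. A comment above the key, `# audit 3.x layout; audit 2.x kept the plugin config under /etc/audisp`, would make the assumption explicit for the next maintainer.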
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml
index 0a4166c4965..ffc0a118e5e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 identifiers:
 cce@rhel10: CCE-86188-0
+ cce@sle15: CCE-92695-6
 references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
index 1bf0cbb74af..65bb2a6c1b3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_selinux/rule.yml
@@ -14,7 +14,7 @@ severity: medium
 identifiers:
 cce@rhel10: CCE-90737-8
-
+ cce@sle15: CCE-92694-9
 references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index 231e3d001f4..d00a0e00c56 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -19,6 +19,7 @@ selections:
 - sshd_approved_ciphers=cis_sle15
 - var_multiple_time_servers=suse
 - var_multiple_time_pools=suse
+ - audit_rules_enable_syscall_auditing
 # Exclude from PCI DISS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
 - '!ntpd_specify_multiple_servers'
@@ -50,7 +51,6 @@ selections:
 - '!gnome_gdm_disable_guest_login'
 - '!accounts_password_pam_minlen'
 - '!no_password_auth_for_systemaccounts'
- - '!auditd_name_format'
 - '!file_groupowner_user_cfg'
 - '!directory_access_var_log_audit'
 - '!ensure_root_password_configured'
@@ -64,7 +64,5 @@ selections:
 - '!dconf_gnome_disable_automount_open'
 - '!network_nmcli_permissions'
 - '!package_cryptsetup-luks_installed'
- - '!audit_rules_file_deletion_events_renameat2'
- - '!audit_rules_mac_modification_etc_selinux'
 - '!audit_rules_dac_modification_fchmodat2'
 - '!accounts_password_pam_unix_remember'
diff --git a/products/sle16/controls/base_sle16/0500_audit.yml b/products/sle16/controls/base_sle16/0500_audit.yml
index 67d2fb8890b..3992ba8450e 100644
--- a/products/sle16/controls/base_sle16/0500_audit.yml
+++ b/products/sle16/controls/base_sle16/0500_audit.yml
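Review bot: Dropping `'!auditd_name_format'` from the sle15 profile (second hunk) enables the rule without any visible `var_auditd_name_format` selection, whereas the sle16 control added later in this series pairs the rule with `var_auditd_name_format=fqd`. Unless the pcidss_4 control already fixes that variable, the sle15 datastream will check whatever the variable's default is, which may not match the `fqd` value the series' updated test scenario writes for sle15. If `fqd` is the intended value for sle15 too, adding `- var_auditd_name_format=fqd` next to `- audit_rules_enable_syscall_auditing` in the first hunk keeps the two products consistent.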
@@ -33,3 +33,49 @@ controls:
 status: automated
 rules:
 - display_login_attempts
+
+ - id: SLES-16-16016520
+ levels:
+ - pcidss4
+ title: SLE16 system should audit syscalls
+ status: automated
+ rules:
+ - audit_rules_enable_syscall_auditing
+
+ - id: SLES-16-16016525
+ levels:
+ - pcidss4
+ - anssi_minimal
+ - hipaa
+ title: SLE16 system should audit renameat2 syscalls
+ status: automated
+ rules:
+ - audit_rules_file_deletion_events_renameat2
+
+ - id: SLES-16-16016530
+ levels:
+ - pcidss4
+ - anssi_minimal
+ title: SLE16 system should audit SELinux settings modifications
+ status: automated
+ rules:
+ - audit_rules_mac_modification_etc_selinux
+
+ - id: SLES-16-16016535
+ levels:
+ - pcidss4
+ title: SLE16 system should record the computer node name in the audit events
+ status: automated
+ rules:
+ - var_auditd_name_format=fqd
+ - auditd_name_format
+
+ - id: SLES-16-16016540
+ levels:
+ - pcidss4
+ - anssi_minimal
+ - hipaa
+ title: SLE16 system should audit fchmodat2 syscalls
+ status: automated
+ rules:
+ - audit_rules_dac_modification_fchmodat2
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index a58c8f812cb..e75b08ba7a7 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -75,6 +75,3 @@ CCE-92690-7
 CCE-92691-5
 CCE-92692-3
 CCE-92693-1
-CCE-92694-9
-CCE-92695-6
-CCE-92696-4
From 68dacc919887a12eb46cdc5c310e31aa4d0a58b6 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 17 Nov 2025 21:40:11 +0200
Subject: [PATCH 3/4] Enable auditd_name_format rule for sle15/16
---
 .../auditd_name_format/ansible/shared.yml | 2 +-
 .../auditd_name_format/bash/shared.sh | 4 +---
 .../auditd_name_format/rule.yml | 1 +
 .../auditd_name_format/tests/correct_value.pass.sh | 4 ++++
 4 files changed, 7 insertions(+), 4 deletions(-)
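Review bot: The new controls in 0500_audit.yml attach `anssi_minimal` and `hipaa` levels to the renameat2, etc_selinux and fchmodat2 rules, which widens those sle16 profiles beyond the PCI-DSS enablement the commit subject describes. If that is intended, the commit message should say so; if not, those extra level entries belong in their own change. None of the five entries carries a `notes:` field, so a short note on SLES-16-16016535 explaining why `fqd` is selected for the node name (the scenario test in this series still writes `hostname` for other products) would help a reader comparing products.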
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml index e39442425d4..a65017f27de 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh index b62a3eb8add..bf4e7647a95 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = true # strategy = restrict # complexity = low @@ -23,5 +23,3 @@ var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)" separator=" = ", separator_regex="\s*=\s*", prefix_regex="^\s*", rule_id=rule_id)}}} - - diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml index d09e6edda7a..88858211007 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml 
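Review bot: The ansible header keeps `# reboot = false` while the bash header in the next hunk keeps `# reboot = true`, so once both gain `multi_platform_sle` the SLE products carry two remediations for the same rule that disagree on whether a reboot is required. That disagreement is pre-existing, but it is worth settling while the platform lines are being touched, unless one remediation restarts auditd and the other does not (their bodies are outside these hunks). Whichever is correct, the two headers should state the same value.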
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@rhel8: CCE-82897-0
 cce@rhel9: CCE-83686-6
 cce@rhel10: CCE-87429-7
+ cce@sle15: CCE-92696-4
 references:
 nist: CM-6,AU-3
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
index 86ec89511f5..492c7686ece 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/tests/correct_value.pass.sh
@@ -12,4 +12,8 @@ config_file="/etc/audit/auditd.conf"
 # remove any occurrence
 sed -i "s/^.*name_format.*$//" $config_file
+{{%- if product in ["sle15", "sle16"] %}}
+echo "name_format = fqd" >> $config_file
+{{%- else %}}
 echo "name_format = hostname" >> $config_file
+{{%- endif %}}
From af9cb94f3d64d80d2f85ed9e32bebd2fc55eb238 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 18 Nov 2025 06:25:02 +0200
Subject: [PATCH 4/4] Fix yamllint errors on pci-dss-4.profile
Thanks to @mab879 for noting :bow:
---
 products/sle15/profiles/pci-dss-4.profile | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index d00a0e00c56..a3201d214dc 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
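Review bot: The new `{{%- if product in ["sle15", "sle16"] %}}` branch in correct_value.pass.sh hardcodes `fqd` as the expected value for sle15/16 without saying where that expectation comes from; the sle16 control in this series selects `var_auditd_name_format=fqd`, but nothing visible sets it for sle15. If the scenario is meant to assume a specific variable value, declaring it in the scenario header with `# variables = var_auditd_name_format=fqd` keeps the expectation next to the test rather than behind a product switch. If the branch stays, a comment such as `# sle15/16 profiles select fqd for var_auditd_name_format` above it would explain the split.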
@@ -12,14 +12,14 @@ description: |-
 Ensures PCI-DSS v4 security configuration settings are applied.
 selections:
- - pcidss_4:all:base
- - ensure_pam_wheel_group_empty
- - sshd_strong_kex=pcidss
- - sshd_approved_macs=cis_sle15
- - sshd_approved_ciphers=cis_sle15
- - var_multiple_time_servers=suse
- - var_multiple_time_pools=suse
- - audit_rules_enable_syscall_auditing
+ - pcidss_4:all:base
+ - ensure_pam_wheel_group_empty
+ - sshd_strong_kex=pcidss
+ - sshd_approved_macs=cis_sle15
+ - sshd_approved_ciphers=cis_sle15
+ - var_multiple_time_servers=suse
+ - var_multiple_time_pools=suse
+ - audit_rules_enable_syscall_auditing
 # Exclude from PCI DISS profile all rules related to ntp and timesyncd and keep only
 # rules related to chrony
 - '!ntpd_specify_multiple_servers'
@@ -29,9 +29,9 @@ selections:
 - '!service_timesyncd_enabled'
 - '!package_libreswan_installed'
 - '!use_pam_wheel_for_su'
- - use_pam_wheel_group_for_su
- - var_pam_wheel_group_for_su=cis
- - var_accounts_tmout=15_min
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
+ - var_accounts_tmout=15_min
 # Following rules once had a prodtype incompatible with the sle15 product
 - '!aide_periodic_cron_checking'
 - '!accounts_password_pam_dcredit'