Merge pull request #14010 from teacup-on-rockingchair/sle16_platform

Mab879 · web-flow · commit 87c6ea8e1f1f · 2025-10-13T10:39:58.000-05:00
Add SLE16 platform
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -114,6 +114,7 @@ option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_SLE16 "If enabled, the SLE16 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLMICRO5 "If enabled, the SLE Micro 5 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLMICRO6 "If enabled, the SLE Micro 6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_TENCENTOS4 "If enabled, the TencentOS Server 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -351,6 +352,7 @@ message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
+message(STATUS "SUSE 16: ${SSG_PRODUCT_SLE16}")
 message(STATUS "SLE Micro 5: ${SSG_PRODUCT_SLMICRO5}")
 message(STATUS "SLE Micro 6: ${SSG_PRODUCT_SLMICRO6}")
 message(STATUS "TencentOS Server 4: ${SSG_PRODUCT_TENCENTOS4}")
@@ -471,6 +473,9 @@ endif()
 if(SSG_PRODUCT_SLE15)
     add_subdirectory("products/sle15" "sle15")
 endif()
+if(SSG_PRODUCT_SLE16)
+    add_subdirectory("products/sle16" "sle16")
+endif()
 if(SSG_PRODUCT_SLMICRO5)
     add_subdirectory("products/slmicro5" "slmicro5")
 endif()
diff --git a/build_product b/build_product
@@ -357,6 +357,7 @@ all_cmake_products=(
 	RHV4
 	SLE12
 	SLE15
+	SLE16
 	SLMICRO5
 	SLMICRO6
 	TENCENTOS4
diff --git a/controls/base_sle16.yml b/controls/base_sle16.yml
@@ -0,0 +1,23 @@
+---
+policy: DRAFT Basis System Security Profile for SUSE Linux Enterprise 16
+title: DRAFT Basis System Security Profile SUSE Linux Enterprise 16
+id: base_sle16
+version: '1.0'
+source: not_publicly_available
+reference_type: suse-base-sle16
+
+levels:
+    - id: high
+    - id: medium
+    - id: low
+
+product: sle16
+
+controls:
+    - id: SLES-16-16016015
+      levels:
+          - high
+      title: SLES 16 must be a vendor-supported release.
+      rules:
+          - installed_OS_is_vendor_supported
+      status: automated
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
@@ -13,6 +13,7 @@
       <extend_definition comment="Installed OS is OL9" definition_ref="installed_OS_is_ol9" />
       <extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
       <extend_definition comment="Installed OS is SLE15" definition_ref="installed_OS_is_sle15" />
+      <extend_definition comment="Installed OS is SLE16" definition_ref="installed_OS_is_sle16" />
       <extend_definition comment="Installed OS is SLE Micro 5" definition_ref="installed_OS_is_slmicro5" />
       <extend_definition comment="Installed OS is SLE Micro 6" definition_ref="installed_OS_is_slmicro6" />
       <extend_definition comment="Installed OS is Ubuntu 24.04" definition_ref="installed_OS_is_ubuntu2404" />
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -8,7 +8,7 @@ description: |-
 {{% if 'ol' in product %}}
     Oracle Linux is supported by Oracle Corporation. As the Oracle
     Linux vendor, Oracle Corporation is responsible for providing security patches.
-{{% elif product in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
+{{% elif product in ["sle12", "sle15", "sle16", "slmicro5", "slmicro6"] %}}
     SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise
     vendor, SUSE is responsible for providing security patches.
 {{% elif 'almalinux' in product %}}
@@ -39,7 +39,7 @@ identifiers:
     cce@sle12: CCE-83001-8
     cce@sle15: CCE-83260-0
     cce@slmicro5: CCE-93601-3
-    cce@slmicro6: CCE-95035-2 
+    cce@slmicro6: CCE-95035-2
 
 references:
     cis-csc: 18,20,4
diff --git a/products/sle16/CMakeLists.txt b/products/sle16/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Sometimes our users will try to do: "cd sle16; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "sle16")
+ssg_build_product("sle16")
+
+
+ssg_build_html_cce_table(${PRODUCT})
diff --git a/products/sle16/product.yml b/products/sle16/product.yml
@@ -0,0 +1,47 @@
+product: sle16
+full_name: SUSE Linux Enterprise Server 16
+type: platform
+
+families:
+  - suse
+
+major_version_ordinal: 16
+
+benchmark_id: SLE-16
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+init_system: "systemd"
+
+pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
+
+aide_bin_path: "/usr/bin/aide"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - sle16:
+      name: "cpe:/o:suse:linux_enterprise_server:16"
+      title: "SUSE Linux Enterprise Server 16"
+      check_id: installed_OS_is_sle16
+
+platform_package_overrides:
+  login_defs: "shadow"
+  grub2: "grub2"
+  sssd: "sssd"
+  crontabs: "cronie"
+  passwd: "shadow"
+
+reference_uris:
+  suse-base-sle16: 'not_publicly_available'
+
+dconf_gdm_dir: "gdm.d"
+
+sysctl_remediate_drop_in_file: "true"
+journald_conf_dir_path: /etc/systemd/journal.d
+xwindows_packages:
+  - xorg-x11-server
+  - xorg-x11-server-extra
+  - xorg-x11-server-Xvfb
+  - xwayland
diff --git a/products/sle16/profiles/base.profile b/products/sle16/profiles/base.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+reference: not_publicly_available
+
+title: 'DRAFT General System Security Profile for SUSE Linux Enterprise (SLES) 16'
+
+description: |-
+    This profile contains configuration checks that align to the
+    General System Security Profile for SUSE Linux Enterprise (SLES) 16.
+
+selections:
+    - base_sle16:all
diff --git a/products/sle16/transforms/constants.xslt b/products/sle16/transforms/constants.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">SUSE Linux Enterprise Server 16.0</xsl:variable>
+<xsl:variable name="product_short_name">SLES 16</xsl:variable>
+<xsl:variable name="prod_type">sle16</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/sle16/transforms/table-style.xslt b/products/sle16/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/sle16/transforms/xccdf-apply-overlay-stig.xslt b/products/sle16/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/sle16/transforms/xccdf2table-cce.xslt b/products/sle16/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/sle16/transforms/xccdf2table-profileccirefs.xslt b/products/sle16/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://www.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_sle16.xml b/shared/checks/oval/installed_OS_is_sle16.xml
@@ -0,0 +1,64 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_sle16" version="1">
+    <metadata>
+      <title>SUSE Linux Enterprise 16</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:suse:linux_enterprise_server:16" source="CPE" />
+      <description>The operating system installed on the system is SUSE Linux Enterprise Server 16.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Installed operating system is part of the unix family"
+      test_ref="test_sle16_unix_family" />
+      <criteria operator="OR">
+       <criterion comment="SLE 16 Server is installed" test_ref="test_sle16_server" />
+       <criterion comment="SLES 16 for SAP Applications is installed" test_ref="test_sles_16_for_sap" />
+       <criterion comment="SLES 16 for High Availability Extension is installed" test_ref="test_sles_16_for_ha" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="test_sle16_unix_family" version="1">
+    <ind:object object_ref="obj_sle16_unix_family" />
+    <ind:state state_ref="state_sle16_unix_family" />
+  </ind:family_test>
+  <ind:family_state id="state_sle16_unix_family" version="1">
+    <ind:family>unix</ind:family>
+  </ind:family_state>
+  <ind:family_object id="obj_sle16_unix_family" version="1" />
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 16" id="test_sle16_server" version="1">
+    <linux:object object_ref="obj_sle16_server" />
+    <linux:state state_ref="state_sle16_server" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sle16_server" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sle16_server" version="1">
+    <linux:name>SLES-release</linux:name>
+  </linux:rpminfo_object>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 16" id="test_sles_16_for_sap" version="1">
+    <linux:object object_ref="obj_sles_16_for_sap" />
+    <linux:state state_ref="state_sles_16_for_sap" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sles_16_for_sap" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sles_16_for_sap" version="1">
+    <linux:name>SLES_SAP-release</linux:name>
+  </linux:rpminfo_object>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sle-ha-release is version 16" id="test_sles_16_for_ha" version="1">
+    <linux:object object_ref="obj_sles_16_for_ha" />
+    <linux:state state_ref="state_sles_16_for_ha" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_state id="state_sles_16_for_ha" version="1">
+    <linux:version operation="pattern match">^16.*$</linux:version>
+  </linux:rpminfo_state>
+  <linux:rpminfo_object id="obj_sles_16_for_ha" version="1">
+    <linux:name>sle-ha-release</linux:name>
+  </linux:rpminfo_object>
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
@@ -59,7 +59,7 @@
     'openembedded',
     'rhel8', 'rhel9', 'rhel10',
     'rhv4',
-    'sle12', 'sle15', 'slmicro5', 'slmicro6',
+    'sle12', 'sle15', 'sle16', 'slmicro5', 'slmicro6',
     'tencentos4',
     'ubuntu2204', 'ubuntu2404'
 ]
@@ -238,6 +238,7 @@
     "Red Hat Virtualization 4": "rhv4",
     "SUSE Linux Enterprise 12": "sle12",
     "SUSE Linux Enterprise 15": "sle15",
+    "SUSE Linux Enterprise 16": "sle16",
     "SUSE Linux Enterprise Micro 5": "slmicro5",
     "SUSE Linux Enterprise Micro 6": "slmicro6",
     "TencentOS Server 4": "tencentos4",
@@ -315,7 +316,7 @@
     "multi_platform_rhcos": ["rhcos4"],
     "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"],
     "multi_platform_rhv": ["rhv4"],
-    "multi_platform_sle": ["sle12", "sle15"],
+    "multi_platform_sle": ["sle12", "sle15", "sle16"],
     "multi_platform_slmicro": ["slmicro5", "slmicro6"],
     "multi_platform_tencentos": ["tencentos4"],
     "multi_platform_ubuntu": ["ubuntu2204", "ubuntu2404"],
