ComplianceAsCode · teacup-on-rockingchair · Oct 5, 2025 · Oct 7, 2025 · Oct 8, 2025 · Oct 8, 2025
diff --git a/controls/base_sle16.yml b/controls/base_sle16.yml
@@ -7,17 +7,7 @@ source: not_publicly_available
 reference_type: suse-base-sle16
 
 levels:
-    - id: high
-    - id: medium
-    - id: low
+    - id: pcidss4
+    - id: anssi_minimal
 
 product: sle16
-
-controls:
-    - id: SLES-16-16016015
-      levels:
-          - high
-      title: SLES 16 must be a vendor-supported release.
-      rules:
-          - installed_OS_is_vendor_supported
-      status: automated
diff --git a/controls/base_sle16/0000_os_general.yml b/controls/base_sle16/0000_os_general.yml
@@ -0,0 +1,16 @@
+#
+# A group of rules regarding general operating system functionality
+# and system software installed
+#
+# SLES-16 ids allocated for this group from SLES-16-16016000 till SLES-16-16016099
+#
+
+controls:
+    - id: SLES-16-16016005
+      levels:
+          - pcidss4
+          - anssi_minimal
+      title: SLES 16 must be a vendor-supported release.
+      rules:
+          - installed_OS_is_vendor_supported
+      status: automated
diff --git a/controls/base_sle16/0100_file_ownership_n_permissions.yml b/controls/base_sle16/0100_file_ownership_n_permissions.yml
@@ -0,0 +1,20 @@
+#
+# Rules regarding secure file ownersip and permissions
+# SLES-16 ids allocated for this group from SLES-16-16016100 till SLES-16-16016399
+#
+controls:
+    - id: SLES-16-16016100
+      title: Ensure All Files Are Owned by a Group
+      levels:
+          - anssi_minimal
+      rules:
+          - file_permissions_ungroupowned
+      status: automated
+
+    - id: SLES-16-16016105
+      title: Ensure All Files Are Owned by a User
+      levels:
+          - anssi_minimal
+      rules:
+          - no_files_unowned_by_user
+      status: automated
diff --git a/controls/base_sle16/0400_kernel_paramters.yml b/controls/base_sle16/0400_kernel_paramters.yml
@@ -0,0 +1,14 @@
+#
+# A group of rules regarding kernel parameters and modules configuration and installation
+#
+# SLES-16 ids allocated for this group from SLES-16-16016400 till SLES-16-16016499
+#
+controls:
+    - id: SLES-16-16016400
+      title: Enable NX/XD Support
+      levels:
+          - pcidss4
+      automated: partially
+      rules:
+          - bios_enable_execution_restrictions
+          - install_PAE_kernel_on_x86-32
diff --git a/...uide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/...uide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -63,7 +63,7 @@ ocil: |-
     <pre>$ grep -i "red hat" /etc/redhat-release</pre>
 {{% elif 'ol' in families %}}
     <pre>$ grep -i "oracle" /etc/oracle-release</pre>
-{{% elif product in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
+{{% elif product in ["sle12", "sle15", "sle16", "slmicro5", "slmicro6"] %}}
     <pre>$ grep -i "suse" /etc/os-release</pre>
 {{% elif 'ubuntu' in product %}}
     <pre>$ grep DISTRIB_DESCRIPTION /etc/lsb-release</pre>

@@ -0,0 +1,28 @@
+---
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+title: 'DRAFT ANSSI-BP-028 (minimal)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    Only the components strictly necessary to the service provided by the system should be installed.
+    Those whose presence can not be justified should be disabled, removed or deleted.
+    Performing a minimal install is a good starting point, but doesn't provide any assurance
+    over any package installed later.
+    Manual review is required to assess if the installed services are minimal.
+
+selections:
+    - base_sle16:all:anssi_minimal
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - svet-se
+        - rumch-se
+        - teacup-on-rockingchair
+
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+
+title: 'DRAFT PCI-DSS v4 Control Baseline for SUSE Linux Enterprise 16'
+
+description: |-
+    Ensures PCI-DSS v4 security configuration settings are applied.
+
+selections:
+    - base_sle16:all:pcidss4
diff --git a/shared/checks/oval/installed_OS_is_sle16.xml b/shared/checks/oval/installed_OS_is_sle16.xml
@@ -29,7 +29,7 @@
   </ind:family_state>
   <ind:family_object id="obj_sle16_unix_family" version="1" />
 
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 16" id="test_sle16_server" version="1">
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES-release is version 16" id="test_sle16_server" version="1">
     <linux:object object_ref="obj_sle16_server" />
     <linux:state state_ref="state_sle16_server" />
   </linux:rpminfo_test>