Sle16 restrict serial port logins

linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux
+# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
@@ -8,3 +8,7 @@
     dest: /etc/securetty
     regexp: 'ttyS[0-9]'
     state: absent
+
+{{% if product == "sle16" %}}
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_securetty.so', 'noconsole', '', '', rule_id=rule_id, rule_title=rule_title) }}}
+{{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/bash/shared.sh

@@ -1,2 +1,6 @@
 # platform = multi_platform_all
 sed -i '/ttyS/d' /etc/securetty
+
+{{% if product == "sle16" %}}
+{{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_securetty.so', 'noconsole', '', '') }}}
+{{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/oval/shared.xml

@@ -3,8 +3,11 @@
     {{{ oval_metadata("Preventing direct root login to serial port interfaces helps
       ensure accountability for actions taken on the system using the root
       account.", rule_title=rule_title) }}}
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="serial ports /etc/securetty" test_ref="test_serial_ports_etc_securetty" negate="true" />
+      {{% if product == "sle16" %}}
+      <criterion comment="pam_securetty is enabled with noconsole" test_ref="test_pam_securetty_noconsole"/>
+      {{% endif %}}
     </criteria>
   </definition>
 
@@ -17,4 +20,14 @@
     <ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
+
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="pam_securetty is enabled" id="test_pam_securetty_noconsole" version="1">
+    <ind:object object_ref="object_pam_securetty_noconsole" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_pam_securetty_noconsole" comment="Check pam_securetty" version="1">
+    <ind:filepath>/etc/pam.d/login</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_securetty.so\s+noconsole</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
 </def-group>

products/sle16/controls/base_sle16.yml

@@ -9,5 +9,6 @@ reference_type: suse-base-sle16
 levels:
     - id: pcidss4
     - id: anssi_minimal
+    - id: hipaa
 
 product: sle16

products/sle16/controls/base_sle16/0000_os_general.yml

@@ -14,3 +14,11 @@ controls:
       rules:
           - installed_OS_is_vendor_supported
       status: automated
+
+    - id: SLES-16-16016010
+      levels:
+          - hipaa
+      title: SLES 16 should restrict serial port root logins
+      rules:
+          - restrict_serial_port_logins
+      status: automated