ComplianceAsCode · teacup-on-rockingchair · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo "Defaults noexec" >> /etc/sudoers.d/enable_noexec
@@ -2,6 +2,9 @@
 # platform = multi_platform_all
 
 touch /etc/sudoers.d/empty
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Code taken from macro bash_sudo_remove_config()
 for f in /etc/sudoers /etc/sudoers.d/*; do
   if [ ! -e "$f" ]; then

@@ -1,4 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_all
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 echo "Defaults noexec" >> /etc/sudoers.d/enable_noexec
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo "Defaults use_pty" >> /etc/sudoers.d/enable_use_pty
@@ -3,6 +3,9 @@
 # packages = sudo
 
 touch /etc/sudoers.d/empty
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Code taken from macro bash_sudo_remove_config()
 for f in /etc/sudoers /etc/sudoers.d/*; do
   [ -e "$f" ] || continue

@@ -2,5 +2,8 @@
 # platform = multi_platform_all
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 sed '/Defaults.*use_pty/ s/.*/#&/g' -i /etc/sudoers /etc/sudoers.d/*
 echo "Defaults !use_pty" >> /etc/sudoers.d/enable_use_pty
@@ -2,4 +2,7 @@
 # platform = multi_platform_all
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 echo "Defaults use_pty" >> /etc/sudoers.d/enable_use_pty
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers.d/enable_logfile
@@ -3,6 +3,9 @@
 # packages = sudo
 
 touch /etc/sudoers.d/empty
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Code taken from macro bash_sudo_remove_config()
 for f in /etc/sudoers /etc/sudoers.d/*; do
   if [ ! -e "$f" ]; then

@@ -2,4 +2,7 @@
 # platform = multi_platform_all
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers.d/enable_logfile
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
@@ -4,6 +4,19 @@
 # complexity = low
 # disruption = low
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+{{{ ansible_copy_distro_defaults('/usr/etc/sudoers', '/etc/sudoers', rule_title=rule_title) }}}
+{{{
+    ansible_lineinfile(
+        rule_title + " - Remove /usr/etc/sudoers.d include directive from /etc/sudoers",
+        path="/etc/sudoers",
+        regex='^\s*@includedir\s+/usr/etc/sudoers.d',
+        state="absent",
+        when="not ansible_check_mode"
+    )
+}}}
+{{% endif %}}
+
 {{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
 
 {{{ ansible_sudo_remove_config("!authenticate", "\!authenticate") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
@@ -4,6 +4,10 @@
 # complexity = low
 # disruption = low
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+{{{ bash_copy_distro_defaults("/usr/etc/sudoers", "/etc/sudoers") }}}
+{{{ lineinfile_absent("/etc/sudoers", "^\s*@includedir\s*/usr/etc/sudoers\.d", sed_path_separator="#", rule_id=rule_id) }}}
+{{% endif %}}
 {{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
 
 {{{ bash_sudo_remove_config("!authenticate", "\!authenticate") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml
@@ -4,6 +4,15 @@
     <criteria operator="AND">
       <extend_definition definition_ref="sudo_remove_no_authenticate" />
       <extend_definition definition_ref="sudo_remove_nopasswd" />
+      {{% if product in [ 'sle16', 'slmicro6' ] %}}
+      <criterion
+          comment="test if configuration file /etc/sudoers exists for {{{ rule_id }}}"
+          test_ref="test_{{{ rule_id }}}_config_file_exists"/>
+      {{% endif %}}
     </criteria>
   </definition>
+  {{% if product in [ 'sle16', 'slmicro6' ] %}}
+  {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}}
+  {{% endif %}}
 </def-group>
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+touch /etc/sudoers
+echo "Defaults !authenticate" > /etc/sudoers.d/sudoers
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo "Defaults authenticate" > /etc/sudoers.d/authenticate
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+touch /etc/sudoers
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
@@ -6,6 +6,19 @@
 
 {{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+{{{ ansible_copy_distro_defaults('/usr/etc/sudoers', '/etc/sudoers', rule_title=rule_title) }}}
+{{{
+    ansible_lineinfile(
+        rule_title + " - Remove /usr/etc/sudoers.d include directive from /etc/sudoers",
+        path="/etc/sudoers",
+        regex='^\s*@includedir\s+/usr/etc/sudoers.d',
+        state="absent",
+        when="not ansible_check_mode"
+    )
+}}}
+{{% endif %}}
+
 - name: "{{{ rule_title }}} - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout'"
   ansible.builtin.find:
     path: "/etc/sudoers.d"
@@ -28,15 +41,24 @@
     validate: /usr/sbin/visudo -cf %s
     backrefs: yes
   register: edit_sudoers_timestamp_timeout_option
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+  when: not ansible_check_mode
+{{% endif %}}
 
 - name: "{{{ rule_title }}} - Enable timestamp_timeout option with correct value in /etc/sudoers"
   ansible.builtin.lineinfile: # noqa 503
     path: /etc/sudoers
     line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
     validate: /usr/sbin/visudo -cf %s
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+  when: >
+    not ansible_check_mode and edit_sudoers_timestamp_timeout_option is defined and
+    not edit_sudoers_timestamp_timeout_option.changed
+{{% else %}}
   when: >
     edit_sudoers_timestamp_timeout_option is defined and
     not edit_sudoers_timestamp_timeout_option.changed
+{{% endif %}}
 
 - name: "{{{ rule_title }}} - Remove timestamp_timeout wrong values in /etc/sudoers"
   ansible.builtin.lineinfile:

diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
@@ -7,6 +7,11 @@
 
 {{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+{{{ bash_copy_distro_defaults("/usr/etc/sudoers", "/etc/sudoers") }}}
+{{{ lineinfile_absent("/etc/sudoers", "^\s*@includedir\s*/usr/etc/sudoers\.d", sed_path_separator="#", rule_id=rule_id) }}}
+{{% endif %}}
+
 if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
     find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
 fi
@@ -22,7 +27,7 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
             sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
         fi
     fi
-    
+
     # Check validity of sudoers and cleanup bak
     if /usr/sbin/visudo -qcf /etc/sudoers; then
         rm -f /etc/sudoers.bak

diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
@@ -4,6 +4,11 @@
     <criteria comment="The timestamp_timeout should be configured" operator="AND">
       <criterion comment="check configuration in /etc/sudoers" test_ref="test_sudo_timestamp_timeout" />
       <criterion comment="check for - sign in configuration" test_ref="test_sudo_timestamp_timeout_no_signs" />
+      {{% if product in [ 'sle16', 'slmicro6' ] %}}
+      <criterion
+          comment="test if configuration file /etc/sudoers exists for {{{ rule_id }}}"
+          test_ref="test_{{{ rule_id }}}_config_file_exists"/>
+      {{% endif %}}
     </criteria>
   </definition>
 
@@ -18,14 +23,18 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
-    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>  
+    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
    <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout_no_signs" version="1">
-    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>  
+    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object> 
+  </ind:textfilecontent54_object>
+  {{% if product in [ 'sle16', 'slmicro6' ] %}}
+  {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}}
+  {{% endif %}}
 </def-group>
@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf
@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
 fi
@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from /etc/sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

@@ -1,6 +1,9 @@
 #!/bin/bash
 # packages = sudo
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+touch /etc/sudoers
+{{% endif %}}
 # Remove Defaults timestamp_timeout from sudoers
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers

diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml
@@ -3,6 +3,11 @@
      {{{ oval_metadata("Check that sudoers doesn't contain command negations", rule_title=rule_title) }}}
      <criteria operator="AND">
 	     <criterion comment="Make sure that no command in user spec contains negation" test_ref="test_{{{ rule_id }}}" />
+      {{% if product in [ 'sle16', 'slmicro6' ] %}}
+      <criterion
+          comment="test if configuration file /etc/sudoers exists for {{{ rule_id }}}"
+          test_ref="test_{{{ rule_id }}}_config_file_exists"/>
+      {{% endif %}}
      </criteria>
   </definition>
 
@@ -23,4 +28,8 @@
     <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+  {{% if product in [ 'sle16', 'slmicro6' ] %}}
+  {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}}
+  {{% endif %}}
 </def-group>
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = sudo
+# remediation = none
+
+if [ -e "/etc/sudoers" ] ; then
+    rm "/etc/sudoers"
+fi
+echo 'nobody ALL=/bin/ls, (bob !alice) /bin/dog, /bin/cat !arg' > /etc/sudoers.d/foo
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
@@ -847,6 +847,9 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
   with_items:
     - { path: /etc/sudoers }
     - "{{ sudoers.files }}"
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+  when: not ansible_check_mode
+{{% endif %}}
 {{%- endmacro -%}}