From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
From: Guang Yee <guang.yee@suse.com>
Date: Mon, 11 Jan 2021 12:55:43 -0800
Subject: [PATCH] Enable checks and remediations for the following SLES-12
 STIGs:

 - SLES-12-010030 'banner_etc_issue'
 - SLES-12-010120 'accounts_max_concurrent_login_sessions'
 - SLES-12-010450 'encrypt_partitions'
 - SLES-12-010460 'dir_perms_world_writable_sticky_bits'
 - SLES-12-010500 'package_aide_installed'
 - SLES-12-010550 'ensure_gpgcheck_globally_activated'
 - SLES-12-010580 'kernel_module_usb-storage_disabled'
 - SLES-12-010599 'package_MFEhiplsm_installed'
 - SLES-12-010690 'no_files_unowned_by_user'
 - SLES-12-030000 'package_telnet-server_removed'
 - SLES-12-030010 'ftp_present_banner'
 - SLES-12-030050 'sshd_enable_warning_banner'
 - SLES-12-030110 'sshd_set_loglevel_verbose'
 - SLES-12-030130 'sshd_print_last_log'
 - SLES-12-030210 'file_permissions_sshd_pub_key'
 - SLES-12-030220 'file_permissions_sshd_private_key'
 - SLES-12-030230 'sshd_enable_strictmodes'
 - SLES-12-030240 'sshd_use_priv_separation'
 - SLES-12-030250 'sshd_disable_compression'
 - SLES-12-030340 'auditd_audispd_encrypt_sent_records'
 - SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
 - SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
 - SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
 - SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
---
 .../ftp_present_banner/rule.yml               |  1 +
 .../package_telnet-server_removed/rule.yml    |  1 +
 .../rule.yml                                  |  1 +
 .../file_permissions_sshd_pub_key/rule.yml    |  1 +
 .../ansible/shared.yml                        |  2 +-
 .../sshd_disable_compression/rule.yml         |  1 +
 .../sshd_enable_strictmodes/rule.yml          |  1 +
 .../sshd_enable_warning_banner/rule.yml       |  1 +
 .../ssh_server/sshd_print_last_log/rule.yml   |  1 +
 .../sshd_set_loglevel_verbose/rule.yml        |  1 +
 .../sshd_use_priv_separation/rule.yml         |  1 +
 .../banner_etc_issue/ansible/shared.yml       |  2 +-
 .../banner_etc_issue/rule.yml                 |  4 ++-
 .../ansible/shared.yml                        |  2 +-
 .../rule.yml                                  |  2 ++
 .../ansible/shared.yml                        |  2 +-
 .../rule.yml                                  |  4 ++-
 .../rule.yml                                  |  4 ++-
 .../rule.yml                                  |  4 ++-
 .../rule.yml                                  |  4 ++-
 .../rule.yml                                  |  4 ++-
 .../bash/shared.sh                            |  2 +-
 .../rule.yml                                  |  2 ++
 .../files/no_files_unowned_by_user/rule.yml   |  4 ++-
 .../rule.yml                                  |  4 ++-
 .../encrypt_partitions/rule.yml               |  8 +++++-
 .../package_MFEhiplsm_installed/rule.yml      |  2 ++
 .../aide/package_aide_installed/rule.yml      |  3 +++
 .../ansible/sle12.yml                         | 13 ++++++++++
 .../rule.yml                                  |  8 +++++-
 shared/applicability/general.yml              |  4 +++
 .../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
 .../kernel_module_disabled/ansible.template   | 12 +++++++--
 .../kernel_module_disabled/bash.template      |  9 ++++++-
 .../kernel_module_disabled/oval.template      |  5 ++++
 sle12/product.yml                             |  1 +
 sle12/profiles/stig.profile                   | 25 +++++++++++++++++++
 37 files changed, 153 insertions(+), 18 deletions(-)
 create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
 create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml

diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
index 35ba09b0d0..3590a085b6 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
@@ -19,6 +19,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-80248-8
+    cce@sle12: CCE-83059-6
 
 references:
     stigid@sle12: SLES-12-030010
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 317eecdc3d..619b3f0b7d 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -27,6 +27,7 @@ severity: high
 identifiers:
     cce@rhel7: CCE-27165-0
     cce@rhel8: CCE-82182-7
+    cce@sle12: CCE-83084-4
 
 references:
     stigid@ol7: OL07-00-021710
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index 2e52219ece..d460411667 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27485-2
     cce@rhel8: CCE-82424-3
+    cce@sle12: CCE-83058-8
 
 references:
     stigid@ol7: OL07-00-040420
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index e59ddc0770..b9e07d71af 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -13,6 +13,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27311-0
     cce@rhel8: CCE-82428-4
+    cce@sle12: CCE-83057-0 
 
 references:
     stigid@ol7: OL07-00-040410
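Review bot: The added line `cce@sle12: CCE-83057-0 ` ends in a trailing space. The same happens on added `cce@sle12` or `stigid@sle12` lines in the hunks for sshd_enable_strictmodes, sshd_use_priv_separation, auditd_audispd_encrypt_sent_records, the ipv6 and both ipv4 accept_source_route rules, sysctl_net_ipv4_conf_default_send_redirects, dir_perms_world_writable_sticky_bits and package_MFEhiplsm_installed. YAML drops trailing blanks from a plain scalar, so the identifiers themselves are unaffected, but the lines will trip whitespace linters and `git diff --check`. Strip the trailing blanks before merging.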
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
index e07e436d60..f8d422c6c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index fe7e67c1c2..f8eec6a074 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80224-9
     cce@rhel8: CCE-80895-6
+    cce@sle12: CCE-83062-0
 
 references:
     stigid@ol7: OL07-00-040470
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 22b98c71a2..601f6a0ca2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80222-3
     cce@rhel8: CCE-80904-6
+    cce@sle12: CCE-83060-4  
 
 references:
     stigid@ol7: OL07-00-040450
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 2199d61ca9..c93ef6340f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27314-4
     cce@rhel8: CCE-80905-3
+    cce@sle12: CCE-83066-1
 
 references:
     stigid@ol7: OL07-00-040170
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index a0b8ed38ae..0ce5da30b2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80225-6
     cce@rhel8: CCE-82281-7
+    cce@sle12: CCE-83083-6
 
 references:
     stigid@ol7: OL07-00-040360
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 28ce48de8e..2180398855 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-82419-3
     cce@rhel8: CCE-82420-1
+    cce@sle12: CCE-83077-8
 
 references:
     srg: SRG-OS-000032-GPOS-00013
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 14d1acfd22..d65ddb6cd1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80223-1
     cce@rhel8: CCE-80908-7
+    cce@sle12: CCE-83061-2 
 
 references:
     stigid@ol7: OL07-00-040460
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index f3a0c85ea5..ff6b6eab42 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
 # reboot = false
 # strategy = unknown
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index a86ede70f8..637d8ee528 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Modify the System Login Banner'
 
@@ -52,6 +52,7 @@ identifiers:
     cce@rhel7: CCE-27303-7
     cce@rhel8: CCE-80763-6
     cce@rhcos4: CCE-82555-4
+    cce@sle12: CCE-83054-7
 
 references:
     stigid@ol7: OL07-00-010050
@@ -64,6 +65,7 @@ references:
     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
     vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
     stigid@rhel7: RHEL-07-010050
+    stigid@sle12: SLES-12-010030
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
     cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index 9d50a9d20c..536ac29569 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index e598f4e8cb..32412aa482 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -20,6 +20,7 @@ severity: low
 identifiers:
     cce@rhel7: CCE-82041-5
     cce@rhel8: CCE-80955-8
+    cce@sle12: CCE-83065-3
 
 references:
     stigid@ol7: OL07-00-040000
@@ -30,6 +31,7 @@ references:
     srg: SRG-OS-000027-GPOS-00008
     vmmsrg: SRG-OS-000027-VMM-000080
     stigid@rhel7: RHEL-07-040000
+    stigid@sle12: SLES-12-010120
     isa-62443-2013: 'SR 3.1,SR 3.8'
     isa-62443-2009: 4.3.3.4
     cobit5: DSS01.05,DSS05.02
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
index 23bcdf8641..007b23ba24 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
 # reboot = false
 # complexity = low
 # disruption = low
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index 4c27eb11fd..1943a00fb2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Encrypt Audit Records Sent With audispd Plugin'
 
@@ -26,6 +26,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80540-8
     cce@rhel8: CCE-80926-9
+    cce@sle12: CCE-83063-8 
 
 references:
     stigid@ol7: OL07-00-030310
@@ -33,6 +34,7 @@ references:
     nist: AU-9(3),CM-6(a)
     srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
     stigid@rhel7: RHEL-07-030310
+    stigid@sle12: SLES-12-030340 
     ospp: FAU_GEN.1.1.c
 
 ocil_clause: 'audispd is not encrypting audit records when sent over the network'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a3f78cb910..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
 
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel7: CCE-80179-5
     cce@rhel8: CCE-81013-5
     cce@rhcos4: CCE-82480-5
+    cce@sle12: CCE-83078-6 
 
 references:
     stigid@ol7: OL07-00-040830
@@ -33,6 +34,7 @@ references:
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-040830
+    stigid@sle12: SLES-12-030361  
     isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
     isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
     cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 0cd3dbc143..7bc4e3b9b7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
 
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel7: CCE-27434-0
     cce@rhel8: CCE-81011-9
     cce@rhcos4: CCE-82478-9
+    cce@sle12: CCE-83064-6 
 
 references:
     stigid@ol7: OL07-00-040610
@@ -33,6 +34,7 @@ references:
     nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-040610
+    stigid@sle12: SLES-12-030360
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
     isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
     cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index c48ec8de3d..f7ee2e9818 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
 
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel7: CCE-80162-1
     cce@rhel8: CCE-80920-2
     cce@rhcos4: CCE-82479-7
+    cce@sle12: CCE-83079-4  
 
 references:
     stigid@ol7: OL07-00-040620
@@ -34,6 +35,7 @@ references:
     nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-040620
+    stigid@sle12: SLES-12-030370 
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
     isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
     cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index ddf6b07758..861c3485f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
 
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel7: CCE-80999-6
     cce@rhel8: CCE-80921-0
     cce@rhcos4: CCE-82485-4
+    cce@sle12: CCE-83086-9 
 
 references:
     stigid@ol7: OL07-00-040650
@@ -31,6 +32,7 @@ references:
     nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-040650
+    stigid@sle12: SLES-12-030420 
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
     isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
     cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 0a829df187..e49942d1cc 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
 df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '{}' find '{}' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index d04df8df86..5bb3cf3713 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -34,6 +34,7 @@ identifiers:
     cce@rhel7: CCE-80130-8
     cce@rhel8: CCE-80783-4
     cce@rhcos4: CCE-82753-5
+    cce@sle12: CCE-83047-1
 
 references:
     cis@rhe8: 1.1.21
@@ -46,6 +47,7 @@ references:
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 12,13,14,15,16,18,3,5
     cis@sle15: 1.1.22
+    stigid@sle12: SLES-12-010460 
 
 ocil_clause: 'any world-writable directories are missing the sticky bit'
 
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index e664cf9215..faab0b8822 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Ensure All Files Are Owned by a User'
 
@@ -24,6 +24,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80134-0
     cce@rhel8: CCE-83499-4
+    cce@sle12: CCE-83072-9
 
 references:
     stigid@ol7: OL07-00-020320
@@ -40,6 +41,7 @@ references:
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 11,12,13,14,15,16,18,3,5,9
     cis@sle15: 6.1.11
+    stigid@sle12: SLES-12-010690
 
 ocil_clause: 'files exist that are not owned by a valid user'
 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index c78b570efb..24e77cc74e 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Disable Modprobe Loading of USB Storage Driver'
 
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel7: CCE-27277-3
     cce@rhel8: CCE-80835-2
     cce@rhcos4: CCE-82719-6
+    cce@sle12: CCE-83069-5
 
 references:
     stigid@ol7: OL07-00-020100
@@ -39,6 +40,7 @@ references:
     cis-csc: 1,12,15,16,5
     cis@rhel8: 1.1.23
     cis@sle15: 1.1.3
+    stigid@sle12: SLES-12-010580
 
 {{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
 
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 80d1856778..fe370a4323 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
 
 title: 'Encrypt Partitions'
 
@@ -14,6 +14,7 @@ description: |-
     option is selected the system will prompt for a passphrase to use in
     decrypting the partition. The passphrase will subsequently need to be entered manually
     every time the system boots.
+    {{% if product != "sle12" %}}
     <br /><br />
     For automated/unattended installations, it is possible to use Kickstart by adding
     the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
@@ -26,11 +27,14 @@ description: |-
     <br /><br />
     By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
     with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
+    {{% endif %}}
     <br /><br />
     Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
     the {{{ full_name }}} Documentation web site:<br />
     {{% if product in ["ol7", "ol8"] %}}
         {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
+    {{% elif product == "sle12" %}}
+        {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
     {{% else %}}
         {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
     {{% endif %}}
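Review bot: The added sle12 `weblink` line has no trailing period, while the ol7/ol8 branch and the default branch both end in `}}}.`, so the rendered description ends differently depending on the product; append `.` after the closing `}}}`. The link also targets the `sled-12` security guide although the rule is being mapped to a SLES-12 STIG id, so it is worth confirming that this is the intended document and that the URL still resolves. The `{{% if product != "sle12" %}}` that the added `{{% endif %}}` closes is opened in the previous hunk of this file.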
@@ -45,6 +49,7 @@ severity: high
 identifiers:
     cce@rhel7: CCE-27128-8
     cce@rhel8: CCE-80789-1
+    cce@sle12: CCE-83046-3
 
 references:
     cui: 3.13.16
@@ -58,6 +63,7 @@ references:
     isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
     cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
     cis-csc: 13,14
+    stigid@sle12: SLES-12-010450
 
 ocil_clause: 'partitions do not have a type of crypto_LUKS'
 
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
index f96cfc925b..c0bf1ee908 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-80368-4
+    cce@sle12: CCE-83071-1
 
 references:
     disa: CCI-000366,CCI-001263
@@ -31,6 +32,7 @@ references:
     iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
     cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
     stigid@rhel7: RHEL-07-020019
+    stigid@sle12: SLES-12-010599 
 
 ocil_clause: 'the HBSS HIPS module is not installed'
 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 699992b48c..23e939bbec 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27096-7
     cce@rhel8: CCE-80844-4
+    cce@sle12: CCE-83048-9
 
 references:
     cis@rhel8: 1.4.1
@@ -30,6 +31,8 @@ references:
     srg: SRG-OS-000363-GPOS-00150
     cis@sle15: 1.4.1
     ism: 1034,1288,1341,1417
+    stigid@sle12: SLES-12-010500
+    disa@sle12: CCI-002699
 
 ocil_clause: 'the package is not installed'
 
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
new file mode 100644
index 0000000000..6fca48166a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: Ensure GPG check is globally activated (zypper)
+  ini_file:
+    dest: /etc/zypp/zypp.conf
+    section: main
+    option: gpgcheck
+    value: 1
+    no_extra_spaces: yes
+    create: False
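Review bot: This task sets only the `[main]` default in /etc/zypp/zypp.conf. As far as I know, a `gpgcheck=0` in a repository file under /etc/zypp/repos.d still takes precedence for that repository, so a header comment such as `# Sets the global default only; per-repository overrides are not touched` would stop a pass being read as full coverage. The path is also hard-coded although this commit adds `pkg_manager_config_file` to sle12/product.yml; `dest: {{{ pkg_manager_config_file }}}` would keep the two in step, assuming remediations are expanded with product variables (not confirmed from this page). Smaller points: `# strategy = unknown` could be `# strategy = configure`, and quoting `value: "1"` avoids relying on integer-to-string coercion.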
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 24cef5499c..1f86aff1e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
 
 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
 
@@ -33,6 +33,7 @@ severity: high
 identifiers:
     cce@rhel7: CCE-26989-4
     cce@rhel8: CCE-80790-9
+    cce@sle12: CCE-83068-7
 
 references:
     stigid@ol7: OL07-00-020050
@@ -54,6 +55,7 @@ references:
     iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
     cis-csc: 11,2,3,9
     anssi: BP28(R15)
+    stigid@sle12: SLES-12-010550
 
 ocil_clause: 'GPG checking is not enabled'
 
@@ -66,4 +68,8 @@ ocil: |-
     <tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
     disabled.
 
+{{% if product == 'sle12' %}}
+platform: zypper
+{{% else %}}
 platform: yum
+{{% endif %}}
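Review bot: The `platform` switch tests `product == 'sle12'`, but the `prodtype` line in this file's first hunk also lists `sle15`, which falls into the `else` branch and gets `platform: yum`. If SLE 15 uses zypper as SLE 12 does, the rule's applicability there would hinge on a package that is not its package manager, and the check could be reported as not applicable instead of evaluated. The title already uses `{{{ pkg_manager }}}`, so keying on it avoids a per-product list: `{{% if pkg_manager == "zypper" %}}`. The sle15 product definition is not on this page, so this needs confirming before the change.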
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index a6581fd713..7382b7dd30 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -74,3 +74,7 @@ cpes:
       title: "Package yum is installed"
       check_id: installed_env_has_yum_package
 
+  - zypper:
+      name: "cpe:/a:zypper"
+      title: "Package zypper is installed"
+      check_id: installed_env_has_zypper_package
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
new file mode 100644
index 0000000000..cf14e6af3c
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_zypper_package" version="1">
+    <metadata>
+      <title>Package zypper is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_sle</platform>
+      </affected>
+      <description>Checks if package zypper is installed.</description>
+      <reference ref_id="cpe:/a:zypper" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+  id="test_env_has_zypper_installed" version="1"
+  comment="system has package zypper installed">
+    <linux:object object_ref="obj_env_has_zypper_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
+    <linux:name>zypper</linux:name>
+  </linux:rpminfo_object>
+</def-group>
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 47deee6e54..c4a83ad325 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,12 +1,20 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
+{{% if product == "sle12" %}}
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
+  lineinfile:
+    create: yes
+    dest: "/etc/modprobe.d/50-blacklist.conf"
+    regexp: '^blacklist {{{ KERNMODULE }}}$'
+    line: "blacklist {{{ KERNMODULE }}}"
+{{% else %}}
 - name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
   lineinfile:
     create: yes
     dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
     regexp: '{{{ KERNMODULE }}}'
     line: "install {{{ KERNMODULE }}} /bin/true"
-
+{{% endif %}}
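Review bot: The sle12 branch writes only `blacklist {{{ KERNMODULE }}}`, which is weaker than the `install {{{ KERNMODULE }}} /bin/true` line the other branch keeps. Per modprobe.d(5), `blacklist` only makes modprobe ignore the module's aliases, so automatic loading stops but an explicit `modprobe` of the module name still works. If the SLES-12 STIG text (not shown here) permits it, the sle12 branch should write both lines, as sketched below. The same applies to the sle12 branches in bash.template and oval.template, where the OVAL pattern `^blacklist\s+{{{ KERNMODULE }}}$` passes on the blacklist entry alone. Separately, the regexp here uses one literal space where the OVAL check accepts `\s+`, so a tab-separated entry would be appended a second time.

```yaml
# … unchanged: sle12 'blacklist' lineinfile task …
- name: Ensure kernel module '{{{ KERNMODULE }}}' cannot be loaded on request
  lineinfile:
    create: yes
    dest: "/etc/modprobe.d/50-blacklist.conf"
    regexp: '^install\s+{{{ KERNMODULE }}}\s'
    line: "install {{{ KERNMODULE }}} /bin/true"
{{% else %}}
```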
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
index 42c0830b5f..f70a9925cd 100644
--- a/shared/templates/kernel_module_disabled/bash.template
+++ b/shared/templates/kernel_module_disabled/bash.template
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+        echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
 if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
 	sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 else
 	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 	echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 fi
+{{% endif %}}
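Review bot: The `sed` in the non-SLE branch (a context line this commit leaves untouched) uses `/` as the `s` delimiter while its replacement contains `/bin/true`. As rendered here sed would reject the expression, leaving an existing `install` line that points at something else uncorrected. A different delimiter fixes it: `sed -i 's#^install {{{ KERNMODULE }}}.*#install {{{ KERNMODULE }}} /bin/true#g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf`. In the new sle12 branch, `grep -q` prints an error when /etc/modprobe.d/50-blacklist.conf does not exist yet; `grep -qs` keeps the remediation output clean while the append still creates the file.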
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@
 
   <ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
   version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
+    {{% if product == "sle12" %}}
+    <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
+    {{% else %}}
     <ind:path>/etc/modprobe.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
 init_system: "systemd"
 
 pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
 oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
 
 cpes_root: "../shared/applicability"
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 6cf3339569..15c4f70336 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -12,34 +12,59 @@ selections:
     - account_temp_expire_date
     - accounts_have_homedir_login_defs
     - accounts_logon_fail_delay
+    - accounts_max_concurrent_login_sessions
     - accounts_maximum_age_login_defs
+    - accounts_minimum_age_login_defs
     - accounts_no_uid_except_zero
     - accounts_password_set_max_life_existing
     - accounts_password_set_min_life_existing
     - accounts_umask_etc_login_defs
+    - auditd_audispd_encrypt_sent_records
     - auditd_data_disk_full_action
     - auditd_data_retention_action_mail_acct
     - auditd_data_retention_space_left
+    - banner_etc_issue
     - banner_etc_motd
+    - dir_perms_world_writable_sticky_bits
     - disable_ctrlaltdel_reboot
+    - encrypt_partitions
+    - ensure_gpgcheck_globally_activated
+    - file_permissions_sshd_private_key
+    - file_permissions_sshd_pub_key
+    - ftp_present_banner
     - gnome_gdm_disable_automatic_login
     - grub2_password
     - grub2_uefi_password
     - installed_OS_is_vendor_supported
+    - kernel_module_usb-storage_disabled
     - no_empty_passwords
+    - no_files_unowned_by_user
     - no_host_based_files
     - no_user_host_based_files
+    - package_MFEhiplsm_installed
+    - package_aide_installed
     - package_audit-audispd-plugins_installed
     - package_audit_installed
+    - package_telnet-server_removed
     - postfix_client_configure_mail_alias
     - security_patches_up_to_date
     - service_auditd_enabled
     - set_password_hashing_algorithm_logindefs
+    - sshd_disable_compression
     - sshd_disable_empty_passwords
     - sshd_disable_user_known_hosts
     - sshd_do_not_permit_user_env
+    - sshd_enable_strictmodes
+    - sshd_enable_warning_banner
     - sshd_enable_x11_forwarding
+    - sshd_print_last_log
     - sshd_set_idle_timeout
     - sshd_set_keepalive
+    - sshd_set_loglevel_verbose
+    - sshd_use_priv_separation
     - sudo_remove_no_authenticate
     - sudo_remove_nopasswd
+    - sysctl_net_ipv4_conf_all_accept_source_route
+    - sysctl_net_ipv4_conf_default_accept_source_route
+    - sysctl_net_ipv4_conf_default_send_redirects
+    - sysctl_net_ipv6_conf_all_accept_source_route