From f5ed84126d03cbaf9267048eb11bc41e2256ebf7 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Fri, 2 Jan 2026 12:11:49 +0200
Subject: [PATCH 1/5] Add support for sle 15/16 for the logind_session_timeout rule
---
 .../accounts/accounts-physical/logind_session_timeout/rule.yml | 3 +++
 shared/references/cce-sle15-avail.txt | 1 -
 shared/references/cce-sle16-avail.txt | 1 -
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
index 0998625c41b5..0a3c6db76c18 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
@@ -20,11 +20,14 @@ severity: medium platforms: - os_linux[rhel]>=8.7 and os_linux[rhel]!=9.0 - os_linux[ol]>=8.7 + - os_linux[sles]>=15 identifiers: cce@rhel8: CCE-90784-0 cce@rhel9: CCE-90785-7 cce@rhel10: CCE-88334-8 + cce@sle15: CCE-92692-3 + cce@sle16: CCE-96699-4 references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index 4e7c6ead4ea4..41808cb6dcdc 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -73,4 +73,3 @@ CCE-92688-1
 CCE-92689-9
 CCE-92690-7
 CCE-92691-5
-CCE-92692-3
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
index d65c5b74c7e5..9c06bcbea80e 100644
--- a/shared/references/cce-sle16-avail.txt
+++ b/shared/references/cce-sle16-avail.txt
@@ -979,4 +979,3 @@ CCE-96695-2
 CCE-96696-0
 CCE-96697-8
 CCE-96698-6
-CCE-96699-4
From d78079423169d3bfe74bd89a058aed4c52aa2163 Mon Sep 17 00:00:00 2001
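Review bot: The new platform entry `- os_linux[sles]>=15` admits every SLE 15 service pack, while the RHEL entry beside it (`>=8.7`, `!=9.0`) is deliberately bounded to releases whose systemd understands `StopIdleSessionSec=`, an option that only exists from systemd v252 onward. If early SLE 15 service packs ship an older systemd — worth confirming against the product's package versions — the rule becomes applicable there but is neither checkable nor remediable, which is a permanent fail in every profile that selects it. Consider narrowing the expression to the first service pack whose systemd supports the option and recording the reason next to it, e.g. `# StopIdleSessionSec= requires systemd >= 252`. The two cce-*-avail.txt hunks are plain removals of the identifiers consumed here and need nothing.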
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Fri, 2 Jan 2026 12:12:39 +0200
Subject: [PATCH 2/5] Add logind_session_timeout rule for sle15/16 relevant profiles
---
 products/sle15/profiles/anssi_bp28_enhanced.profile | 1 -
 products/sle15/profiles/anssi_bp28_high.profile | 1 -
 products/sle15/profiles/anssi_bp28_intermediary.profile | 1 -
 products/sle16/profiles/base.profile | 1 +
 4 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/products/sle15/profiles/anssi_bp28_enhanced.profile b/products/sle15/profiles/anssi_bp28_enhanced.profile
index 524e733a55be..ecd54b8d3f83 100644
--- a/products/sle15/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle15/profiles/anssi_bp28_enhanced.profile
@@ -74,7 +74,6 @@ selections: - accounts_password_pam_pwhistory_remember # The following rules are not applicable to SLE 15 - - '!logind_session_timeout' - '!ldap_client_start_tls' - '!audit_rules_mac_modification_etc_selinux' - '!no_nis_in_nsswitch'
diff --git a/products/sle15/profiles/anssi_bp28_high.profile b/products/sle15/profiles/anssi_bp28_high.profile
index 0cb8cabe646f..9f6751e4eebf 100644
--- a/products/sle15/profiles/anssi_bp28_high.profile
+++ b/products/sle15/profiles/anssi_bp28_high.profile
@@ -99,7 +99,6 @@ selections: - accounts_password_pam_pwhistory_remember # The following rules are not applicable to SLE 15 - - '!logind_session_timeout' - '!ldap_client_start_tls' - '!ldap_client_tls_cacertpath' - '!service_chronyd_enabled'
diff --git a/products/sle15/profiles/anssi_bp28_intermediary.profile b/products/sle15/profiles/anssi_bp28_intermediary.profile
index a74522ff4c84..a5f7082561aa 100644
--- a/products/sle15/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle15/profiles/anssi_bp28_intermediary.profile
@@ -69,7 +69,6 @@ selections: - accounts_password_pam_pwhistory_remember # The following rules are not applicable to SLE 15 - - '!logind_session_timeout' - '!ldap_client_start_tls' - '!ldap_client_tls_cacertpath' - '!no_nis_in_nsswitch'
diff --git a/products/sle16/profiles/base.profile b/products/sle16/profiles/base.profile
index 3de62b8b8209..f67df059b40b 100644
--- a/products/sle16/profiles/base.profile
+++ b/products/sle16/profiles/base.profile
@@ -23,3 +23,4 @@ selections: - grub2_nosmep_argument_absent - grub2_audit_argument - directory_access_var_log_audit + - logind_session_timeout
From f1670161d72faeae64d5750737ce1b37483901f4 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Fri, 2 Jan 2026 12:14:40 +0200
Subject: [PATCH 3/5] Add specifics for sle15/sle16 for logind_session_timeout rule
---
 .../logind_session_timeout/ansible/shared.yml | 9 ++++++++-
 .../logind_session_timeout/bash/shared.sh | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
index 32a220c947aa..13dbf9ec612f 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
@@ -6,4 +6,11 @@
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
-{{{ ansible_ini_file_set("/etc/systemd/logind.conf", "Login", "StopIdleSessionSec", "{{ var_logind_session_timeout }}") }}}
+{{% if product in ["sle15", "sle16"] %}}
+# create drop-in in the /etc/systemd/logind.conf.d/ directory
+{{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
+{{% else %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
+{{% endif %}}
+
+{{{ ansible_ini_file_set(logind_conf_file, "Login", "StopIdleSessionSec", "{{ var_logind_session_timeout }}") }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
index b8ee61e2e8a1..72a2ca90de7e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -2,4 +2,12 @@
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
-{{{ bash_ini_file_set("/etc/systemd/logind.conf", "Login", "StopIdleSessionSec", "$var_logind_session_timeout", rule_id=rule_id) }}}
+{{% if product in ["sle15", "sle16"] %}}
+# create drop-in in the /etc/systemd/logind.conf.d/ directory
+{{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
+{{% else %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
+{{% endif %}}
+
+
+{{{ bash_ini_file_set(logind_conf_file, "Login", "StopIdleSessionSec", "$var_logind_session_timeout", rule_id=rule_id) }}}
From 29b8e1322dd4693c24ffcd5144bca883895dc896 Mon Sep 17 00:00:00 2001
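Review bot: On SLE the new `logind_conf_file` points at a drop-in under `/etc/systemd/logind.conf.d/`, but neither this Ansible hunk nor the bash hunk below it creates that directory before `ansible_ini_file_set` / `bash_ini_file_set` writes the file; the test helper added in patch 5 has to `mkdir -p` it, which suggests it is not guaranteed to exist on a fresh system. Unless the two macros are known to create parent directories — their definitions are not visible here — add an explicit step before the write, e.g. `mkdir -p /etc/systemd/logind.conf.d` in bash/shared.sh and an `ansible.builtin.file` task with `state: directory` in ansible/shared.yml, keeping the directory root-owned and not group/world-writable so the drop-in cannot be replaced by an unprivileged user. The same product/path selection block is now duplicated in both remediations, in oval/shared.xml and in tests/common.sh; a single shared Jinja macro returning the path would keep the four copies from drifting. The `# create drop-in in the /etc/systemd/logind.conf.d/ directory` comment says what but not why; state the reason a drop-in is preferred on SLE (presumably to leave the package-managed `/etc/systemd/logind.conf` untouched across updates — confirm before writing it).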
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Fri, 2 Jan 2026 12:15:58 +0200
Subject: [PATCH 4/5] Use variable for the configuration logind configuration
---
 .../logind_session_timeout/oval/shared.xml | 31 +++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml
index 10212f6702a1..e4466d9b0c9b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml
@@ -1,12 +1,39 @@ +{{% if product in ["sle15", "sle16"] %}} +{{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}} +{{% else %}} +{{% set logind_conf_file = "/etc/systemd/logind.conf" %}} +{{% endif %}} + + {{% if product in ["sle15", "sle16"] %}} + {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}} + + + + {{% else %}} {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in /etc/systemd/logind.conf", rule_title=rule_title) }}} + {{% endif %}} + + + + + + + {{{ logind_conf_file }}} + ^.*\.conf$ + ^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + @@ -17,13 +44,13 @@ - /etc/systemd/logind.conf + {{{ logind_conf_file }}} ^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - ^/etc/systemd/logind.conf + ^{{{ logind_conf_file }}}
From 5579c54bd523f5b508f9f6c5f1556444a8d5e129 Mon Sep 17 00:00:00 2001
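Review bot: The SLE branch's `{{{ oval_metadata("… in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}}` nests a variable block inside a string literal of another variable block; Jinja tokenises the quoted text as one string, so the rendered description will contain the literal characters `{{{ logind_conf_file }}}` instead of the path (unless the output is rendered a second time, which I cannot see from here). Concatenate instead, `{{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in " ~ logind_conf_file, rule_title=rule_title) }}}`, which also makes the `{{% if %}}`/`{{% else %}}` around the two metadata calls redundant. Separately, on SLE the object now enumerates every `*.conf` under `/etc/systemd/logind.conf.d/` and ignores `/etc/systemd/logind.conf`; systemd applies drop-ins after the main file in lexical order with the last assignment winning, so whether a lexically later drop-in with a different or zero `StopIdleSessionSec` is caught depends on the test's check semantics, which this rendering of the hunk (its XML element names are lost) does not let me confirm — an XML comment stating exactly what the SLE check does and does not assert would help the next reader. `logind_conf_file` also denotes a directory on SLE and a file elsewhere and is reused unescaped inside the `^{{{ logind_conf_file }}}` regex in the second hunk; a name such as `logind_conf_path` with the dots escaped would make both uses explicit.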
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Fri, 2 Jan 2026 12:17:22 +0200
Subject: [PATCH 5/5] Adapt tests in logind_session_timeout
---
 .../logind_session_timeout/tests/common.sh | 11 +++++++++++
 .../logind_session_timeout/tests/correct.pass.sh | 3 ++-
 .../tests/correct_not_directly_after_section.pass.sh | 3 ++-
 .../tests/correct_value_no_section.fail.sh | 3 ++-
 .../tests/correct_value_wrong_section.fail.sh | 3 ++-
 .../logind_session_timeout/tests/file_missing.fail.sh | 3 ++-
 .../logind_session_timeout/tests/incorrect.fail.sh | 3 ++-
 .../tests/not_configured.fail.sh | 5 +++--
 8 files changed, 26 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh
new file mode 100644
index 000000000000..441b663d9240
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# this file prepares unified test environment used by other scenarios
+# These should be tuned per product to match defaults
+
+{{% if product in ["sle15", "sle16"] %}}
+LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf"
+mkdir -p /etc/systemd/logind.conf.d/
+{{% else %}}
+LOGIND_CONF_FILE="/etc/systemd/logind.conf"
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct.pass.sh
index 6a359582afec..374d101c3589 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct.pass.sh
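Review bot: On SLE every scenario that sources this helper (correct.pass.sh, correct_not_directly_after_section.pass.sh, correct_value_no_section.fail.sh, correct_value_wrong_section.fail.sh, file_missing.fail.sh, incorrect.fail.sh and not_configured.fail.sh) writes or removes only `oscap-idle-sessions.conf`, yet the SLE check introduced in patch 4 evaluates every `*.conf` in `/etc/systemd/logind.conf.d/`, so a pre-existing drop-in in the test image that already sets `StopIdleSessionSec` can make a `.fail.sh` scenario pass or a `.pass.sh` scenario fail regardless of the scenario's own content. Unless the test images are known to start with an empty drop-in directory, have the SLE branch clear the other drop-ins after the `mkdir -p`, e.g. `find /etc/systemd/logind.conf.d/ -name '*.conf' ! -name 'oscap-idle-sessions.conf' -delete`, so each scenario is self-contained. The header comment `# These should be tuned per product to match defaults` is vague about what is product-specific; say it directly: `# On SLE the check and remediation use a drop-in file; elsewhere the main logind.conf`. Note also that this `mkdir -p` is the only place in the series that creates the directory on SLE, which is fine for the tests but should not be what the remediation relies on.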
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 StopIdleSessionSec=300
 EOM
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_not_directly_after_section.pass.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_not_directly_after_section.pass.sh
index d7424e473348..e42bc83f74e1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_not_directly_after_section.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_not_directly_after_section.pass.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 SomeOtherValue=123
 StopIdleSessionSec=300
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_no_section.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_no_section.fail.sh
index 7d8d41e9e99e..4ae0ebea3d4c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_no_section.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_no_section.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
-echo "StopIdleSessionSec=300" > /etc/systemd/logind.conf
+echo "StopIdleSessionSec=300" > "$LOGIND_CONF_FILE"
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_wrong_section.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_wrong_section.fail.sh
index 586257803bf2..d8d06769b6af 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_wrong_section.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/correct_value_wrong_section.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Logind]
 StopIdleSessionSec=300
 EOM
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/file_missing.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/file_missing.fail.sh
index d92323203105..c3538f2b77ea 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/file_missing.fail.sh
@@ -1,3 +1,4 @@
 #!/bin/bash
+source common.sh
-rm -f /etc/systemd/logind.conf
+rm -f "$LOGIND_CONF_FILE"
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/incorrect.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/incorrect.fail.sh
index 56d31b701588..4eb9bc09ca4d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/incorrect.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/incorrect.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 StopIdleSessionSec=310
 EOM
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/not_configured.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/not_configured.fail.sh
index 918998f0a92d..2b5b09d442d4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/not_configured.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/not_configured.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 mkdir -p /etc/systemd
-touch /etc/systemd/logind.conf
+touch "$LOGIND_CONF_FILE"
-sed -i '/^.*StopIdleSessionSec.*$/d' /etc/systemd/logind.conf
+sed -i '/^.*StopIdleSessionSec.*$/d' "$LOGIND_CONF_FILE"