ComplianceAsCode · Mab879 · Jan 6, 2026 · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
@@ -6,4 +6,11 @@
 
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
 
-{{{ ansible_ini_file_set("/etc/systemd/logind.conf", "Login", "StopIdleSessionSec", "{{ var_logind_session_timeout }}") }}}
+{{% if product in ["sle15", "sle16"] %}}
+# create drop-in in the /etc/systemd/logind.conf.d/ directory
+{{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
+{{% else %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
+{{% endif %}}
+
+{{{ ansible_ini_file_set(logind_conf_file, "Login", "StopIdleSessionSec", "{{ var_logind_session_timeout }}") }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -2,4 +2,12 @@
 
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
 
-{{{ bash_ini_file_set("/etc/systemd/logind.conf", "Login", "StopIdleSessionSec", "$var_logind_session_timeout", rule_id=rule_id) }}}
+{{% if product in ["sle15", "sle16"] %}}
+# create drop-in in the /etc/systemd/logind.conf.d/ directory
+{{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
+{{% else %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
+{{% endif %}}
+
+
+{{{ bash_ini_file_set(logind_conf_file, "Login", "StopIdleSessionSec", "$var_logind_session_timeout", rule_id=rule_id) }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml
@@ -1,12 +1,39 @@
+{{% if product in ["sle15", "sle16"] %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}}
+{{% else %}}
+{{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
+{{% endif %}}
+
 <def-group>
   <definition class="compliance" id="logind_session_timeout" version="1">
+    {{% if product in ["sle15", "sle16"] %}}
+    {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}}
+    <criteria comment="logind is configured correctly and configuration file exists" operator="AND">
+      <criterion comment="Check the StopIdleSessionSec in {{{ logind_conf_file }}}" test_ref="test_logind_session_timeout_drop_in"/>
+    </criteria>
+    {{% else %}}
     {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in /etc/systemd/logind.conf", rule_title=rule_title) }}}
     <criteria comment="logind is configured correctly and configuration file exists" operator="AND">
       <criterion comment="Check the StopIdleSessionSec in /etc/systemd/logind.conf" test_ref="test_logind_session_timeout"/>
       <criterion comment="test if configuration file /etc/systemd/logind.conf exists for logind_session_timeout" test_ref="test_logind_session_timeout_config_file_exists"/>
     </criteria>
+    {{% endif %}}
   </definition>
 
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="tests the value of StopIdleSessionSec setting in the {{{ logind_conf_file }}} file"
+  id="test_logind_session_timeout_drop_in" version="1">
+    <ind:object object_ref="obj_logind_session_timeout_drop_in"/>
+    <ind:state state_ref="state_logind_session_timeout"/>
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_logind_session_timeout_drop_in" version="1">
+    <ind:path>{{{ logind_conf_file }}}</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of StopIdleSessionSec setting in the /etc/systemd/logind.conf file" id="test_logind_session_timeout" version="1">
     <ind:object object_ref="obj_logind_session_timeout"/>
     <ind:state state_ref="state_logind_session_timeout"/>
@@ -17,13 +44,13 @@
   </unix:file_test>
 
   <ind:textfilecontent54_object id="obj_logind_session_timeout" version="1">
-    <ind:filepath>/etc/systemd/logind.conf</ind:filepath>
+    <ind:filepath>{{{ logind_conf_file }}}</ind:filepath>
     <ind:pattern operation="pattern match">^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <unix:file_object id="obj_logind_session_timeout_config_file" comment="The configuration file /etc/systemd/logind.conf for logind_session_timeout" version="1">
-    <unix:filepath operation="pattern match">^/etc/systemd/logind.conf</unix:filepath>
+    <unix:filepath operation="pattern match">^{{{ logind_conf_file }}}</unix:filepath>
   </unix:file_object>
 
   <ind:textfilecontent54_state id="state_logind_session_timeout" version="1">

diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
@@ -20,11 +20,14 @@ severity: medium
 platforms:
     - os_linux[rhel]>=8.7 and os_linux[rhel]!=9.0
     - os_linux[ol]>=8.7
+    - os_linux[sles]>=15
 
 identifiers:
     cce@rhel8: CCE-90784-0
     cce@rhel9: CCE-90785-7
     cce@rhel10: CCE-88334-8
+    cce@sle15: CCE-92692-3
+    cce@sle16: CCE-96699-4
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# this file prepares unified test environment used by other scenarios
+# These should be tuned per product to match defaults
+
+{{% if product in ["sle15", "sle16"] %}}
+LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf"
+mkdir -p /etc/systemd/logind.conf.d/
+{{% else %}}
+LOGIND_CONF_FILE="/etc/systemd/logind.conf"
+{{% endif %}}
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 StopIdleSessionSec=300
 EOM
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 SomeOtherValue=123
 StopIdleSessionSec=300

@@ -1,4 +1,5 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
-echo "StopIdleSessionSec=300" > /etc/systemd/logind.conf
+echo "StopIdleSessionSec=300" > "$LOGIND_CONF_FILE"
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Logind]
 StopIdleSessionSec=300
 EOM
@@ -1,3 +1,4 @@
 #!/bin/bash
+source common.sh
 
-rm -f /etc/systemd/logind.conf
+rm -f "$LOGIND_CONF_FILE"
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
-cat > /etc/systemd/logind.conf << EOM
+cat > "$LOGIND_CONF_FILE" << EOM
 [Login]
 StopIdleSessionSec=310
 EOM
@@ -1,7 +1,8 @@
 #!/bin/bash
 # variables = var_logind_session_timeout = 5_minutes
+source common.sh
 
 mkdir -p /etc/systemd
-touch /etc/systemd/logind.conf
+touch "$LOGIND_CONF_FILE"
 
-sed -i '/^.*StopIdleSessionSec.*$/d' /etc/systemd/logind.conf
+sed -i '/^.*StopIdleSessionSec.*$/d' "$LOGIND_CONF_FILE"
@@ -74,7 +74,6 @@ selections:
     - accounts_password_pam_pwhistory_remember
 
     # The following rules are not applicable to SLE 15
-    - '!logind_session_timeout'
     - '!ldap_client_start_tls'
     - '!audit_rules_mac_modification_etc_selinux'
     - '!no_nis_in_nsswitch'

@@ -99,7 +99,6 @@ selections:
     - accounts_password_pam_pwhistory_remember
 
     # The following rules are not applicable to SLE 15
-    - '!logind_session_timeout'
     - '!ldap_client_start_tls'
     - '!ldap_client_tls_cacertpath'
     - '!service_chronyd_enabled'

@@ -69,7 +69,6 @@ selections:
     - accounts_password_pam_pwhistory_remember
 
     # The following rules are not applicable to SLE 15
-    - '!logind_session_timeout'
     - '!ldap_client_start_tls'
     - '!ldap_client_tls_cacertpath'
     - '!no_nis_in_nsswitch'
@@ -23,3 +23,4 @@ selections:
     - grub2_nosmep_argument_absent
     - grub2_audit_argument
     - directory_access_var_log_audit
+    - logind_session_timeout
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -73,4 +73,3 @@ CCE-92688-1
 CCE-92689-9
 CCE-92690-7
 CCE-92691-5
-CCE-92692-3
diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt
@@ -979,4 +979,3 @@ CCE-96695-2
 CCE-96696-0
 CCE-96697-8
 CCE-96698-6
-CCE-96699-4