ComplianceAsCode · teacup-on-rockingchair · Feb 23, 2026 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml
@@ -6,14 +6,31 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("One of the following parameters of the sshd configuration file is set:  AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}}
+    {{% if product in [ 'sle16', 'slmicro6' ] %}}
+    <criteria operator="AND">
+        <criterion comment="test if SSH main configuration {{{ sshd_main_config }}} exists for {{{ rule_id }}}"
+            test_ref="test_{{{ rule_id }}}_config_file_exists"/>
+        <criteria operator="OR">
+            <criterion test_ref="test_allow_user_is_configured" />
+            <criterion test_ref="test_allow_group_is_configured" />
+            <criterion test_ref="test_deny_user_is_configured" />
+            <criterion test_ref="test_deny_group_is_configured" />
+        </criteria>
+    </criteria>
+    {{% else %}}
     <criteria operator="OR">
       <criterion test_ref="test_allow_user_is_configured" />
       <criterion test_ref="test_allow_group_is_configured" />
       <criterion test_ref="test_deny_user_is_configured" />
       <criterion test_ref="test_deny_group_is_configured" />
     </criteria>
+    {{% endif %}}
   </definition>
 
+  {{% if product in [ 'sle16', 'slmicro6' ] %}}
+  {{{ oval_config_file_exists_test(sshd_main_config, rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object(sshd_main_config, rule_id=rule_id) }}}
+  {{% endif %}}
   <ind:textfilecontent54_test id="test_allow_user_is_configured" version="1" check="all"
     check_existence="only_one_exists" comment="Check if there is an AllowUsers entry">
     <ind:object object_ref="obj_allow_user" />

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml
@@ -1,4 +1,4 @@
 #!/bin/bash
 
 source common.sh
-echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
+echo "AllowGroups testgroup1 testgroup2 testgroup3" >> "{{{ sshd_main_config_file }}}"
@@ -1,4 +1,5 @@
 #!/bin/bash
 # platform = SUSE Linux Enterprise 16
 source common.sh
-echo "AllowGroups group" >> /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+touch "{{{ sshd_main_config_file }}}"
+echo "AllowGroups group" >> "{{{ sshd_config_dir }}}/01-complianceascode-reinforce-os-defaults.conf"
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = none
+# platform = SUSE Linux Enterprise 16
+source common.sh
+echo "AllowGroups group" >> "{{{ sshd_config_dir }}}/01-complianceascode-reinforce-os-defaults.conf"
@@ -1,4 +1,4 @@
 #!/bin/bash
 
 source common.sh
-echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
+echo "AllowUsers testuser1 testuser2 testuser3" >> "{{{ sshd_main_config_file }}}"
@@ -1,5 +1,5 @@
 #!/bin/bash
 
 source common.sh
-echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
-echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
+echo "AllowUsers testuser1 testuser2 testuser3" >> "{{{ sshd_main_config_file }}}"
+echo "AllowGroups testgroup1 testgroup2 testgroup3" >> "{{{ sshd_main_config_file }}}"
@@ -1,15 +1,15 @@
 #!/bin/bash
 
-declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
-{{% if product == 'sle16' %}}
-SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}")
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+SSHD_PATHS+=("{{{ sshd_config_dir }}}/*")
 {{% endif %}}
 # clean up configurations
 sed -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}"
 
-# restore to defaults for sle16
-{{% if product == 'sle16' %}}
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    rm /etc/ssh/sshd_config
+# restore to defaults for sle16 and slmicro6
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+if [ -e "{{{ sshd_main_config_file }}}" ] ; then
+    rm "{{{ sshd_main_config_file }}}"
 fi
 {{% endif %}}
@@ -3,5 +3,5 @@
 # platform = SUSE Linux Enterprise 16
 source common.sh
 
-touch /etc/ssh/sshd_config
+touch "{{{ sshd_main_config_file }}}"
 echo "DenyGroups testgroup" >> /usr/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
 #!/bin/bash
 
 source common.sh
-echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
+echo "DenyGroups testgroup1 testgroup2 testgroup3" >> "{{{ sshd_main_config_file }}}"
@@ -1,4 +1,4 @@
 #!/bin/bash
 
 source common.sh
-echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
+echo "DenyUsers testuser1 testuser2 testuser3" >> "{{{ sshd_main_config_file }}}"
@@ -1,5 +1,5 @@
 #!/bin/bash
 
 source common.sh
-echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
-echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
+echo "DenyUsers testuser1 testuser2 testuser3" >> "{{{ sshd_main_config_file }}}"
+echo "DenyGroups testgroup1 testgroup2 testgroup3" >> "{{{ sshd_main_config_file }}}"
@@ -2,5 +2,5 @@
 # remediation = none
 
 source common.sh
-echo "AllowGroups " >> /etc/ssh/sshd_config
-echo "DenyGroups " >> /etc/ssh/sshd_config
+echo "AllowGroups " >> "{{{ sshd_main_config_file }}}"
+echo "DenyGroups " >> "{{{ sshd_main_config_file }}}"
@@ -2,5 +2,5 @@
 # remediation = none
 
 source common.sh
-echo "AllowUsers " >> /etc/ssh/sshd_config
-echo "DenyUsers " >> /etc/ssh/sshd_config
+echo "AllowUsers " >> "{{{ sshd_main_config_file }}}"
+echo "DenyUsers " >> "{{{ sshd_main_config_file }}}"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml
@@ -29,6 +29,10 @@
         definition_ref="package_openssh-server_installed" />
         {{% endif %}}
         <criteria comment="ClientAliveInterval is configured correctly" operator="AND">
+          {{%- if product in ["sle16", "slmicro6"] %}}
+          <criterion comment="test if configuration file {{{ sshd_main_config }}} exists for {{{ rule_id }}}"
+              test_ref="test_{{{ rule_id }}}_config_file_exists"/>
+          {{%- endif %}}
           <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
           test_ref="test_sshd_idle_timeout" />
           {{%- if sshd_distributed_config == "true" %}}
@@ -48,6 +52,10 @@
     </criteria>
   </definition>
 
+  {{%- if product in ["sle16", "slmicro6"] %}}
+  {{{ oval_config_file_exists_test(sshd_main_config, rule_id=rule_id) }}}
+  {{{ oval_config_file_exists_object(sshd_main_config, rule_id=rule_id) }}}
+  {{%- endif %}}
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
   comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
     <ind:object object_ref="object_sshd_idle_timeout" />