From ff1ff4703c7c2c833bb7097624787f449ed5faf1 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 13:05:43 +0300 Subject: [PATCH 1/3] Simplify the pam_options template for sle16 - remove the special case for sle16 in OVAL, if file is missing test will FAIL --- shared/templates/pam_options/ansible.template | 8 +-- shared/templates/pam_options/bash.template | 6 +- shared/templates/pam_options/oval.template | 68 ------------------- 3 files changed, 4 insertions(+), 78 deletions(-) diff --git a/shared/templates/pam_options/ansible.template b/shared/templates/pam_options/ansible.template index 8da6a86a3fbc..fa54befe28f0 100644 --- a/shared/templates/pam_options/ansible.template +++ b/shared/templates/pam_options/ansible.template @@ -11,12 +11,8 @@ # for now. {{% if product == 'sle16' %}} -- name: Copy default /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }} to {{{ PATH }}} - ansible.builtin.copy: - src: /usr/lib/pam.d/{{ '{{{ PATH }}}' | basename }} - dest: {{{ PATH }}} - force: no - mode: '0644' +{{% set PAM_VENDOR_FILE = "/usr/lib/pam.d/" + PATH.split('/') | last %}} +{{{ ansible_copy_distro_defaults(PAM_VENDOR_FILE, PATH, rule_title=rule_title) }}} {{% endif %}} - name: Set control_flag fact diff --git a/shared/templates/pam_options/bash.template b/shared/templates/pam_options/bash.template index a3b4ca92863a..ec3c95b30124 100644 --- a/shared/templates/pam_options/bash.template +++ b/shared/templates/pam_options/bash.template @@ -10,11 +10,9 @@ declare -a ARGS=() declare -a NEW_ARGS=() declare -a DEL_ARGS=() -{{% if product == 'sle16' %}} +{{% if product in ["sle16", "slmicro6"] %}} PAM_DEFAULTS_FILE_NAME="/usr/lib/pam.d/$(basename "{{{ PATH }}}")" -if ! [ -e "{{{ PATH }}}" ] ; then - cp "${PAM_DEFAULTS_FILE_NAME}" "{{{ PATH }}}" -fi +{{{ bash_copy_distro_defaults("${PAM_DEFAULTS_FILE_NAME}", PATH) }}} {{% endif %}} {{% for arg in ARGUMENTS -%}} 
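Review bot: The product gate on the `{{% if product == 'sle16' %}}` context line above the new `ansible_copy_distro_defaults` call still covers only sle16, while the bash.template hunk in this same patch widens its gate to `{{% if product in ["sle16", "slmicro6"] %}}`, so on slmicro6 the Ansible remediation would edit the PAM file without first seeding it from the vendor default as the bash remediation now does. Unless slmicro6 intentionally has no Ansible coverage, align the condition: `{{% if product in ["sle16", "slmicro6"] %}}`. That line is context in this hunk, and the task list it guards continues past the hunk.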
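Review bot: The `{{% if product in ["sle16", "slmicro6"] %}}` gate wrapped around the `bash_copy_distro_defaults` call duplicates the check the macro performs itself (its body in 10-bash.jinja opens with the same `{{% if product in ["sle16", "slmicro6"] %}}`, visible in patch 2), so the product list is now maintained in two places. Either drop the outer gate and accept a harmless unused `PAM_DEFAULTS_FILE_NAME` assignment on other products, or keep it and add `# gate kept so PAM_DEFAULTS_FILE_NAME is only emitted where the macro acts` so the next reader does not remove one copy and not the other. Note also that if the vendor file itself is absent the `cp` inside the macro fails but, unless the generated script runs under `set -e`, execution continues into the `{{% for arg in ARGUMENTS -%}}` loop against a missing file; a `[ -e "${PAM_DEFAULTS_FILE_NAME}" ]` check before the call would make that failure explicit. The argument loop lies outside this hunk.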
diff --git a/shared/templates/pam_options/oval.template b/shared/templates/pam_options/oval.template index 9751c025adb6..89cf521f3016 100644 --- a/shared/templates/pam_options/oval.template +++ b/shared/templates/pam_options/oval.template @@ -4,37 +4,9 @@ {{% set MATCH_CONTROL_FLAG = '\S+' %}} {{% endif %}} -{{% if product == 'sle16' %}} -{{% set PAM_VENDOR_FILE = "/usr/lib/pam.d/" + PATH.split('/') | last %}} -{{% endif %}} - {{{ oval_metadata("Configure PAM module", rule_title=rule_title) }}} -{{% if product == 'sle16' %}} - - - - {{% for arg in ARGUMENTS %}} - {{% if arg['variable']|length %}} - - {{% else %}} - - {{% endif %}} - {{% endfor %}} - - - {{{ oval_config_file_exists_criterion(PATH, rule_id=rule_id) }}} - {{% for arg in ARGUMENTS %}} - {{% if arg['variable']|length %}} - - {{% else %}} - - {{% endif %}} - {{% endfor %}} - - -{{% else %}} {{% for arg in ARGUMENTS %}} {{% if arg['variable']|length %}} @@ -44,14 +16,8 @@ {{% endif %}} {{% endfor %}} -{{% endif %}} -{{% if product == 'sle16' %}} -{{{ oval_config_file_exists_test(PATH, rule_id=rule_id) }}} -{{{ oval_config_file_exists_object(PATH, rule_id=rule_id) }}} -{{% endif %}} - {{% for arg in ARGUMENTS %}} {{% if arg['variable']|length %}} {{% if arg['variable_name'] %}} 
@@ -81,22 +47,6 @@ -{{% if product == 'sle16' %}} - - - - - - - {{{ PAM_VENDOR_FILE }}} - ^\s*{{{ TYPE }}}\s+{{{ MATCH_CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s{{{ arg['variable'] }}}=(-?[a-zA-Z0-9]+)(?:\s+.*)? - 1 - -{{% endif %}} - - {{% else %}} 1 - -{{% if product == 'sle16' %}} - - - - - - {{{ PAM_VENDOR_FILE }}} -{{% if arg['argument_match']|length %}} - ^\s*{{{ TYPE }}}(?:(?!\n)\s)+{{{ MATCH_CONTROL_FLAG }}}(?:(?!\n)\s)+{{{ MODULE }}}((?!\n)\s[^\n]+)?(?!\n)\s+{{{ arg['argument'] }}}={{{ arg['argument_match'] }}}((\s+\S+)*\s*\\*\s*)$ -{{% else %}} - ^\s*{{{ TYPE }}}(?:(?!\n)\s)+{{{ MATCH_CONTROL_FLAG }}}(?:(?!\n)\s)+{{{ MODULE }}}((?!\n)\s[^\n]+)?(?!\n)\s+{{{ arg['argument'] }}}((\s+\S+)*\s*\\*\s*)$ -{{% endif %}} - 1 - -{{% endif %}} {{% endif %}} {{% endfor %}} From e55d92f2ba4fa5a5b55876d261de1ad3b9fb1f31 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 13:09:11 +0300 Subject: [PATCH 2/3] add preserve option when copy distro defaults to /etc for bash and ansible --- shared/macros/10-ansible.jinja | 2 +- shared/macros/10-bash.jinja | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 4ef924893f5f..a740bd51d488 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -2555,7 +2555,7 @@ copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist src: {{{ source }}} dest: {{{ destination }}} force: no - mode: '0600' + mode: 'preserve' remote_src: yes {{%- endmacro %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 49ad72ecbb40..5fa5c8f0618b 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2595,6 +2595,7 @@ if [ -e "{{{ pam_file }}}" ] ; then else echo "{{{ pam_file }}} was not found" >&2 fi + {{%- endmacro -%}} 
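Review bot: `mode: 'preserve'` makes the destination inherit whatever permission bits the vendor copy carries, so the macro no longer guarantees 0600 for callers such as the sshd_config case its own doc line at 2555 describes. If any caller relied on the old hard-coded mode, a separate permission rule must now enforce it, or the mode should become a macro argument, e.g. `mode: '{{{ mode }}}'` with a `mode='preserve'` default on the macro signature, which lies outside this hunk. At minimum the macro docstring should state that the copied file keeps the source's permissions rather than a fixed mode.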
@@ -2837,9 +2838,9 @@ chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} #}} {{% macro bash_copy_distro_defaults(source, destination) -%}} -{{% if product in ["sle16", "slmicro6"] %}} +{{% if product in ["sle16", "slmicro6"] %}} if ! [ -e "{{{ destination }}}" ] ; then - cp "{{{ source }}}" "{{{ destination }}}" + cp -p "{{{ source }}}" "{{{ destination }}}" fi {{% endif %}} {{%- endmacro %}} From 771f554e0fbcb73e55cf0d5466296b87c2d64ac9 Mon Sep 17 00:00:00 2001 
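Review bot: `cp -p` preserves mode, ownership and timestamps, whereas the Ansible counterpart changed in this patch uses `mode: 'preserve'`, which applies only to the permission bits, so the two remediations can diverge when the vendor file is not owned by the invoking user. If parity matters, `cp --preserve=mode "{{{ source }}}" "{{{ destination }}}"` (GNU coreutils) is the closer equivalent; otherwise a one-line comment above the copy saying why full attribute preservation is wanted would help. The `-`/`+` pair on the `{{% if product in ["sle16", "slmicro6"] %}}` line reads as identical here, presumably a trailing-whitespace change; mentioning that in the commit message would save reviewers hunting for a difference.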
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 13:16:57 +0300 Subject: [PATCH 3/3] Fixed tests to match latest behaviour in pam_options - Fix tests for use_pam_wheel_group_for_su and set_password_hashing_algorithm_commonauth - Add test for accounts_password_pam_pwhistory_remember --- .../tests/common_password_authok_missing.fail.sh | 6 ++++++ .../tests/common_password_correct_value.pass.sh | 6 ++++++ .../tests/common_password_greater_value.pass.sh | 6 ++++++ .../tests/common_password_less_value.fail.sh | 6 ++++++ .../tests/common_password_missing.fail.sh | 7 +++++++ .../tests/common_password_remember_missing.fail.sh | 6 ++++++ .../tests/common-auth-missing.fail.sh | 6 ++++++ .../tests/common-auth.pam_unix_not_sha512.fail.sh | 4 ++-- ...fail.sh => common-auth.pam_unix_not_sufficient.fail.sh} | 2 +- .../tests/common-auth.pass.sh | 4 ++-- .../tests/line_not_there.fail.sh | 4 ++++ 11 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_authok_missing.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_greater_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_less_value.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_missing.fail.sh create mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_remember_missing.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth-missing.fail.sh rename linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/{common-auth.pam_unix_not_required.fail.sh => common-auth.pam_unix_not_sufficient.fail.sh} (59%) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_authok_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_authok_missing.fail.sh new file mode 100644 index 000000000000..57ba80fda554 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_authok_missing.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_sle +# packages = pam +# variables = var_password_pam_remember=4 + +echo "password requisite pam_pwhistory.so remember=4" > /etc/pam.d/common-password diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_correct_value.pass.sh new file mode 100644 index 000000000000..8a860dec450c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_correct_value.pass.sh 
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_sle
+# packages = pam
+# variables = var_password_pam_remember=4
+
+echo "password requisite pam_pwhistory.so remember=4 use_authtok" > /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_greater_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_greater_value.pass.sh
new file mode 100644
index 000000000000..a824cc4f2d12
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_greater_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_sle
+# packages = pam
+# variables = var_password_pam_remember=4
+
+echo "password requisite pam_pwhistory.so remember=10 use_authtok" > /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_less_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_less_value.fail.sh
new file mode 100644
index 000000000000..1a1a85117d86
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_less_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_sle
+# packages = pam
+# variables = var_password_pam_remember=4
+
+echo "password requisite pam_pwhistory.so remember=1 use_authtok" > /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_missing.fail.sh
new file mode 100644
index 000000000000..f599292b836c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# packages = pam
+
+if [ -e "/etc/pam.d/common-password" ] ; then
+ rm "/etc/pam.d/common-password"
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_remember_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_remember_missing.fail.sh
new file mode 100644
index 000000000000..69464b5db000
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/common_password_remember_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_sle
+# packages = pam
+# variables = var_password_pam_remember=4
+
+echo "password requisite pam_pwhistory.so use_authtok" > /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth-missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth-missing.fail.sh
new file mode 100644
index 000000000000..d72b296fd04e
--- /dev/null
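Review bot: `if [ -e "/etc/pam.d/common-password" ] ; then rm ...; fi` in common_password_missing.fail.sh does not remove a dangling symlink, because `-e` follows the link and reports false, so on a host where the path is a broken link the intended missing-file state is never reached and the test fails for the wrong reason. `rm -f "/etc/pam.d/common-password"` covers the regular-file, symlink and already-absent cases in one line. The same pattern appears in common-auth-missing.fail.sh later in this series.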
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth-missing.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 + +if [ -e "/etc/pam.d/common-auth" ] ; then + rm "/etc/pam.d/common-auth" +fi diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh index 783e038cef8e..dea2666d2a4d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = SUSE Linux Enterprise 15 +# platform = SUSE Linux Enterprise 15, SUSE Linux Enterprise 16 -echo "auth required pam_unix.so try_first_pass" > /etc/pam.d/common-auth +echo "auth sufficient pam_unix.so try_first_pass" > /etc/pam.d/common-auth 
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sufficient.fail.sh similarity index 59% rename from linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh rename to linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sufficient.fail.sh index 3a8ec66a07d8..86d38fbdf108 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sufficient.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash -# platform = SUSE Linux Enterprise 15 +# platform = SUSE Linux Enterprise 15, SUSE Linux Enterprise 16 echo "auth optional pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh index 273189d6a9d8..b7eb97585b3b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh 
@@ -1,4 +1,4 @@ #!/bin/bash -# platform = SUSE Linux Enterprise 15 +# platform = SUSE Linux Enterprise 15, SUSE Linux Enterprise 16 -echo "auth required pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth +echo "auth sufficient pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh index 22103e143e61..1334d633e31a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/tests/line_not_there.fail.sh @@ -1,5 +1,9 @@ #!/bin/bash # variables = var_pam_wheel_group_for_su=sugroup +{{% if product in ["sle16", "slmicro6"] %}} +touch /etc/pam.d/su +{{% endif %}} + #clean possible lines sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' /etc/pam.d/su
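Review bot: On sle16/slmicro6 the added `touch /etc/pam.d/su` leaves an empty service file, which lets the following `sed -Ei` succeed but puts the system in a state the product does not ship: if this rule uses the pam_options template, as the commit message suggests, the vendor-default copy from patch 1 is skipped because the file now exists, and the pam_wheel line is appended to an otherwise empty stack. Seeding the file from the vendor default instead, mirroring bash.template's `/usr/lib/pam.d/$(basename ...)` pattern with `cp -p` guarded by `[ ! -e /etc/pam.d/su ]`, would exercise the realistic "file exists but line missing" case; if the empty-file case is intended, a comment above the `touch` saying so would settle the question. The rest of the test continues below the hunk.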