From 6ad26f8dc172b5a025fd0384d0f481306233643e Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz <alexandre.skrzyniarz@laposte.net>
Date: Wed, 3 Apr 2024 12:16:31 +0200
Subject: [PATCH] rewrite accounts_passwords_pam_faillock_deny rule to use
 pam_account_password_faillock template

---
 .../ansible/shared.yml                        |   7 -
 .../bash/shared.sh                            |   6 -
 .../oval/debian.xml                           |   1 -
 .../oval/openeuler.xml                        | 291 ------------------
 .../oval/shared.xml                           | 291 ------------------
 .../oval/ubuntu.xml                           | 201 ------------
 .../rule.yml                                  |  11 +
 7 files changed, 11 insertions(+), 797 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
 delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
deleted file mode 100644
index 8ab749d4f7c3..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("deny", "var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
deleted file mode 100644
index b30f58f3f882..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_all
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
deleted file mode 120000
index 70f08ba8db12..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
deleted file mode 100644
index 0abb80d8d5de..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
+++ /dev/null
@@ -1,291 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="5">
-    {{{ oval_metadata("Lockout account after failed login attempts") }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criteria operator="AND"
-                  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of system-auth"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of password-auth"/>
-        </criteria>
-
-        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
-             available. Also, is the option used by auselect tool. However, regardless the
-             approach, a minimal declaration is common in pam files. -->
-        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of password-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of password-auth"/>
-        </criteria>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on it -->
-      <criteria operator="OR" comment="Check expected value for pam_faillock.so deny parameter">
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so deny parameter in pam files">
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-                comment="Check the deny parameter in auth section of system-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-                comment="Check the deny parameter in auth section of password-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
-                comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-        </criteria>
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so deny parameter in faillock.conf">
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
-                comment="Check the deny parameter is not present system-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
-                comment="Check the deny parameter is not present password-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-                comment="Ensure the deny parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^[\s]*auth\N+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify pam_faillock.so deny entry in auth section of pam files">
-    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify deny entry in /etc/security/faillock.conf">
-    <value>^[\s]*deny[\s]*=[\s]*([0-9]+)</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
-    <!-- It is not expected to find a second instance of this pattern -->
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="var_accounts_passwords_pam_faillock_deny" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound">
-    <ind:subexpression datatype="int" operation="less than or equal"
-                       var_ref="var_accounts_passwords_pam_faillock_deny"/>
-  </ind:textfilecontent54_state>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-  </ind:textfilecontent54_state>
-
-  <!-- Check the pam_faillock.so deny parameter in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-        comment="Get the pam_faillock.so deny parameter from system-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-        comment="Check the expected deny value in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
-        comment="Check the absence of deny parameter in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check the pam_faillock.so deny parameter in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-        comment="Get the pam_faillock.so deny parameter from password-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-        comment="Check the expected deny value in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
-        comment="Check the absence of deny parameter in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check pam_faillock.so deny parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-        comment="Check the expected deny value in in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
-        comment="Check the absence of deny parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
deleted file mode 100644
index 4c3b56ba06c2..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
+++ /dev/null
@@ -1,291 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="5">
-    {{{ oval_metadata("Lockout account after failed login attempts") }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criteria operator="AND"
-                  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of system-auth"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of password-auth"/>
-        </criteria>
-
-        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
-             available. Also, is the option used by auselect tool. However, regardless the
-             approach, a minimal declaration is common in pam files. -->
-        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of password-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of password-auth"/>
-        </criteria>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on it -->
-      <criteria operator="OR" comment="Check expected value for pam_faillock.so deny parameter">
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so deny parameter in pam files">
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-                comment="Check the deny parameter in auth section of system-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-                comment="Check the deny parameter in auth section of password-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
-                comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-        </criteria>
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so deny parameter in faillock.conf">
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
-                comment="Check the deny parameter is not present system-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
-                comment="Check the deny parameter is not present password-auth file"/>
-          <criterion
-                test_ref="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-                comment="Ensure the deny parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^[\s]*auth\N+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify pam_faillock.so deny entry in auth section of pam files">
-    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify deny entry in /etc/security/faillock.conf">
-    <value>^[\s]*deny[\s]*=[\s]*([0-9]+)</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
-    <!-- It is not expected to find a second instance of this pattern -->
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="var_accounts_passwords_pam_faillock_deny" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound">
-    <ind:subexpression datatype="int" operation="less than or equal"
-                       var_ref="var_accounts_passwords_pam_faillock_deny"/>
-  </ind:textfilecontent54_state>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-  </ind:textfilecontent54_state>
-
-  <!-- Check the pam_faillock.so deny parameter in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-        comment="Get the pam_faillock.so deny parameter from system-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_system"
-        comment="Check the expected deny value in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system"
-        comment="Check the absence of deny parameter in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_system"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check the pam_faillock.so deny parameter in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-        comment="Get the pam_faillock.so deny parameter from password-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_pamd_password"
-        comment="Check the expected deny value in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password"
-        comment="Check the absence of deny parameter in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_pamd_password"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check pam_faillock.so deny parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_deny_faillock_conf_deny_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
-        comment="Check the expected deny value in in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf"
-        comment="Check the absence of deny parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
deleted file mode 100644
index 443a85b29346..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
+++ /dev/null
@@ -1,201 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "deny" %}}
-{{% set prm_regex_conf = "^[\s]*deny[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_deny" %}}
-{{% set description = "Lockout account after failed login attempts." %}}
-
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="2">
-    {{{ oval_metadata(description) }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-            comment="pam_unix.so appears only once in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-            comment="pam_faillock.so is properly defined in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-            comment="pam_faillock.so is properly defined in common-account"/>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. -->
-      <criteria operator="OR" comment="Check expected value for pam_faillock.so {{{ prm_name }}} parameter">
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in pam files">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is not present in /etc/security/faillock.conf"/>
-        </criteria>
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in faillock.conf">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is not present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^\s*auth.*pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-      <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so {{{ prm_name }}} entry in auth section of pam files">
-    <value>{{{ prm_regex_pamd }}}</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify {{{ prm_name }}} entry in /etc/security/faillock.conf">
-    <value>{{{ prm_regex_conf }}}</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of common-auth file -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check common definition of pam_faillock.so in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of common-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check common definition of pam_faillock.so in common-account -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="One and only one occurrence is expected in common-account">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of common-account">
-    <ind:filepath>/etc/pam.d/common-account</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="{{{ ext_variable }}}" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_upper_bound">
-    <ind:subexpression datatype="int" operation="less than or equal"
-          var_ref="{{{ ext_variable }}}"/>
-  </ind:textfilecontent54_state>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-  </ind:textfilecontent54_state>
-
-  <!-- Check absence of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-        comment="Check the absence of {{{ prm_name }}} parameter in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Check the expected {{{ prm_name }}} value in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Get the pam_faillock.so {{{ prm_name }}} parameter from common-auth file">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- Check absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-        comment="Check the absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-        comment="Check the expected {{{ prm_name }}} value in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_upper_bound"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index eeb26a045b79..dd724d1625d9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -129,3 +129,14 @@ warnings:
 
 srg_requirement: |-
     {{{ full_name }}} must automatically lock an account when three unsuccessful logon attempts occur.
+
+template:
+  name: pam_account_password_faillock
+  vars:
+    prm_name: deny
+    prm_regex_conf: ^[\s]*deny[\s]*=[\s]*([0-9]+)
+    prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
+    ext_variable: var_accounts_passwords_pam_faillock_deny
+    description: Lockout account after failed login attempts.
+    variable_upper_bound: use_ext_variable
+    variable_lower_bound: 0