From f5250601f32ce6feb7e64e1b063914043c9a1220 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz <alexandre.skrzyniarz@laposte.net>
Date: Thu, 4 Apr 2024 18:01:17 +0200
Subject: [PATCH] add an account_password_pam_faillock template

rewrite accounts_passwords_pam_faillock_interval and
accounts_passwords_pam_faillock_unlock_time to use this new template.
---
 .../ansible/shared.yml                        |   7 -
 .../bash/shared.sh                            |   6 -
 .../oval/debian.xml                           |   1 -
 .../oval/shared.xml                           | 285 ----------------
 .../oval/ubuntu.xml                           | 195 -----------
 .../rule.yml                                  |  10 +
 .../ansible/shared.yml                        |   7 -
 .../bash/shared.sh                            |   6 -
 .../oval/debian.xml                           |   1 -
 .../oval/openeuler.xml                        | 285 ----------------
 .../oval/shared.xml                           | 285 ----------------
 .../oval/ubuntu.xml                           | 195 -----------
 .../rule.yml                                  |  10 +
 .../ansible.template                          |   7 +
 .../bash.template                             |   6 +
 .../oval.template                             | 315 ++++++++++++++++++
 .../template.yml                              |   4 +
 .../tests/authselect_modified_pam.fail.sh     |  12 +
 .../conflicting_settings_authselect.fail.sh   |  30 ++
 .../pam_faillock_conflicting_settings.fail.sh |  16 +
 .../tests/pam_faillock_disabled.fail.sh       |  15 +
 ...am_faillock_expected_faillock_conf.pass.sh |  10 +
 .../pam_faillock_expected_pam_files.pass.sh   |   6 +
 ...pam_faillock_lenient_faillock_conf.fail.sh |  10 +
 .../pam_faillock_lenient_pam_files.fail.sh    |   6 +
 ...ck_multiple_pam_unix_faillock_conf.fail.sh |  18 +
 ...illock_multiple_pam_unix_pam_files.fail.sh |  12 +
 ...am_faillock_not_required_pam_files.fail.sh |  24 ++
 ...am_faillock_stricter_faillock_conf.pass.sh |  10 +
 .../pam_faillock_stricter_pam_files.pass.sh   |   6 +
 .../tests/ubuntu_commented_values.fail.sh     |   9 +
 .../tests/ubuntu_common.sh                    |  50 +++
 .../tests/ubuntu_correct.pass.sh              |   6 +
 .../tests/ubuntu_correct_pamd.pass.sh         |   7 +
 .../tests/ubuntu_empty_faillock_conf.fail.sh  |   8 +
 .../tests/ubuntu_missing_pamd.fail.sh         |   9 +
 .../tests/ubuntu_multiple_pam_unix.fail.sh    |  11 +
 .../tests/ubuntu_wrong_value.fail.sh          |   6 +
 38 files changed, 633 insertions(+), 1273 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
 delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
 delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml
 create mode 100644 shared/templates/pam_account_password_faillock/ansible.template
 create mode 100644 shared/templates/pam_account_password_faillock/bash.template
 create mode 100644 shared/templates/pam_account_password_faillock/oval.template
 create mode 100644 shared/templates/pam_account_password_faillock/template.yml
 create mode 100644 shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
 create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
deleted file mode 100644
index 039fc5191822..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("fail_interval", "var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
deleted file mode 100644
index 289690e3d525..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_all
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml
deleted file mode 120000
index 70f08ba8db12..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
deleted file mode 100644
index 1e22214cf84d..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="3">
-    {{{ oval_metadata("The number of allowed failed logins should be set correctly.") }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criteria operator="AND"
-                  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of system-auth"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of password-auth"/>
-        </criteria>
-
-        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
-             available. Also, is the option used by auselect tool. However, regardless the
-             approach, a minimal declaration is common in pam files. -->
-        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of password-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of password-auth"/>
-        </criteria>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on this file
-      -->
-      <criteria operator="OR"
-                comment="Check expected value for pam_faillock.so fail_interval parameter">
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so fail_interval parameter in pam files">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_pamd_system"
-              comment="Check the fail_interval parameter in auth section of system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_pamd_password"
-              comment="Check the fail_interval parameter in auth section of password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-        </criteria>
-        <criteria operator="AND"
-              comment="Check expected pam_faillock.so fail_interval parameter in faillock.conf">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system"
-              comment="Check the fail_interval parameter is not present system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password"
-              comment="Check the fail_interval parameter is not present password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf"
-          comment="Ensure the fail_interval parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_interval_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^[\s]*auth\N+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_interval_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_interval_pam_faillock_fail_interval_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so fail_interval entry in auth section of pam files">
-    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_interval_faillock_conf_fail_interval_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify fail_interval entry in /etc/security/faillock.conf">
-    <value>^[\s]*fail_interval[\s]*=[\s]*([0-9]+)</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_unix_regex"/>
-    <!-- It is not expected to find a second instance of this pattern -->
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="var_accounts_passwords_pam_faillock_fail_interval" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_interval_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than or equal"
-                       var_ref="var_accounts_passwords_pam_faillock_fail_interval"/>
-  </ind:textfilecontent54_state>
-
-  <!-- Check the pam_faillock.so fail_interval parameter in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_parameter_pamd_system"
-        comment="Get the pam_faillock.so fail_interval parameter from system-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_fail_interval_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_pamd_system"
-        comment="Check the expected fail_interval value in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_pamd_system"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_interval_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system"
-        comment="Check the absence of fail_interval parameter in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_pamd_system"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check the pam_faillock.so fail_interval parameter in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_interval_parameter_pamd_password"
-        comment="Get the pam_faillock.so fail_interval parameter from password-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_fail_interval_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_pamd_password"
-        comment="Check the expected fail_interval value in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_pamd_password"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_interval_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password"
-        comment="Check the absence of fail_interval parameter in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_pamd_password"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check pam_faillock.so fail_interval parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so fail_interval parameter in /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_interval_faillock_conf_fail_interval_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf"
-        comment="Check the expected fail_interval value in in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_interval_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf"
-        comment="Check the absence of fail_interval parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
deleted file mode 100644
index 02a8568e010f..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
+++ /dev/null
@@ -1,195 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "fail_interval" %}}
-{{% set prm_regex_conf = "^[\s]*fail_interval[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_fail_interval" %}}
-{{% set description = "The number of allowed failed logins should be set correctly." %}}
-
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="4">
-    {{{ oval_metadata(description) }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-            comment="pam_unix.so appears only once in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-            comment="pam_faillock.so is properly defined in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-            comment="pam_faillock.so is properly defined in common-account"/>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. -->
-      <criteria operator="OR" comment="Check expected value for pam_faillock.so {{{ prm_name }}} parameter">
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in pam files">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is not present in /etc/security/faillock.conf"/>
-        </criteria>
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in faillock.conf">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is not present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^\s*auth.*pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-      <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so {{{ prm_name }}} entry in auth section of pam files">
-    <value>{{{ prm_regex_pamd }}}</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify {{{ prm_name }}} entry in /etc/security/faillock.conf">
-    <value>{{{ prm_regex_conf }}}</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of common-auth file -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check common definition of pam_faillock.so in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of common-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check common definition of pam_faillock.so in common-account -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="One and only one occurrence is expected in common-account">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of common-account">
-    <ind:filepath>/etc/pam.d/common-account</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="{{{ ext_variable }}}" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than or equal"
-          var_ref="{{{ ext_variable }}}"/>
-  </ind:textfilecontent54_state>
-
-
-  <!-- Check absence of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-        comment="Check the absence of {{{ prm_name }}} parameter in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Check the expected {{{ prm_name }}} value in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Get the pam_faillock.so {{{ prm_name }}} parameter from common-auth file">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- Check absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-        comment="Check the absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-        comment="Check the expected {{{ prm_name }}} value in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index e4bd615121e1..7d785f2d9a34 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -120,3 +120,13 @@ warnings:
         be shown in the remediation report.
         If the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock
         parameters should be defined in <tt>faillock.conf</tt> file.
+
+template:
+  name: pam_account_password_faillock
+  vars:
+    prm_name: fail_interval
+    prm_regex_conf: ^[\s]*fail_interval[\s]*=[\s]*([0-9]+)
+    prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
+    ext_variable: var_accounts_passwords_pam_faillock_fail_interval
+    description: The number of allowed failed logins should be set correctly.
+    variable_lower_bound: use_ext_variable
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
deleted file mode 100644
index 230ff5eaa3dd..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("unlock_time", "var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
deleted file mode 100644
index 51ef7f323473..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_all
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml
deleted file mode 120000
index 70f08ba8db12..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
deleted file mode 100644
index 94c1ecaa55cb..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="3">
-    {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criteria operator="AND"
-                  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of system-auth"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of password-auth"/>
-        </criteria>
-
-        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
-             available. Also, is the option used by auselect tool. However, regardless the
-             approach, a minimal declaration is common in pam files. -->
-        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of password-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of password-auth"/>
-        </criteria>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on this file
-      -->
-      <criteria operator="OR"
-                comment="Check expected value for pam_faillock.so unlock_time parameter">
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so unlock_time parameter in pam files">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-              comment="Check the unlock_time parameter in auth section of system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-              comment="Check the unlock_time parameter in auth section of password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-        </criteria>
-        <criteria operator="AND"
-              comment="Check expected pam_faillock.so unlock_time parameter in faillock.conf">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
-              comment="Check the unlock_time parameter is not present system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
-              comment="Check the unlock_time parameter is not present password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-          comment="Ensure the unlock_time parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^[\s]*auth\N+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so unlock_time entry in auth section of pam files">
-    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify unlock_time entry in /etc/security/faillock.conf">
-    <value>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
-    <!-- It is not expected to find a second instance of this pattern -->
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="var_accounts_passwords_pam_faillock_unlock_time" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than or equal"
-                       var_ref="var_accounts_passwords_pam_faillock_unlock_time"/>
-  </ind:textfilecontent54_state>
-
-  <!-- Check the pam_faillock.so unlock_time parameter in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-        comment="Get the pam_faillock.so unlock_time parameter from system-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-        comment="Check the expected unlock_time value in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
-        comment="Check the absence of unlock_time parameter in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check the pam_faillock.so unlock_time parameter in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-        comment="Get the pam_faillock.so unlock_time parameter from password-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-        comment="Check the expected unlock_time value in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
-        comment="Check the absence of unlock_time parameter in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check pam_faillock.so unlock_time parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-        comment="Check the expected unlock_time value in in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
-        comment="Check the absence of unlock_time parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
deleted file mode 100644
index 5dd850d8caf6..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="3">
-    {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criteria operator="AND"
-                  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of system-auth"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-                     comment="pam_unix.so appears only once in auth section of password-auth"/>
-        </criteria>
-
-        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
-             versions, in /etc/security/faillock.conf. The last is the recommended option when
-             available. Also, is the option used by auselect tool. However, regardless the
-             approach, a minimal declaration is common in pam files. -->
-        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of system-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-              comment="pam_faillock.so is properly defined in auth section of password-auth"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-              comment="pam_faillock.so is properly defined in account section of password-auth"/>
-        </criteria>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. Note
-           that if faillock.conf is available, authselect tool only manage parameters on this file
-      -->
-      <criteria operator="OR"
-                comment="Check expected value for pam_faillock.so unlock_time parameter">
-        <criteria operator="AND"
-                  comment="Check expected pam_faillock.so unlock_time parameter in pam files">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-              comment="Check the unlock_time parameter in auth section of system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-              comment="Check the unlock_time parameter in auth section of password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
-              comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-        </criteria>
-        <criteria operator="AND"
-              comment="Check expected pam_faillock.so unlock_time parameter in faillock.conf">
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
-              comment="Check the unlock_time parameter is not present system-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
-              comment="Check the unlock_time parameter is not present password-auth file"/>
-          <criterion
-              test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-          comment="Ensure the unlock_time parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^[\s]*auth\N+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so unlock_time entry in auth section of pam files">
-    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify unlock_time entry in /etc/security/faillock.conf">
-    <value>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of system-auth file -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
-    <!-- It is not expected to find a second instance of this pattern -->
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check occurrences of pam_unix.so in auth section in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of system-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of system-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check common definition of pam_faillock.so in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of password-auth">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"
-        comment="One and only one occurrence is expected in auth section of password-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="var_accounts_passwords_pam_faillock_unlock_time" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than or equal"
-                       var_ref="var_accounts_passwords_pam_faillock_unlock_time"/>
-  </ind:textfilecontent54_state>
-
-  <!-- Check the pam_faillock.so unlock_time parameter in system-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-        comment="Get the pam_faillock.so unlock_time parameter from system-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/system-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"
-        comment="Check the expected unlock_time value in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system"
-        comment="Check the absence of unlock_time parameter in system-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check the pam_faillock.so unlock_time parameter in password-auth -->
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-        comment="Get the pam_faillock.so unlock_time parameter from password-auth file">
-    <ind:filepath operation="pattern match">^/etc/pam.d/password-auth$</ind:filepath>
-    <ind:pattern operation="pattern match"
-            var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"
-        comment="Check the expected unlock_time value in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password"
-        comment="Check the absence of unlock_time parameter in password-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check pam_faillock.so unlock_time parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">
-    <ind:filepath operation="pattern match">^/etc/security/faillock.conf$</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_unlock_time_faillock_conf_unlock_time_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
-        comment="Check the expected unlock_time value in in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf"
-        comment="Check the absence of unlock_time parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml
deleted file mode 100644
index 6f90a6e6a5f2..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml
+++ /dev/null
@@ -1,195 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "unlock_time" %}}
-{{% set prm_regex_conf = "^[\s]*unlock_time[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_unlock_time" %}}
-{{% set description = "The unlock time after number of failed logins should be set correctly." %}}
-
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="4">
-    {{{ oval_metadata(description) }}}
-    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
-      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
-        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
-             as reference for the correct position of pam_faillock.so in auth section. If the
-             system is properly configured, it must appear only once in auth section. -->
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-            comment="pam_unix.so appears only once in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-            comment="pam_faillock.so is properly defined in auth section of common-auth"/>
-        <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-            comment="pam_faillock.so is properly defined in common-account"/>
-      </criteria>
-
-      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
-           possible. But due to backwards compatibility, they are also allowed in pam files
-           directly. In case they are defined in both places, pam files have precedence and this
-           may confuse the assessment. The following tests ensure only one option is used. -->
-      <criteria operator="OR" comment="Check expected value for pam_faillock.so {{{ prm_name }}} parameter">
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in pam files">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is not present in /etc/security/faillock.conf"/>
-        </criteria>
-        <criteria operator="AND"
-            comment="Check expected pam_faillock.so {{{ prm_name }}} parameter in faillock.conf">
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-              comment="Check the {{{ prm_name }}} parameter is not present common-auth file"/>
-          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-              comment="Ensure the {{{ prm_name }}} parameter is present in /etc/security/faillock.conf"/>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- The following tests demand complex regex which are necessary more than once.
-       These variables make simpler the usage of regex patterns. -->
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_unix.so in auth section of pam files">
-    <value>^\s*auth.*pam_unix\.so</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entries in auth section of pam files">
-      <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
-  </constant_variable>
-
-  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"
-                datatype="string" version="1"
-                comment="regex to identify pam_faillock.so entry in account section of pam files">
-    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
-  </constant_variable>
-
-  <constant_variable
-    id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"
-    datatype="string" version="1"
-    comment="regex to identify pam_faillock.so {{{ prm_name }}} entry in auth section of pam files">
-    <value>{{{ prm_regex_pamd }}}</value>
-  </constant_variable>
-
-  <constant_variable
-              id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"
-              datatype="string" version="1"
-              comment="regex to identify {{{ prm_name }}} entry in /etc/security/faillock.conf">
-    <value>{{{ prm_regex_conf }}}</value>
-  </constant_variable>
-
-  <!-- Check occurrences of pam_unix.so in auth section of common-auth file -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="No more than one pam_unix.so is expected in auth section of common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_unix_auth"
-        comment="Get the second and subsequent occurrences of pam_unix.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_unix_regex"/>
-    <ind:instance datatype="int" operation="greater than">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check common definition of pam_faillock.so in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="One and only one occurrence is expected in auth section of common-auth">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_auth"
-        comment="Check common definition of pam_faillock.so in auth section of common-auth">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Check account definition of pam_faillock.so in common-account -->
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="One and only one occurrence is expected in common-account">
-    <ind:object
-        object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_common_pam_faillock_account"
-        comment="Check common definition of pam_faillock.so in account section of common-account">
-    <ind:filepath>/etc/pam.d/common-account</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- boundaries to test the parameter value -->
-  <!-- Specify the required external variable & create corresponding state from it -->
-  <external_variable id="{{{ ext_variable }}}" datatype="int"
-                     comment="number of failed login attempts allowed" version="1"/>
-
-  <ind:textfilecontent54_state version="1"
-        id="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound">
-    <ind:subexpression datatype="int" operation="greater than or equal"
-          var_ref="{{{ ext_variable }}}"/>
-  </ind:textfilecontent54_state>
-
-
-  <!-- Check absence of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_pamd_common"
-        comment="Check the absence of {{{ prm_name }}} parameter in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in common-auth -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Check the expected {{{ prm_name }}} value in common-auth">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-        id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_pamd_common"
-        comment="Get the pam_faillock.so {{{ prm_name }}} parameter from common-auth file">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-
-  <!-- Check absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_no_faillock_conf"
-        comment="Check the absence of {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-  </ind:textfilecontent54_test>
-
-  <!-- Check expected value of {{{ prm_name }}} parameter in /etc/security/faillock.conf -->
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
-        id="test_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-        comment="Check the expected {{{ prm_name }}} value in /etc/security/faillock.conf">
-    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"/>
-    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_lower_bound"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object version="1"
-      id="object_accounts_passwords_pam_faillock_{{{ prm_name }}}_parameter_faillock_conf"
-      comment="Check the expected pam_faillock.so {{{ prm_name }}} parameter in /etc/security/faillock.conf">
-    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
-    <ind:pattern operation="pattern match"
-          var_ref="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_faillock_conf_{{{ prm_name }}}_parameter_regex"/>
-    <ind:instance datatype="int" operation="equals">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index ea9414e6b078..e20bb698663b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -127,3 +127,13 @@ warnings:
         be shown in the remediation report.
         If the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock
         parameters should be defined in <tt>faillock.conf</tt> file.
+
+template:
+  name: pam_account_password_faillock
+  vars:
+    prm_name: unlock_time
+    prm_regex_conf: ^[\s]*unlock_time[\s]*=[\s]*([0-9]+)
+    prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
+    ext_variable: var_accounts_passwords_pam_faillock_unlock_time
+    description: The unlock time after number of failed logins should be set correctly.
+    variable_lower_bound: use_ext_variable
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
new file mode 100644
index 000000000000..5e1161920e57
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/ansible.template
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_pam_faillock_enable() }}}
+{{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE) }}}
diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template
new file mode 100644
index 000000000000..e46c3b851976
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/bash.template
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+
+{{{ bash_instantiate_variables(EXT_VARIABLE) }}}
+
+{{{ bash_pam_faillock_enable() }}}
+{{{ bash_pam_faillock_parameter_value(PRM_NAME, '$'+EXT_VARIABLE) }}}
diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template
new file mode 100644
index 000000000000..928876ee53ad
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/oval.template
@@ -0,0 +1,315 @@
+<def-group>
+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="6">
+    {{{ oval_metadata(DESCRIPTION) }}}
+    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+      <criteria operator="OR" comment="Check if pam_faillock.so is properly enabled">
+        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+             as reference for the correct position of pam_faillock.so in auth section. If the
+             system is properly configured, it must appear only once in auth section. -->
+	<criteria operator="AND" comment="Redhat family checks">
+	  <criteria operator="AND"
+		    comment="Count occurrences of pam_unix.so in system-auth and password-auth">
+	    <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_system_pam_unix_auth"
+		       comment="pam_unix.so appears only once in auth section of system-auth"/>
+	    <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_password_pam_unix_auth"
+                       comment="pam_unix.so appears only once in auth section of password-auth"/>
+	  </criteria>
+
+	  <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
+               versions, in /etc/security/faillock.conf. The last is the recommended option when
+               available. Also, is the option used by auselect tool. However, regardless the
+               approach, a minimal declaration is common in pam files. -->
+          <criteria operator="AND" comment="Check common definition of pam_faillock.so">
+            <criterion
+		test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_system_pam_faillock_auth"
+		comment="pam_faillock.so is properly defined in auth section of system-auth"/>
+            <criterion
+		test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_system_pam_faillock_account"
+		comment="pam_faillock.so is properly defined in account section of system-auth"/>
+            <criterion
+		test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_password_pam_faillock_auth"
+		comment="pam_faillock.so is properly defined in auth section of password-auth"/>
+            <criterion
+		test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_password_pam_faillock_account"
+		comment="pam_faillock.so is properly defined in account section of password-auth"/>
+          </criteria>
+	</criteria>
+
+	<!-- debian family -->
+	<criteria operator="AND" comment="Debian family checks">
+	  <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_common_pam_unix_auth"
+		     comment="pam_unix.so appears only once in auth section of common-auth"/>
+          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_common_pam_faillock_auth"
+		     comment="pam_faillock.so is properly defined in auth section of common-auth"/>
+          <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_common_pam_faillock_account"
+		     comment="pam_faillock.so is properly defined in common-account"/>
+	</criteria>
+      </criteria>
+
+      <!-- pam_faillock.so parameters should be defined in /etc/security/faillock.conf whenever
+           possible. But due to backwards compatibility, they are also allowed in pam files
+           directly. In case they are defined in both places, pam files have precedence and this
+           may confuse the assessment. The following tests ensure only one option is used. Note
+           that if faillock.conf is available, authselect tool only manage parameters on it -->
+      <criteria operator="OR" comment="Check expected value for pam_faillock.so {{{ PRM_NAME }}} parameter">
+	<criteria operator="AND"
+		  comment="Check expected pam_faillock.so {{{ PRM_NAME }}} parameter in pam files">
+	  <criteria operator="OR" comment="Redhat or Debian family">
+	    <criteria operator="AND" comment="Redhat family">
+	      <criterion
+                  test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_system"
+                  comment="Check the {{{ PRM_NAME }}} parameter in auth section of system-auth file"/>
+              <criterion
+                  test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_password"
+                  comment="Check the {{{ PRM_NAME }}} parameter in auth section of password-auth file"/>
+	    </criteria>
+	    <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_common"
+		       comment="Check the {{{ PRM_NAME }}} parameter is present common-auth file"/>
+	  </criteria>
+	  <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_faillock_conf"
+		     comment="Ensure the {{{ PRM_NAME }}} parameter is not present in /etc/security/faillock.conf"/>
+	</criteria>
+	<criteria operator="AND"
+		  comment="Check expected pam_faillock.so {{{ PRM_NAME }}} parameter in faillock.conf">
+	  <criteria operator="OR" comment="Redhat or Debian family">
+	    <criteria operator="AND" comment="Redhat family">
+	      <criterion
+                  test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_pamd_system"
+                  comment="Check the {{{ PRM_NAME }}} parameter is not present system-auth file"/>
+              <criterion
+                  test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_pamd_password"
+                  comment="Check the {{{ PRM_NAME }}} parameter is not present password-auth file"/>
+	    </criteria>
+	    <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_pamd_common"
+		       comment="Check the {{{ PRM_NAME }}} parameter is not present common-auth file"/>
+	  </criteria>
+	  <criterion test_ref="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"
+		     comment="Ensure the {{{ PRM_NAME }}} parameter is present in /etc/security/faillock.conf"/>
+	</criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- The following tests demand complex regex which are necessary more than once.
+       These variables make simpler the usage of regex patterns. -->
+  <constant_variable id="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_unix_regex"
+                     datatype="string" version="2"
+                     comment="regex to identify pam_unix.so in auth section of pam files">
+    <value>^\s*auth\N+pam_unix\.so</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_auth_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    {{% if 'debian' in product or 'ubuntu' in product %}}
+    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+    {{% elif 'openeuler' in product %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% else %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% endif %}}
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_account_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entry in account section of pam files">
+    {{% if 'debian' in product or 'ubuntu' in product %}}
+    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
+    {{% elif 'openeuler' in product %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
+    {{% else %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
+    {{% endif %}}
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_{{{ PRM_NAME }}}_parameter_regex"
+      datatype="string" version="1"
+      comment="regex to identify pam_faillock.so {{{ PRM_NAME }}} entry in auth section of pam files">
+    <value>{{{ PRM_REGEX_PAMD }}}</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_faillock_conf_{{{ PRM_NAME }}}_parameter_regex"
+      datatype="string" version="1"
+      comment="regex to identify {{{ PRM_NAME }}} entry in /etc/security/faillock.conf">
+    <value>{{{ PRM_REGEX_CONF }}}</value>
+  </constant_variable>
+  
+  {{% macro generate_test_faillock_enabled(file_stem) %}}
+  <!-- Check occurences of pam_unix.so in auth section of {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_unix_auth"
+      comment="no more that one pam_unix.so is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_unix_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_unix_auth"
+      comment="Get the second and subsequent occurrences of pam_unix.so in auth section of {{{ file_stem}}}-auth">
+    <ind:filepath>/etc/pam.d/{{{file_stem}}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_unix_regex"/>
+    <ind:instance datatype="int" operation="greater than">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_faillock_auth"
+      comment="One and only one occurrence is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME}}}_{{{ file_stem }}}_pam_faillock_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME}}}_{{{ file_stem }}}_pam_faillock_auth"
+      comment="Check common definition of pam_faillock.so in auth section of common-auth">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_auth_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_enabled (file_stem="system")   }}}
+  {{{ generate_test_faillock_enabled (file_stem="password") }}}
+  {{{ generate_test_faillock_enabled (file_stem="common")   }}}
+
+  {{% macro generate_test_faillock_account(file_stem, file) %}}
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-account -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_faillock_account"
+      comment="One and only one occurrence is expected in {{{ file }}}">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_faillock_account"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_{{{ file_stem }}}_pam_faillock_account"
+      comment="Check common definition of pam_faillock.so in account section of {{{ file }}}">
+    <ind:filepath>/etc/pam.d/{{{ file }}}</ind:filepath>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_account_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_account (file_stem="system",   file="system-auth")    }}}
+  {{{ generate_test_faillock_account (file_stem="password", file="password-auth")  }}}
+  {{{ generate_test_faillock_account (file_stem="common",   file="common-account") }}}
+
+  {{% macro generate_check_parameter_in_pam_file(file_stem) %}}
+  <!-- Check absence of {{{ PRM_NAME }}} parameter in {{{ file_stem }}}-auth -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_pamd_{{{ file_stem }}}"
+      comment="Check the absence of {{{ PRM_NAME }}} parameter in {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"/>
+  </ind:textfilecontent54_test>
+  
+  <!-- Check expected value of {{{ PRM_NAME }}} parameter in {{{ file_stem }}}-auth -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="all_exist" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"
+      comment="Check the expected {{{ PRM_NAME }}} value in {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"/>
+    {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound"/>
+    {{% endif %}}
+    {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound"/>
+    {{% endif %}}
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"
+      comment="Get the pam_faillock.so {{{ PRM_NAME }}} parameter from {{{ file_stem }}}-auth file">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_pam_faillock_{{{ PRM_NAME }}}_parameter_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  <!-- boundaries to test the parameter value -->
+  <!-- Specify the required external variable & create corresponding state from it -->
+  <external_variable id="{{{ EXT_VARIABLE }}}" datatype="int"
+                     comment="external variable to use" version="1"/>
+
+  {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+  <ind:textfilecontent54_state
+      version="1"
+      id="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound">
+    {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}}
+    <ind:subexpression datatype="int" operation="less than or equal"
+		       var_ref="{{{ EXT_VARIABLE }}}"/>
+    {{% elif VARIABLE_UPPER_BOUND is number %}}
+    <ind:subexpression datatype="int" operation="less than">{{{ VARIABLE_UPPER_BOUND }}}</ind:subexpression>
+    {{% else %}}
+    <ind:subexpression datatype="int" operation="less than or equal"
+		       var_ref="{{{ VARIABLE_UPPER_BOUND }}}"/>
+    {{% endif %}}
+  </ind:textfilecontent54_state>
+  {{% endif %}}
+
+  {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+  <ind:textfilecontent54_state
+      version="1"
+      id="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound">
+    {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}}
+    <ind:subexpression datatype="int" operation="greater than or equal"
+		       var_ref="{{{ EXT_VARIABLE }}}"/>
+    {{% elif VARIABLE_LOWER_BOUND is number %}}
+    <ind:subexpression datatype="int" operation="greater than">{{{ VARIABLE_LOWER_BOUND }}}</ind:subexpression>
+    {{% else %}}
+    <ind:subexpression datatype="int" operation="greater than or equal"
+		       var_ref="{{{ VARIABLE_LOWER_BOUND }}}"/>
+    {{% endif %}}
+  </ind:textfilecontent54_state>
+  {{% endif %}}
+  
+  {{{ generate_check_parameter_in_pam_file (file_stem="system")   }}}
+  {{{ generate_check_parameter_in_pam_file (file_stem="password") }}}
+  {{{ generate_check_parameter_in_pam_file (file_stem="common")   }}}
+
+  <!-- Check expected value of {{{ PRM_NAME }}} parameter in /etc/security/faillock.conf -->
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+			      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"
+			      comment="Check the expected {{{ PRM_NAME }}} value in /etc/security/faillock.conf">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"/>
+    {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_upper_bound"/>
+    {{% endif %}}
+    {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+    <ind:state state_ref="state_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_lower_bound"/>
+    {{% endif %}}
+  </ind:textfilecontent54_test>
+
+  <!-- Check absence of {{{ PRM_NAME }}} parameter in /etc/security/faillock.conf -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="1"
+      id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_no_faillock_conf"
+      comment="Check the absence of {{{ PRM_NAME }}} parameter in /etc/security/faillock.conf">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="1"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"
+      comment="Check the expected pam_faillock.so {{{ PRM_NAME }}} parameter in /etc/security/faillock.conf">
+    <ind:filepath>/etc/security/faillock.conf</ind:filepath>
+    <ind:pattern
+	operation="pattern match"
+	var_ref="var_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_faillock_conf_{{{ PRM_NAME }}}_parameter_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/shared/templates/pam_account_password_faillock/template.yml b/shared/templates/pam_account_password_faillock/template.yml
new file mode 100644
index 000000000000..b57de6fbb63e
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
diff --git a/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
new file mode 100644
index 000000000000..b3232cc93ec2
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# remediation = none
+
+SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
+
+# This modification will break the integrity checks done by authselect.
+if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
+	sed -i "/^password.*requisite.*pam_pwquality\.so/a password    requisite     pam_pwhistory.so" $SYSTEM_AUTH_FILE
+else
+   sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
new file mode 100644
index 000000000000..24f5731f63dd
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+pam_files=("password-auth" "system-auth")
+
+authselect create-profile testingProfile --base-on minimal
+
+CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
+
+authselect select --force custom/testingProfile
+
+truncate -s 0 /etc/security/faillock.conf
+
+echo "deny = 3" > /etc/security/faillock.conf
+
+{{{ bash_pam_faillock_enable() }}}
+
+for file in ${pam_files[@]}; do
+    if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
+        sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \
+            "$CUSTOM_PROFILE_DIR/$file"
+    else 
+        sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \
+        "$CUSTOM_PROFILE_DIR/$file"
+    fi
+done
+
+
+authselect apply-changes
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
new file mode 100644
index 000000000000..aa3ca061de72
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# This test scenario simulates conflicting settings in pam and faillock.conf files.
+# It means that authselect is not properly configured and may have a unexpected behaviour. The
+# authselect integrity check will fail and the remediation will be aborted in order to preserve
+# intentional changes. In this case, an informative message will be shown in the remediation report.
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
new file mode 100644
index 000000000000..579e5670ea1a
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+if [ -f /usr/sbin/authconfig ]; then
+    authconfig --disablefaillock --update
+else
+    authselect select sssd --force
+    authselect disable-feature with-faillock
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
new file mode 100644
index 000000000000..e770e300f526
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
new file mode 100644
index 000000000000..249366097061
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
new file mode 100644
index 000000000000..fd57152b8c4b
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 5" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
new file mode 100644
index 000000000000..34405f594223
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=5" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
new file mode 100644
index 000000000000..efb57601cb9c
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# Ensure the parameters only in /etc/security/faillock.conf
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth        sufficient       pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
new file mode 100644
index 000000000000..dbc12db6b9f7
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth        sufficient       pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
new file mode 100644
index 000000000000..b780f3203624
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+# remediation = none
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+# This test scenario manually modify the pam_faillock.so entries in auth section from
+# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
+# intentioned. We catch this, but we can't safely remediate in an automated way.
+if [ -f /usr/sbin/authconfig ]; then
+    authconfig --enablefaillock --faillockargs="deny=3" --update
+else
+    authselect select sssd --force
+    authselect enable-feature with-faillock
+    sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+fi
+sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+if [ -f /etc/security/faillock.conf ]; then
+    > /etc/security/faillock.conf
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
new file mode 100644
index 000000000000..595b85192da1
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 2" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
new file mode 100644
index 000000000000..03f93edaa4f5
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=2" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
new file mode 100644
index 000000000000..06e07a9d9685
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
+
+echo "#deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
new file mode 100644
index 000000000000..e64fb3528e8f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
+# Extra comments and whitespaces were added to test for edge cases
+
+cat >/etc/pam.d/common-auth <<EOF
+ ## Leading and trailing whitespaces should be ok
+ auth required  pam_faillock.so     preauth 
+# here are the per-package modules (the "Primary" block)
+auth    [success=2 default=ignore]      pam_unix.so nullok
+## Several lines of comments should not
+## break faillock remediation logic
+## Nor should commented pam_unix
+#auth    [success=2 default=ignore]      pam_unix.so nullok
+
+auth    [success=1 default=ignore]      pam_sss.so use_first_pass
+
+ ## Some more user comments
+ auth [default=die]  pam_faillock.so authfail 
+ ## and some more
+ auth sufficient     pam_faillock.so authsucc 
+
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so 
+# end of pam-auth-update config
+EOF
+
+
+cat >/etc/pam.d/common-account <<EOF
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
+# here's the fallback if no module succeeds
+account requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account sufficient                      pam_localuser.so 
+account [default=bad success=ok user_unknown=ignore]    pam_sss.so 
+# end of pam-auth-update config
+
+  account required  pam_faillock.so 
+EOF
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
new file mode 100644
index 000000000000..17e2131675e9
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+echo "deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
new file mode 100644
index 000000000000..e6d203a01c5e
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth
+
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
new file mode 100644
index 000000000000..3b73ba396a64
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+# This test should fail because neither pam.d or faillock.conf have deny defined
+
+source ubuntu_common.sh
+
+echo > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
new file mode 100644
index 000000000000..40c103dc6f9c
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
+sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
+
+echo "deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 000000000000..23be5083c6ff
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+source ubuntu_common.sh
+
+echo "auth        sufficient       pam_unix.so" >> /etc/pam.d/common-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
new file mode 100644
index 000000000000..d236f32cb8bc
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+echo "deny=999" > /etc/security/faillock.conf