diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index 8677d64d593..cfc76fac022 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -621,6 +621,30 @@ When the remediation is applied duplicate occurrences of `key` are removed.
- **app** - optional. If not set the check will use the default text `The respective application or service`.
If set, the `app` is used within sentences like: "`application` is configured correctly and configuration file exists"
+#### pam_account_password_faillock
+- Checks if the pam_faillock is enabled in PAM and if the specified
+ parameter is correctly configured either in /etc/security/faillock.conf
+ or directly in /etc/pam.d/* files.
+
+ The allowed interval for the faillock parameter is defined by
+ template parameters `variable_lower_bound` and `variable_upper_bound`.
+ The boundaries are inclusive (lower <= parameter value <= upper) and
+ can be set as:
+ - `use_ext_variable`: use value in external XCCDF variable defined by `ext_variable`
+ - number: literal number
+ - undefined: no boundary
+
+- Parameters:
+ - **description** - Description of rule
+ - **prm_name** - name of faillock parameter
+ - **prm_regex_conf** - regex for faillock parameter in /etc/security/faillock.conf
+ - **prm_regex_pamd** - regex for faillock parameter in /etc/pam.d/*
+ - **variable_lower_bound** - lower boundary for allowed parameter value
+ - **variable_upper_bound** - upper boundary for allowed parameter value
+ - **ext_variable** - external XCCDG variable used to define interval boundaries and
+ the value used in the remediation.
+
+
#### pam_options
- Checks if the parameters or arguments of a given Linux-PAM (Pluggable
Authentication Modules) module in a given PAM configuration file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index f18c0a14fec..52107ee4843 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -97,4 +97,4 @@ template:
ext_variable: var_accounts_passwords_pam_faillock_deny
description: Lockout account after failed login attempts.
variable_upper_bound: use_ext_variable
- variable_lower_bound: 0
+ variable_lower_bound: 1
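Review bot: The new `variable_lower_bound: 1` carries no explanation, and nothing visible pins it, because this same commit deletes the rule's own test scenarios, so no test shown here checks that `deny=0` is rejected. To my knowledge pam_faillock treats a deny value of 0 as "never lock the account", which is presumably why 0 is now excluded. A comment above the line would record that for the next maintainer, e.g. `# deny=0 disables lockout in pam_faillock, so it must not satisfy the rule`. If the replacement template-level tests (not visible in this part of the diff) do not already cover it, add a fail scenario that enables faillock and writes `deny = 0` to /etc/security/faillock.conf. The `template:` block begins above this hunk.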
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh
deleted file mode 100644
index b3232cc93ec..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-# remediation = none
-
-SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-
-# This modification will break the integrity checks done by authselect.
-if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
- sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
-else
- sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh
deleted file mode 100644
index bbf97fa2ac0..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_deny=3
-
-authconfig --enablefaillock --faillockargs="deny=3" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh
deleted file mode 100644
index cb1ca930499..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_deny=3
-
-authconfig --enablefaillock --faillockargs="deny=5" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh
deleted file mode 100644
index 54729a3144b..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_deny=3
-
-authconfig --enablefaillock --faillockargs="deny=2" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh
deleted file mode 100644
index 9b10313e9f8..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_deny=10
-
-source ubuntu_common.sh
-
-echo "#deny=1" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh
deleted file mode 100644
index 532926d2701..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh
deleted file mode 100644
index 6edc7e7af1f..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_deny=10
-
-source ubuntu_common.sh
-
-echo "deny=1" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh
deleted file mode 100644
index f1d9a7266c5..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_deny=10
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail deny=1
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth deny=1
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh
deleted file mode 100644
index 3fbb16cdc5c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_deny=10
-
-echo "deny=1" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh
deleted file mode 100644
index b185d221714..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_deny=10
-
-source ubuntu_common.sh
-
-echo "deny=999" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh
deleted file mode 100644
index b3232cc93ec..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-# remediation = none
-
-SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-
-# This modification will break the integrity checks done by authselect.
-if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
- sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
-else
- sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh
deleted file mode 100644
index 9a553893cbe..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-# packages = authselect,pam
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-
-pam_files=("password-auth" "system-auth")
-
-authselect create-profile testingProfile --base-on minimal
-
-CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
-
-authselect select --force custom/testingProfile
-
-truncate -s 0 /etc/security/faillock.conf
-
-echo "fail_interval = 900" > /etc/security/faillock.conf
-
-{{{ bash_pam_faillock_enable() }}}
-
-for file in ${pam_files[@]}; do
- if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
- sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/fail_interval=900/" \
- "$CUSTOM_PROFILE_DIR/$file"
- else
- sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth fail_interval=900" \
- "$CUSTOM_PROFILE_DIR/$file"
- fi
-done
-
-authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh
deleted file mode 100644
index 0b67e0e02af..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# This test scenario simulates conflicting settings in pam and faillock.conf files.
-# It means that authselect is not properly configured and may have a unexpected behaviour. The
-# authselect integrity check will fail and the remediation will be aborted in order to preserve
-# intentional changes. In this case, an informative message will be shown in the remediation report.
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 fail_interval=900/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh
deleted file mode 100644
index 9d4320fbb4e..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --disablefaillock --update
-else
- authselect select sssd --force
- authselect disable-feature with-faillock
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh
deleted file mode 100644
index 82bf9fa75bb..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh
deleted file mode 100644
index 552078405cc..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=900" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh
deleted file mode 100644
index 74236e2fba7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 300" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh
deleted file mode 100644
index f1d331f5da1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=300" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
deleted file mode 100644
index ef2461160c2..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# Ensure the parameters only in /etc/security/faillock.conf
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
deleted file mode 100644
index eaf164272ad..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=900" --update
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh
deleted file mode 100644
index 30e04472962..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-# This test scenario manually modify the pam_faillock.so entries in auth section from
-# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
-# intentioned. We catch this, but we can't safely remediate in an automated way.
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --faillockargs="fail_interval=900" --update
-else
- authselect select sssd --force
- authselect enable-feature with-faillock
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 fail_interval=900/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-fi
-sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-if [ -f /etc/security/faillock.conf ]; then
- > /etc/security/faillock.conf
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh
deleted file mode 100644
index c71a12afe36..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 1200" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh
deleted file mode 100644
index 3697ba2b0d9..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=1200" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
deleted file mode 100644
index a865d7efd18..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "#fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh
deleted file mode 100644
index 532926d2701..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh
deleted file mode 100644
index 0be3daea347..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh
deleted file mode 100644
index 7b43417e5f7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail fail_interval=900
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth fail_interval=900
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh
deleted file mode 100644
index 1983fb4e6ff..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-echo "fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh
deleted file mode 100644
index 88fc852a76c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "fail_interval=100" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh
deleted file mode 100644
index b3232cc93ec..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-# remediation = none
-
-SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-
-# This modification will break the integrity checks done by authselect.
-if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
- sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
-else
- sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh
deleted file mode 100644
index d547b0e3562..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# packages = authselect,pam
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-
-pam_files=("password-auth" "system-auth")
-
-authselect create-profile testingProfile --base-on minimal
-
-CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
-
-authselect select --force custom/testingProfile
-
-truncate -s 0 /etc/security/faillock.conf
-
-echo "unlock_time=600" > /etc/security/faillock.conf
-
-{{{ bash_pam_faillock_enable() }}}
-
-for file in ${pam_files[@]}; do
- if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
- sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/unlock_time=600/" \
- "$CUSTOM_PROFILE_DIR/$file"
- else
- sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth unlock_time=600" \
- "$CUSTOM_PROFILE_DIR/$file"
- fi
-done
-
-
-authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh
deleted file mode 100644
index 057348eb4e7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# This test scenario simulates conflicting settings in pam and faillock.conf files.
-# It means that authselect is not properly configured and may have a unexpected behaviour. The
-# authselect integrity check will fail and the remediation will be aborted in order to preserve
-# intentional changes. In this case, an informative message will be shown in the remediation report.
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 unlock_time=600/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "unlock_time=600" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh
deleted file mode 100644
index bfcc7d4a43c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --disablefaillock --update
-else
- authselect select sssd --force
- authselect disable-feature with-faillock
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh
deleted file mode 100644
index 643f503f1ac..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=600" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh
deleted file mode 100644
index 838ab7c536f..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "unlock_time=300" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh
deleted file mode 100644
index a45ea873de1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=300" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
deleted file mode 100644
index b7b1532bb97..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# Ensure the parameters only in /etc/security/faillock.conf
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "unlock_time=600" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
deleted file mode 100644
index d7d727671b4..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=600" --update
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh
deleted file mode 100644
index eff1bd32c19..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-# This test scenario manually modify the pam_faillock.so entries in auth section from
-# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
-# intentioned. We catch this, but we can't safely remediate in an automated way.
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --faillockargs="unlock_time=600" --update
-else
- authselect select sssd --force
- authselect enable-feature with-faillock
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 unlock_time=600/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-fi
-sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-if [ -f /etc/security/faillock.conf ]; then
- > /etc/security/faillock.conf
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh
deleted file mode 100644
index a57645eb10a..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "unlock_time=900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh
deleted file mode 100644
index 3db1d3acf87..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=900" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh
deleted file mode 100644
index 0825090b42d..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_unlock_time=300
-
-source ubuntu_common.sh
-
-echo "#unlock_time=1000" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh
deleted file mode 100644
index 532926d2701..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh
deleted file mode 100644
index 7ace223da97..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_unlock_time=300
-
-source ubuntu_common.sh
-
-echo "unlock_time=1000" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh
deleted file mode 100644
index 884fdcd6baa..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_unlock_time=300
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail unlock_time=900
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth unlock_time=900
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh
deleted file mode 100644
index 89e4d1a4a78..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_unlock_time=300
-
-echo "unlock_time=1000" > /etc/security/faillock.conf
diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja
index db1f03220eb..879d61a5d69 100644
--- a/shared/macros/20-test-scenarios.jinja
+++ b/shared/macros/20-test-scenarios.jinja
@@ -10,3 +10,103 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys
{{% endif %}}
{{%- endmacro -%}}
+
+{{#
+This macro is used by pam_account_password_faillock template to initialize
+the external variable and parameter value to a desired state.
+
+:param state: correct, stricter, lenient_high, lenient_low
+:type state: str
+#}}
+
+{{%- macro tests_init_faillock_vars(state) -%}}
+
+PRM_NAME={{{ PRM_NAME }}}
+{{% if state not in ["correct", "stricter", "lenient_high", "lenient_low"] %}}
+echo "Unsupported value for argument 'state': {{{ state }}}"
+exit 2
+
+{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND == "use_ext_variable" %}}
+{{% if state == "correct" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=5
+{{% elif state == "stricter" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=5
+{{% elif state == "lenient_high" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=6
+{{% elif state == "lenient_low" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=4
+{{% endif %}}
+
+{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND is number %}}
+{{% if state == "correct" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}}
+TEST_VALUE={{{ VARIABLE_LOWER_BOUND }}}
+{{% elif state == "stricter" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND + 2 }}}
+TEST_VALUE={{{ VARIABLE_LOWER_BOUND + 1 }}}
+{{% elif state == "lenient_high" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}}
+TEST_VALUE={{{ VARIABLE_LOWER_BOUND + 1 }}}
+{{% elif state == "lenient_low" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}}
+TEST_VALUE={{{ VARIABLE_LOWER_BOUND - 1 }}}
+{{% endif %}}
+
+{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND is none %}}
+{{% if state == "correct" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=5
+{{% elif state == "stricter" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=4
+{{% elif state == "lenient_high" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=6
+{{% elif state == "lenient_low" %}}
+# there is no lower limit so the test should be not-applicable
+# check = none
+{{% endif %}}
+
+{{% elif VARIABLE_LOWER_BOUND == "use_ext_variable" and VARIABLE_UPPER_BOUND is number %}}
+{{% if state == "correct" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND | default(100) }}}
+TEST_VALUE={{{ VARIABLE_UPPER_BOUND | default(100) }}}
+{{% elif state == "stricter" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND | default(100) - 2 }}}
+TEST_VALUE={{{ VARIABLE_UPPER_BOUND | default(100) - 1 }}}
+{{% elif state == "lenient_high" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND }}}
+TEST_VALUE={{{ VARIABLE_UPPER_BOUND + 1 }}}
+{{% elif state == "lenient_low" %}}
+# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND }}}
+TEST_VALUE={{{ VARIABLE_UPPER_BOUND - 1 }}}
+{{% endif %}}
+
+{{% elif VARIABLE_LOWER_BOUND == "use_ext_variable" and VARIABLE_UPPER_BOUND is none %}}
+{{% if state == "correct" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=5
+{{% elif state == "stricter" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=6
+{{% elif state == "lenient_high" %}}
+# there is no upper limit so the test should be not-applicable
+# check = none
+{{% elif state == "lenient_low" %}}
+# variables = {{{ EXT_VARIABLE }}}=5
+TEST_VALUE=4
+{{% endif %}}
+
+{{% else %}}
+echo "The combination of template parameters is not supported by the test:"
+echo " variable_upper_bound={{{ VARIABLE_UPPER_BOUND }}}"
+echo " variable_lower_bound={{{ VARIABLE_LOWER_BOUND }}}"
+echo " ext_variable={{{ EXT_VARIABLE }}}"
+exit 2
+{{% endif %}}
+{{%- endmacro -%}}
+
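Review bot: In the two not-applicable arms (`lenient_low` when `VARIABLE_LOWER_BOUND is none`, `lenient_high` when `VARIABLE_UPPER_BOUND is none`) the macro emits only `# check = none` and never assigns `TEST_VALUE`, while the scenario scripts visible in this commit use `$TEST_VALUE` right after the macro call. If the harness still runs the script body for `check = none` (not visible here), those scenarios would write an empty parameter value into /etc/security/faillock.conf or the PAM files; ending the script in that arm, e.g. an `exit 0` after the `# check = none` line, would make it self-contained. Separately, the `| default(100)` filters in the `VARIABLE_UPPER_BOUND is number` arm can never apply, because the arm is only entered when the bound is a number, and the `lenient_*` states of the same arm already omit them. The assignment would also be safer quoted, `PRM_NAME="{{{ PRM_NAME }}}"`, and the `echo` diagnostics before both `exit 2` lines belong on stderr (`>&2`).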
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
index 5e1161920e5..52ff31b34bd 100644
--- a/shared/templates/pam_account_password_faillock/ansible.template
+++ b/shared/templates/pam_account_password_faillock/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_all
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template
index 915905aedd3..c98ebeda316 100644
--- a/shared/templates/pam_account_password_faillock/oval.template
+++ b/shared/templates/pam_account_password_faillock/oval.template
@@ -242,10 +242,10 @@
id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}"
comment="Check the expected {{{ PRM_NAME }}} value in {{{ file_stem }}}-auth">
- {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+ {{% if VARIABLE_UPPER_BOUND is not none %}}
{{% endif %}}
- {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+ {{% if VARIABLE_LOWER_BOUND is not none %}}
{{% endif %}}
@@ -266,34 +266,28 @@
- {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+ {{% if VARIABLE_UPPER_BOUND is not none %}}
{{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}}
- {{% elif VARIABLE_UPPER_BOUND is number %}}
- {{{ VARIABLE_UPPER_BOUND }}}
{{% else %}}
-
+ {{{ VARIABLE_UPPER_BOUND }}}
{{% endif %}}
{{% endif %}}
- {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+ {{% if VARIABLE_LOWER_BOUND is not none %}}
{{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}}
- {{% elif VARIABLE_LOWER_BOUND is number %}}
- {{{ VARIABLE_LOWER_BOUND }}}
{{% else %}}
-
+ {{{ VARIABLE_LOWER_BOUND }}}
{{% endif %}}
{{% endif %}}
@@ -307,10 +301,10 @@
id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf"
comment="Check the expected {{{ PRM_NAME }}} value in /etc/security/faillock.conf">
- {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+ {{% if VARIABLE_UPPER_BOUND is not none %}}
{{% endif %}}
- {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+ {{% if VARIABLE_LOWER_BOUND is not none %}}
{{% endif %}}
diff --git a/shared/templates/pam_account_password_faillock/template.py b/shared/templates/pam_account_password_faillock/template.py
new file mode 100644
index 00000000000..654209336c1
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/template.py
@@ -0,0 +1,16 @@
+def preprocess(data, lang):
+ if data.get("ext_variable") is None:
+ errmsg = ("The template instance of the rule {0} requires the "
+ "ext_variable to be defined".format(_rule_id))
+ raise ValueError(errmsg)
+
+ for var in ["variable_upper_bound", "variable_lower_bound"]:
+ data[var] = data.get(var, None)
+ if data.get(var) is not None and \
+ data.get(var) != "use_ext_variable" and \
+ type(data.get(var)) != int:
+ errmsg = ("The template instance of the rule {0} requires the "
+ "parameter {1} is either 'use_ext_variable' or "
+ "a number or undefined".formate(_rule_id, var))
+ raise ValueError(errmsg)
+ return data
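Review bot: Both error paths in `preprocess` raise something other than the intended `ValueError`: the second message calls `.formate(...)`, which is an `AttributeError` on `str`, and both reference a bare `_rule_id` that this new file never defines. If the rule id is delivered inside `data` (not visible in this file, confirm against the template loader), the calls would read `.format(data["_rule_id"])` and `.format(data["_rule_id"], var)`. `type(data.get(var)) != int` is more idiomatic as `not isinstance(data[var], int)`, bearing in mind that `isinstance` accepts `bool` where the current comparison rejects it. A short docstring stating that `ext_variable` is mandatory and that each bound must be `None`, `"use_ext_variable"` or an `int` would record the contract the OVAL template now relies on after dropping its own `is number` check.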
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
similarity index 66%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
index 24f5731f63d..91890c28fbc 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
@@ -2,9 +2,12 @@
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+{{{ tests_init_faillock_vars("correct") }}}
+
pam_files=("password-auth" "system-auth")
-authselect create-profile testingProfile --base-on minimal
+authselect create-profile testingProfile --base-on minimal || \
+ authselect create-profile testingProfile --base-on local
CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
@@ -12,16 +15,16 @@ authselect select --force custom/testingProfile
truncate -s 0 /etc/security/faillock.conf
-echo "deny = 3" > /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" > /etc/security/faillock.conf
{{{ bash_pam_faillock_enable() }}}
for file in ${pam_files[@]}; do
if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
- sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \
+ sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/$PRM_NAME=$TEST_VALUE/" \
"$CUSTOM_PROFILE_DIR/$file"
else
- sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \
+ sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth $PRM_NAME=$TEST_VALUE" \
"$CUSTOM_PROFILE_DIR/$file"
fi
done
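Review bot: The first `sed` appends `$PRM_NAME=$TEST_VALUE` with `s/$/…/` and no separating space, so on an existing `pam_faillock.so … preauth` line the option is glued onto the last token instead of being added as a separate PAM argument; `s/$/ $PRM_NAME=$TEST_VALUE/` keeps it distinct. The `deny=3` text it replaces had the same shape, so this scenario may have been failing for a reason other than the conflicting settings it is named for. The loop also expands `${pam_files[@]}` and `$CUSTOM_PROFILE_DIR/$file` unquoted on the `for` and `grep` lines; `"${pam_files[@]}"` and `"$CUSTOM_PROFILE_DIR/$file"` would match the quoting already used for the `sed` targets.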
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
similarity index 78%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
index aa3ca061de7..e9f8a06f48d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
@@ -2,7 +2,8 @@
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
# remediation = none
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("correct") }}}
authselect select sssd --force
authselect enable-feature with-faillock
@@ -10,7 +11,7 @@ authselect enable-feature with-faillock
# It means that authselect is not properly configured and may have a unexpected behaviour. The
# authselect integrity check will fail and the remediation will be aborted in order to preserve
# intentional changes. In this case, an informative message will be shown in the remediation report.
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
> /etc/security/faillock.conf
-echo "deny = 3" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
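Review bot: `$PRM_NAME` and `$TEST_VALUE` are expanded unquoted between the single-quoted pieces of the `sed` script, so a value containing whitespace or glob characters would be word-split or expanded and change the arguments `sed` receives. Closing the single quote into a double-quoted segment avoids that: `…\1 '"$PRM_NAME=$TEST_VALUE"'/g'`. The pattern's `pam_faillock.so` also leaves the dot unescaped, unlike the `faillock\.so` used in conflicting_settings_authselect.fail.sh.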
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
similarity index 84%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
index 67c1b593bdb..b1a88e37a65 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
@@ -1,7 +1,8 @@
#!/bin/bash
# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# packages = authselect
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("correct") }}}
if [ -f /usr/sbin/authconfig ]; then
authconfig --disablefaillock --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
similarity index 73%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
index e770e300f52..b5d27377a4c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
@@ -1,10 +1,11 @@
#!/bin/bash
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("correct") }}}
authselect select sssd --force
authselect enable-feature with-faillock
> /etc/security/faillock.conf
-echo "deny = 3" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
new file mode 100644
index 00000000000..1e315064228
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,multi_platform_fedora
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh
similarity index 71%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh
index 1840cae45af..d900ff868db 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh
@@ -1,10 +1,11 @@
#!/bin/bash
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
+
+{{{ tests_init_faillock_vars("lenient_high") }}}
authselect select sssd --force
authselect enable-feature with-faillock
> /etc/security/faillock.conf
-echo "unlock_time=600" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
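Review bot: Nothing checks that `PRM_NAME` and `TEST_VALUE` are non-empty before the `echo "$PRM_NAME = $TEST_VALUE"` line. In a `.fail.sh` scenario an empty expansion writes ` = ` to faillock.conf, so the scan would fail as expected without the upper bound ever being exercised. A guard directly after the macro call, `: "${PRM_NAME:?}" "${TEST_VALUE:?}"`, would make the setup script exit non-zero instead. This assumes tests_init_faillock_vars defines both as shell variables; its definition is not in this hunk. The lenient_low, *_pam_files and ubuntu_* `.fail.sh` hunks have the same gap.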
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh
new file mode 100644
index 00000000000..0cdaee7c0f3
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,multi_platform_fedora
+
+{{{ tests_init_faillock_vars("lenient_high") }}}
+
+authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh
similarity index 73%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh
index fd57152b8c4..bcb8d10028b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh
@@ -1,10 +1,11 @@
#!/bin/bash
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("lenient_low") }}}
authselect select sssd --force
authselect enable-feature with-faillock
> /etc/security/faillock.conf
-echo "deny = 5" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh
new file mode 100644
index 00000000000..4b1e2802627
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,multi_platform_fedora
+
+{{{ tests_init_faillock_vars("lenient_low") }}}
+
+authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
similarity index 88%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
index efb57601cb9..56f9acccc80 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
@@ -2,14 +2,15 @@
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
# remediation = none
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("correct") }}}
authselect select sssd --force
authselect enable-feature with-faillock
# Ensure the parameters only in /etc/security/faillock.conf
sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
> /etc/security/faillock.conf
-echo "deny = 3" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
similarity index 77%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
index 51d94b3333b..5947d7d67a1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
@@ -2,9 +2,10 @@
# packages = authconfig
# platform = Oracle Linux 7,multi_platform_fedora
# remediation = none
-# variables = var_accounts_passwords_pam_faillock_deny=3
-authconfig --enablefaillock --faillockargs="deny=3" --update
+{{{ tests_init_faillock_vars("correct") }}}
+
+authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
similarity index 78%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
index e3ec96da080..4e4f06004f0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
@@ -2,17 +2,18 @@
# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# packages = authselect
# remediation = none
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("correct") }}}
# This test scenario manually modify the pam_faillock.so entries in auth section from
# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
# intentioned. We catch this, but we can't safely remediate in an automated way.
if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --faillockargs="deny=3" --update
+ authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
else
authselect select sssd --force
authselect enable-feature with-faillock
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+ sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
fi
sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
if [ -f /etc/security/faillock.conf ]; then
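Review bot: The new `sed` replacement on the authselect branch splices `$PRM_NAME` and `$TEST_VALUE` in unquoted, between two single-quoted segments, so the shell word-splits and globs them before sed sees the script. Double-quoting the splices keeps the script a single argument: `'"$PRM_NAME"'='"$TEST_VALUE"'` in place of `'$PRM_NAME'='$TEST_VALUE'`. The same construct appears in the ubuntu_correct_pamd.pass.sh hunk. The values presumably come from tests_init_faillock_vars, which is not visible here, so whether they can contain `/` or `&` (which sed would treat as syntax) cannot be confirmed from this hunk. The trailing `if [ -f /etc/security/faillock.conf ]` block continues outside the hunk.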
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
similarity index 73%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh
rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
index 595b85192da..00846218152 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
@@ -1,10 +1,11 @@
#!/bin/bash
# packages = authselect
# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_deny=3
+
+{{{ tests_init_faillock_vars("stricter") }}}
authselect select sssd --force
authselect enable-feature with-faillock
> /etc/security/faillock.conf
-echo "deny = 2" >> /etc/security/faillock.conf
+echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf
echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
new file mode 100644
index 00000000000..8d52f968e26
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,multi_platform_fedora
+
+{{{ tests_init_faillock_vars("stricter") }}}
+
+authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
new file mode 100644
index 00000000000..6983c7c371e
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo "#$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
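Review bot: The commented-out case is covered only in the form `#name=value`; a line written as `# name = value`, with a space after the hash and around the equals sign, is not tested. If the check's pattern only rejects lines where `#` directly precedes the parameter name, the spaced form could be read as a live setting and the rule would report lockout as enforced when it is not. A second line in this scenario, `echo "# $PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf`, would pin that behaviour.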
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
new file mode 100644
index 00000000000..1d9c8ca036c
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
new file mode 100644
index 00000000000..c65c647089f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+sed -i 's/\(.*pam_faillock.so.*\)/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/common-auth
+
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh
new file mode 100644
index 00000000000..20f3dc84980
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("stricter") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
new file mode 100644
index 00000000000..6e03271b6d2
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh
new file mode 100644
index 00000000000..3eac17028ee
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("lenient_high") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh
new file mode 100644
index 00000000000..fbb76961a61
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("lenient_low") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
new file mode 100644
index 00000000000..edfa5613095
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf
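Review bot: The file has no comment saying that pam_faillock is left out of /etc/pam.d on purpose, which is the only thing that separates it from ubuntu_correct.pass.sh. A line such as `# pam_faillock is intentionally not enabled in /etc/pam.d; only faillock.conf is configured` above the `echo` would make that clear. The scenario also presumes the test image does not already enable pam_faillock, which cannot be verified from this hunk.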
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 00000000000..7937ecf2862
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth
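Review bot: No value for `$PRM_NAME` is written in this scenario, unlike the RHEL counterpart pam_faillock_multiple_pam_unix_faillock_conf.fail.sh, which sets the correct value first. Unless one of the two macros configures it, the scan may fail because the parameter is missing rather than because of the extra pam_unix.so line. Adding `echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf` before the `sed` would isolate the condition under test. The `sed` insert also does nothing if the `# end of pam-auth-update config` marker is absent from common-auth, so a `grep -q` for the inserted line afterwards would catch a silent no-op.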
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh