From 348572081a0dae4a0ef7a1f025f8e4d56c424d0d Mon Sep 17 00:00:00 2001 
From: Alan Moore Date: Fri, 29 Nov 2024 21:11:53 +0000 Subject: [PATCH] Add 'required' check in oval Add correct os into applicable platform Update the ubuntu oval to pass on both required and requisite Remove the check for authsucc since preauth can clear the count too Implement individual tests for pam_faillock_{deny, unlock_time, interval} --- .../tests/expected_pam_files.pass.sh | 1 + .../tests/missing_parameter.fail.sh | 1 + .../oval/ubuntu.xml | 2 +- .../tests/ubuntu_commented_values.fail.sh | 3 - .../tests/ubuntu_common.sh | 64 ++++++------------- .../tests/ubuntu_correct_pamd.pass.sh | 22 ++++++- .../tests/ubuntu_missing_pamd.fail.sh | 3 - .../tests/ubuntu_multiple_pam_unix.fail.sh | 2 +- .../tests/ubuntu_commented_values.fail.sh | 4 +- .../tests/ubuntu_common.sh | 64 ++++++------------- .../tests/ubuntu_correct.pass.sh | 1 + .../tests/ubuntu_correct_pamd.pass.sh | 23 ++++++- .../tests/ubuntu_empty_faillock_conf.fail.sh | 8 --- .../tests/ubuntu_missing_pamd.fail.sh | 6 +- .../tests/ubuntu_multiple_pam_unix.fail.sh | 11 ---- .../tests/ubuntu_wrong_value.fail.sh | 1 + .../tests/expected_pam_files.pass.sh | 1 + .../tests/missing_dir_in_authfail.fail.sh | 1 + .../tests/missing_dir_in_preauth.fail.sh | 1 + .../tests/wrong_pam_files.fail.sh | 1 + .../tests/ubuntu_commented_values.fail.sh | 4 +- .../tests/ubuntu_common.sh | 64 ++++++------------- .../tests/ubuntu_correct.pass.sh | 1 + .../tests/ubuntu_correct_pamd.pass.sh | 23 ++++++- .../tests/ubuntu_empty_faillock_conf.fail.sh | 8 --- .../tests/ubuntu_missing_pamd.fail.sh | 6 +- .../tests/ubuntu_multiple_pam_unix.fail.sh | 11 ---- .../tests/ubuntu_wrong_value.fail.sh | 1 + .../tests/ubuntu_commented_values.fail.sh | 4 +- .../tests/ubuntu_common.sh | 64 ++++++------------- .../tests/ubuntu_correct.pass.sh | 1 + .../tests/ubuntu_correct_pamd.pass.sh | 23 ++++++- .../tests/ubuntu_empty_faillock_conf.fail.sh | 8 --- .../tests/ubuntu_missing_pamd.fail.sh | 6 +- .../tests/ubuntu_multiple_pam_unix.fail.sh | 11 ---- 
.../tests/ubuntu_wrong_value.fail.sh | 7 ++ shared/macros/10-bash.jinja | 6 +- .../oval.template | 2 +- .../tests/authselect_modified_pam.fail.sh | 12 ---- .../conflicting_settings_authselect.fail.sh | 30 --------- .../pam_faillock_conflicting_settings.fail.sh | 16 ----- .../tests/pam_faillock_disabled.fail.sh | 11 ---- ...am_faillock_expected_faillock_conf.pass.sh | 10 --- .../pam_faillock_expected_pam_files.pass.sh | 6 -- ...pam_faillock_lenient_faillock_conf.fail.sh | 10 --- .../pam_faillock_lenient_pam_files.fail.sh | 6 -- ...ck_multiple_pam_unix_faillock_conf.fail.sh | 18 ------ ...illock_multiple_pam_unix_pam_files.fail.sh | 12 ---- ...am_faillock_not_required_pam_files.fail.sh | 20 ------ ...am_faillock_stricter_faillock_conf.pass.sh | 10 --- .../pam_faillock_stricter_pam_files.pass.sh | 6 -- .../tests/ubuntu_commented_values.fail.sh | 13 ---- .../tests/ubuntu_common.sh | 50 --------------- .../tests/ubuntu_correct.pass.sh | 6 -- .../tests/ubuntu_correct_pamd.pass.sh | 10 --- .../tests/ubuntu_empty_faillock_conf.fail.sh | 11 ---- .../tests/ubuntu_missing_pamd.fail.sh | 14 ---- .../tests/ubuntu_multiple_pam_unix.fail.sh | 11 ---- .../tests/ubuntu_wrong_value.fail.sh | 6 -- 59 files changed, 189 insertions(+), 569 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_empty_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_multiple_pam_unix.fail.sh delete mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_empty_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_multiple_pam_unix.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh delete mode 100644 
shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh delete mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh index 1c0458b43dc..98037b3e3e0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh @@ -1,5 +1,6 @@ #!/bin/bash # packages = authselect,pam +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh index 72fcac158e9..f56bdbce208 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh @@ -1,4 +1,5 @@ #!/bin/bash # packages = authselect,pam +# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml index 4679d9b38f8..a421b104dc5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/ubuntu.xml @@ -57,7 +57,7 @@ - ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc + ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh index e64fb3528e8..532926d2701 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh 
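Review bot: With the `authsucc` alternative dropped, nothing in this pattern checks that a successful login clears the tally: the only reset-capable entry the updated tests configure is `required pam_faillock.so` in the Account block of the faillock_notify profile, i.e. in common-account, which this auth-only pattern never sees. If the intent is that the account-phase entry performs the reset (which is how pam_faillock documents its account phase), a companion check on /etc/pam.d/common-account such as `^\s*account\s+required\s+pam_faillock\.so` would close the gap; otherwise a system that counts failures but never resets them still passes. The `(requisite|required)` alternation itself looks right, though `preauth.*[\s\S]*` has a redundant `.*`. The enclosing OVAL object and its filepath are outside the hunk, so which file the pattern is applied to is inferred from the surrounding context.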
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh @@ -1,50 +1,24 @@ #!/bin/bash -# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS -# Extra comments and whitespaces were added to test for edge cases - -cat >/etc/pam.d/common-auth < /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail EOF - -cat >/etc/pam.d/common-account < /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth +Account-Type: Primary +Account: + required pam_faillock.so EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh index 35a749f070a..bffea0531c4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh 
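Review bot: The final `DEBIAN_FRONTEND=noninteractive pam-auth-update` is unchecked and no `set -e` is visible, so if profile activation fails the sourcing scenario continues against whatever pam.d state the image already had, and a fail scenario can then "fail" for the wrong reason while a pass scenario silently drifts; `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` makes that visible. The same content is committed to the deny, interval and unlock_time copies of ubuntu_common.sh (L10, L16, L21, same blob ids), so the fix applies there as well. The removed header comment explaining what the file sets up was not replaced; a one-liner such as `# Install and enable pam-auth-update profiles that put pam_faillock into common-auth/common-account; per-rule tests append module options to these profiles` would help. The heredocs use an unquoted `<< EOF`; the bodies contain nothing to expand today, but `<< 'EOF'` keeps it that way. If the image's common-auth already carries local edits, pam-auth-update may decline to rewrite it without `--force`, which is worth a comment if it has been considered.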
@@ -1,7 +1,25 @@ #!/bin/bash # platform = multi_platform_ubuntu -source ubuntu_common.sh +cat << EOF > /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail audit +EOF -sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth audit +Account-Type: Primary +Account: + required pam_faillock.so +EOF +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh index 92e0f1aed6a..6af1c668e92 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh @@ -3,7 +3,4 @@ source ubuntu_common.sh -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account - echo "audit" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh index 23be5083c6f..57b3bc3a4bf 100644 
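Review bot: Both profiles from ubuntu_common.sh are re-inlined here and differ only by the trailing `audit` token, and the deny, interval and unlock_time `ubuntu_correct_pamd.pass.sh` hunks (L11, L17, L22) repeat the same copy with their own option; any later change to the profile text has to be made in five places. Assuming pam-auth-update rewrites the managed block when a profile changes (which is what the shared setup already relies on), this file could keep one source of truth with `source ubuntu_common.sh`, then `sed -i '/pam_faillock\.so \(authfail\|preauth\)/s/$/ audit/' /usr/share/pam-configs/faillock /usr/share/pam-configs/faillock_notify`, then `DEBIAN_FRONTEND=noninteractive pam-auth-update`. If the inline copies are deliberate, a short comment saying why they must not source the common file would stop the next reader from "fixing" it.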
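Review bot: This audit variant of ubuntu_missing_pamd.fail.sh keeps `source ubuntu_common.sh` (context line 3) and only drops the two sed deletions, so after the change the scenario installs and enables the faillock profiles and then writes `audit` to faillock.conf; pam_faillock is no longer missing from pam.d, which is what the file name promises. The deny and interval counterparts (L12, L18) remove the source line instead, so either that line was missed here or the expected failure has changed and deserves a comment stating what it now is. The first two lines of the file are outside the hunk, so this is inferred from the hunk header and context.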
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh @@ -8,4 +8,4 @@ source ubuntu_common.sh -echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth +sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh index 06e07a9d968..9b10313e9f8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh @@ -1,9 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_deny=10 source ubuntu_common.sh -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account - echo "#deny=1" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh index e64fb3528e8..532926d2701 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh 
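Review bot: The new sed keys on the `# end of pam-auth-update config` marker and is a silent no-op if that line is absent, in which case common-auth is left with a single pam_unix.so and this fail scenario no longer sets up the condition it is meant to detect. A guard before the sed, `grep -q '# end of pam-auth-update config' /etc/pam.d/common-auth || exit 1`, turns that into a visible setup error. Inserting inside the managed block also means a later pam-auth-update run would discard the extra line, which is fine for a one-shot scenario but worth a comment. The first seven lines of the file are outside the hunk.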
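Review bot: After this change the scenario sources ubuntu_common.sh, whose profiles carry no `deny=` on the pam_faillock lines, and writes only the commented `#deny=1`, so the expected failure rests entirely on the check refusing an unset value even though pam_faillock's built-in default (3) would already be below the threshold of 10 given in the new `# variables` line. That is a reasonable requirement, but it is no longer stated anywhere in the file now that the sed lines documenting the old intent are gone; a comment such as `# deny is only present as a comment: the check must require an explicit setting regardless of the module default` would record it. The interval (L15) and unlock_time (L20) commented_values hunks have the same shape and would benefit from the same comment.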
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh @@ -1,50 +1,24 @@ #!/bin/bash -# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS -# Extra comments and whitespaces were added to test for edge cases - -cat >/etc/pam.d/common-auth < /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail EOF - -cat >/etc/pam.d/common-account < /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth +Account-Type: Primary +Account: + required pam_faillock.so EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh index 17e2131675e..6edc7e7af1f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_deny=10 source ubuntu_common.sh 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh index e6d203a01c5..f1d9a7266c5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh @@ -1,7 +1,26 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_deny=10 -source ubuntu_common.sh +cat << EOF > /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail deny=1 +EOF -sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth deny=1 +Account-Type: Primary +Account: + required pam_faillock.so +EOF +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh deleted file mode 100644 index 3b73ba396a6..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -# This test should fail because neither pam.d or faillock.conf have deny defined - -source ubuntu_common.sh - -echo > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh index 40c103dc6f9..3fbb16cdc5c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu - -source ubuntu_common.sh - -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account +# variables = var_accounts_passwords_pam_faillock_deny=10 echo "deny=1" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh deleted file mode 100644 index 23be5083c6f..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh +++ /dev/null 
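Review bot: With `source ubuntu_common.sh` removed, this scenario no longer establishes its own precondition: it writes `deny=1` to faillock.conf and relies on the base image not shipping pam_faillock in common-auth at all. If an image or an earlier scenario in the same run leaves the faillock profiles enabled, the test passes the check and the "missing pamd" case is never exercised. Making the absence explicit, for example `rm -f /usr/share/pam-configs/faillock /usr/share/pam-configs/faillock_notify` followed by `DEBIAN_FRONTEND=noninteractive pam-auth-update --remove faillock faillock_notify` (or whichever invocation the harness already trusts to drop a profile), removes the dependency on image state; the interval hunk at L18 has the same shape.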
@@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# remediation = none - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. - -source ubuntu_common.sh - -echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh index d236f32cb8b..b185d221714 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_deny=10 source ubuntu_common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh index 802d79ba8dc..2894185b055 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh 
@@ -1,5 +1,6 @@ #!/bin/bash # packages = authselect,pam +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh index 69d6493e4a7..3953a75673c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # packages = authselect,pam +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh index 9d4c3640e66..303cf124fe0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # packages = authselect,pam +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh index d59e07f7647..45724e5e1e8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # packages = authselect,pam +# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 source common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh index 01648c77fc4..a865d7efd18 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh @@ -1,9 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_fail_interval=800 source ubuntu_common.sh -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account - echo "#fail_interval=900" > /etc/security/faillock.conf 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh index e64fb3528e8..532926d2701 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh @@ -1,50 +1,24 @@ #!/bin/bash -# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS -# Extra comments and whitespaces were added to test for edge cases - -cat >/etc/pam.d/common-auth < /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail EOF - -cat >/etc/pam.d/common-account < /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth +Account-Type: Primary +Account: + required pam_faillock.so EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh index 9e960cfda06..0be3daea347 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_fail_interval=800 source ubuntu_common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh index 4c9241b5267..7b43417e5f7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh @@ -1,7 +1,26 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_fail_interval=800 -source ubuntu_common.sh +cat << EOF > /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail fail_interval=900 +EOF -sed -i 's/\(.*pam_faillock.so.*\)/\1 fail_interval=900/g' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth fail_interval=900 +Account-Type: Primary +Account: + required pam_faillock.so +EOF +DEBIAN_FRONTEND=noninteractive pam-auth-update 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_empty_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_empty_faillock_conf.fail.sh deleted file mode 100644 index 05bac86bef0..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_empty_faillock_conf.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -# This test should fail because neither pam.d or faillock.conf have fail_interval defined - -source ubuntu_common.sh - -echo > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh index 0d6ccea0a3f..1983fb4e6ff 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu - -source ubuntu_common.sh - -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account +# variables = var_accounts_passwords_pam_faillock_fail_interval=800 echo "fail_interval=900" > /etc/security/faillock.conf 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_multiple_pam_unix.fail.sh deleted file mode 100644 index 23be5083c6f..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_multiple_pam_unix.fail.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# remediation = none - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. - -source ubuntu_common.sh - -echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh index 0de402a7213..88fc852a76c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_fail_interval=800 source ubuntu_common.sh 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh index cc08ec1cf44..0825090b42d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh @@ -1,9 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_unlock_time=300 source ubuntu_common.sh -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account - echo "#unlock_time=1000" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh index e64fb3528e8..532926d2701 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh 
@@ -1,50 +1,24 @@ #!/bin/bash -# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS -# Extra comments and whitespaces were added to test for edge cases - -cat >/etc/pam.d/common-auth < /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail EOF - -cat >/etc/pam.d/common-account < /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth +Account-Type: Primary +Account: + required pam_faillock.so EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh index e380799af2e..7ace223da97 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_unlock_time=300 source ubuntu_common.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh index 741bea844af..80bbb85e52a 100644 
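Review bot: The exit status of `DEBIAN_FRONTEND=noninteractive pam-auth-update` at the end of the hunk is not checked, so if profile activation fails every scenario that sources this helper runs against a PAM stack without pam_faillock.so, and a `.fail.sh` scenario can then fail for the wrong reason while a `.pass.sh` one fails silently. `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` would surface that; the same applies to the copy of this command in ubuntu_correct_pamd.pass.sh. The heredoc bodies of the two pam-configs profiles are only partly legible in this rendering, so this note is limited to the visible lines.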
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh @@ -1,7 +1,26 @@ #!/bin/bash # platform = multi_platform_ubuntu +# variables = var_accounts_passwords_pam_faillock_unlock_time=300 -source ubuntu_common.sh +cat << EOF > /usr/share/pam-configs/faillock +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail unlock_time=900 +EOF -sed -i 's/\(.*pam_faillock.so.*\)/\1 unlock_time=1000/g' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/faillock_notify +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth unlock_time=900 +Account-Type: Primary +Account: + required pam_faillock.so +EOF +DEBIAN_FRONTEND=noninteractive pam-auth-update \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_empty_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_empty_faillock_conf.fail.sh deleted file mode 100644 index b36740fb97c..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_empty_faillock_conf.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -# This test should fail because neither pam.d or faillock.conf have unlock_time defined - -source ubuntu_common.sh - -echo > /etc/security/faillock.conf 
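Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the pam-auth-update line), which is worth fixing before merge. The scenario also sets `unlock_time=900` on both pam_faillock.so lines while the test variable is 300 and the file is a `.pass.sh`; a comment would pin that intent, e.g. `# unlock_time=900 in pam.d exceeds the expected 300, so the rule must treat it as compliant` — presumably the check accepts larger values as stricter, which is not visible here. Since the profile text duplicates ubuntu_common.sh apart from the added parameter, a note saying the helper is deliberately not sourced would also help the next reader.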
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh index 9ef68330d39..89e4d1a4a78 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh @@ -1,9 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu - -source ubuntu_common.sh - -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth -sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account +# variables = var_accounts_passwords_pam_faillock_unlock_time=300 echo "unlock_time=1000" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_multiple_pam_unix.fail.sh deleted file mode 100644 index 23be5083c6f..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_multiple_pam_unix.fail.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# remediation = none - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. - -source ubuntu_common.sh - -echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth 
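Review bot: With `source ubuntu_common.sh` and the two sed lines gone, the scenario no longer does anything to the PAM stack and relies on pam_faillock.so being absent from the test image to begin with; if the profiles written by ubuntu_common.sh survive from another scenario, the expected failure is not guaranteed. Making the precondition explicit keeps the test self-contained, for instance `pam-auth-update --remove faillock faillock_notify --force` as the deleted Ubuntu tests did, or removing the two pam-configs profiles and rerunning `DEBIAN_FRONTEND=noninteractive pam-auth-update`. A comment such as `# no pam_faillock.so in pam.d at all; faillock.conf alone must not satisfy the rule` would state what the scenario exercises.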
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh
new file mode 100644
index 00000000000..01e5c0701ed
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# variables = var_accounts_passwords_pam_faillock_unlock_time=300
+
+source ubuntu_common.sh
+
+echo "unlock_time=100" > /etc/security/faillock.conf
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 9b273765cc5..0ce3432597d 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1029,13 +1029,13 @@ fi
 {{%- macro bash_pam_faillock_parameter_value(option, value='', authfail=True) -%}}
 {{% if 'ubuntu' in product %}}
 AUTH_FILES=("/etc/pam.d/common-auth")
-APPEND_FAILLOCK_CONF=true
+SKIP_FAILLOCK_CHECK=true
 {{% else %}}
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
-APPEND_FAILLOCK_CONF=false
+SKIP_FAILLOCK_CHECK=false
 {{% endif %}}
 FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ -f $FAILLOCK_CONF ] || [ "$APPEND_FAILLOCK_CONF" = "true" ]; then
+if [ -f $FAILLOCK_CONF ] || [ "$SKIP_FAILLOCK_CHECK" = "true" ]; then
 {{%- if value == '' %}}
 regex="^\s*{{{ option }}}"
 line="{{{ option }}}"
diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template
index a422d5352d2..915905aedd3 100644
--- a/shared/templates/pam_account_password_faillock/oval.template
+++ b/shared/templates/pam_account_password_faillock/oval.template
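Review bot: `$FAILLOCK_CONF` is still unquoted in `[ -f $FAILLOCK_CONF ]` on the changed `if` line; the value is a fixed path so it is harmless today, but quoting it matches the already-quoted flag beside it: `if [ -f "$FAILLOCK_CONF" ] || [ "$SKIP_FAILLOCK_CHECK" = "true" ]; then`. The renamed flag also reads as "skip the faillock check" while what it bypasses is only the file-existence test on that line, and the reason Ubuntu needs that is not recorded; a comment on the Ubuntu branch such as `# faillock.conf may not exist yet on Ubuntu, so do not gate on the -f test below` would make the intent clear — adjust it if the branch body, which continues outside the hunk, does something else. The macro body continues outside the hunk.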
@@ -125,7 +125,7 @@
 {{% if 'debian' in product %}}
 ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc
 {{% elif 'ubuntu' in product %}}
- ^\s*auth\s+requisite\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail
+ ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail
 {{% elif 'openeuler' in product or 'kylinserver' in product %}}
 ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
 {{% else %}}
diff --git a/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
deleted file mode 100644
index b3232cc93ec..00000000000
--- a/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
+++ /dev/null
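Review bot: Accepting `required` as well as `requisite` on the preauth line matches the Debian branch above, but the two control values are not equivalent: with `required` a locked-out user's credentials are still evaluated by the rest of the auth stack before the failure is returned, whereas `requisite` stops the stack at preauth. If both are meant to be compliant, a short comment beside the Ubuntu regex recording that this is deliberate would help later maintainers, e.g. `<!-- preauth may be required or requisite; both deny, required only delays the failure until the stack ends -->`. The regex also does not cover the account-phase `pam_faillock.so` line that the new pam-configs install; if nothing else in the template checks it, a stack that records failures but never resets the tally after a successful login would still pass here.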
@@ -1,12 +0,0 @@ -#!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora -# remediation = none - -SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" - -# This modification will break the integrity checks done by authselect. -if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then - sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE -else - sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE -fi diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh deleted file mode 100644 index 24f5731f63d..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# packages = authselect,pam -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 - -pam_files=("password-auth" "system-auth") - -authselect create-profile testingProfile --base-on minimal - -CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile" - -authselect select --force custom/testingProfile - -truncate -s 0 /etc/security/faillock.conf - -echo "deny = 3" > /etc/security/faillock.conf - -{{{ bash_pam_faillock_enable() }}} - -for file in ${pam_files[@]}; do - if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then - sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \ - "$CUSTOM_PROFILE_DIR/$file" - else - sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \ - "$CUSTOM_PROFILE_DIR/$file" - fi -done - - -authselect apply-changes 
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh deleted file mode 100644 index aa3ca061de7..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authselect select sssd --force -authselect enable-feature with-faillock -# This test scenario simulates conflicting settings in pam and faillock.conf files. -# It means that authselect is not properly configured and may have a unexpected behaviour. The -# authselect integrity check will fail and the remediation will be aborted in order to preserve -# intentional changes. In this case, an informative message will be shown in the remediation report. -sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth -> /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh deleted file mode 100644 index 67c1b593bdb..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -# packages = authselect -# variables = var_accounts_passwords_pam_faillock_deny=3 - -if [ -f /usr/sbin/authconfig ]; then - authconfig --disablefaillock --update -else - authselect select sssd --force - authselect disable-feature with-faillock -fi diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh deleted file mode 100644 index e770e300f52..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authselect select sssd --force -authselect enable-feature with-faillock -> /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh deleted file mode 100644 index bbf97fa2ac0..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=3" --update 
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh deleted file mode 100644 index fd57152b8c4..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authselect select sssd --force -authselect enable-feature with-faillock -> /etc/security/faillock.conf -echo "deny = 5" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh deleted file mode 100644 index cb1ca930499..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=5" --update diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh deleted file mode 100644 index efb57601cb9..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authselect select sssd --force -authselect enable-feature with-faillock -# Ensure the parameters only in /etc/security/faillock.conf -sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth -> /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. -echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh deleted file mode 100644 index 51d94b3333b..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=3" --update - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. -echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth 
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh deleted file mode 100644 index e3ec96da080..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -# packages = authselect -# remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 - -# This test scenario manually modify the pam_faillock.so entries in auth section from -# "required" to "sufficient". This makes pam_faillock.so behave differently than initially -# intentioned. We catch this, but we can't safely remediate in an automated way. -if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --faillockargs="deny=3" --update -else - authselect select sssd --force - authselect enable-feature with-faillock - sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth -fi -sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth -if [ -f /etc/security/faillock.conf ]; then - > /etc/security/faillock.conf -fi diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh deleted file mode 100644 index 595b85192da..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authselect select sssd --force -authselect enable-feature with-faillock -> /etc/security/faillock.conf -echo "deny = 2" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh deleted file mode 100644 index 54729a3144b..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=2" --update diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh deleted file mode 100644 index d49c834a648..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -source ubuntu_common.sh - -rm -f /usr/share/cac_faillock* -pam-auth-update - -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account - - -echo "#deny=1" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh deleted file mode 100644 index e64fb3528e8..00000000000 
--- a/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/bash - -# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS -# Extra comments and whitespaces were added to test for edge cases - -cat >/etc/pam.d/common-auth </etc/pam.d/common-account < /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh deleted file mode 100644 index 7560dca2ef2..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -source ubuntu_common.sh - -rm -f /usr/share/cac_faillock* -pam-auth-update - -sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth - diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh deleted file mode 100644 index 7dfc2dc7bd1..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -# This test should fail because neither pam.d or faillock.conf have deny defined - -source ubuntu_common.sh - -rm -f /usr/share/cac_faillock* -pam-auth-update - -echo > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh deleted file mode 100644 index bed9d088ad3..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -source ubuntu_common.sh - -rm -f /usr/share/cac_faillock* -pam-auth-update - -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth -sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account - -pam-auth-update --remove faillock faillock_notify --force - -echo "deny=1" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh deleted file mode 100644 index 23be5083c6f..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# remediation = none - -# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere -# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically -# in order to preserve intentional changes. - -source ubuntu_common.sh - -echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh deleted file mode 100644 index d236f32cb8b..00000000000 --- a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu - -source ubuntu_common.sh - -echo "deny=999" > /etc/security/faillock.conf