From 543b228767f21a1c50b0b51889cf1678ace5041d Mon Sep 17 00:00:00 2001 
From: AlmaDev Date: Tue, 22 Aug 2023 10:12:42 +0200 Subject: [PATCH] Change rule to use variable when auditing faillock Some benchmarks specify different paths when monitoring the faillock file, depending on if a permanent faillock path has been configured. This updates the audit_rules_login_event_faillock to use the variable var_accounts_passwords_pam_faillock_dir instead of the profile faillock_path --- controls/cis_rhel8.yml | 1 + controls/cis_rhel9.yml | 1 + ...ar_accounts_passwords_pam_faillock_dir.var | 1 + .../ansible/shared.yml | 9 ++++ .../bash/shared.sh | 6 +++ .../oval/shared.xml | 47 +++++++++++++++++++ .../rule.yml | 17 +++---- .../tests/auditctl_correct.pass.sh | 6 +++ .../auditctl_correct_extra_permission.pass.sh | 6 +++ .../auditctl_correct_without_key.pass.sh | 6 +++ .../tests/auditctl_remove_all_rules.fail.sh | 5 ++ .../tests/auditctl_wrong_rule.fail.sh | 6 +++ .../auditctl_wrong_rule_without_key.fail.sh | 5 ++ .../tests/augenrules_correct.pass.sh | 6 +++ ...ugenrules_correct_extra_permission.pass.sh | 6 +++ .../augenrules_correct_without_key.pass.sh | 6 +++ .../tests/augenrules_remove_all_rules.fail.sh | 5 ++ .../tests/augenrules_wrong_rule.fail.sh | 6 +++ .../augenrules_wrong_rule_without_key.fail.sh | 6 +++ .../audit_login_events/group.yml | 4 +- 20 files changed, 142 insertions(+), 13 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 09d049c9dee8..12b71cadd2d2 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1622,6 +1622,7 @@ controls: rules: - audit_rules_login_events_faillock - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - id: 4.1.3.13 title: Ensure file deletion events by users are collected (Automated) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 81cb3e31e8ef..954bd8b7f534 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1375,6 +1375,7 @@ controls: rules: - audit_rules_login_events_faillock - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - id: 4.1.3.13 title: Ensure file deletion events by users are collected (Automated) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var index 6dfa79aa3088..1cd7df8c8906 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_dir.var @@ -13,3 +13,4 @@ interactive: false options: ol8: "/var/log/faillock" default: "/var/log/faillock" + run: "/var/run/faillock" diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/ansible/shared.yml new file mode 100644 index 000000000000..5d120ec11736 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/ansible/shared.yml 
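Review bot: Selecting `var_accounts_passwords_pam_faillock_dir=run` pins the watched directory to `/var/run/faillock` for the whole profile, so on a host where faillock.conf sets `dir=` to the permanent location the audit watch covers a directory pam_faillock presumably never writes to, while the rule (which only inspects the audit rule files) still reports a pass. The commit message says the benchmark path depends on whether a permanent path is configured, but nothing in the control records that assumption; the same applies to the cis_rhel9.yml hunk. If the profile also selects the rule that enforces faillock's `dir=` (the variable lives under `locking_out_password_attempts/`, so this looks likely but is not visible here), the two stay aligned; otherwise a one-line comment above the selection would help, e.g. `# default pam_faillock location; use the default/ol8 option where dir= is set in faillock.conf`.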
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path="{{ var_accounts_passwords_pam_faillock_dir }}", permissions='wa', key='logins') }}}
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/bash/shared.sh
new file mode 100644
index 000000000000..458a453a2ffa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "$var_accounts_passwords_pam_faillock_dir", "wa", "logins") }}}
\ No newline at end of file
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/oval/shared.xml
new file mode 100644
index 000000000000..05f42421accd
--- /dev/null
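Review bot: Both new remediation files end without a trailing newline (`\ No newline at end of file` here and again on the bash/shared.sh hunk), and in each the last line is a macro call, so the rendered remediation ends mid-line. Add a newline after the final `}}}` in both files so they are well-formed text files and the next edit to either does not show up as a change to this line.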
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/oval/shared.xml @@ -0,0 +1,47 @@ + + + {{{ oval_metadata("Audit rules should be configured to log successful and unsuccessful login and logout events.") }}} + + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + + + + + /etc/audit/audit.rules + + 1 + + + + ^\-w[\s]+ + + [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 6a073f18309c..a8519451ea98 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -11,12 +11,12 @@ description: |- default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -
-w {{{ faillock_path }}} -p wa -k logins
+
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -
-w {{{ faillock_path }}} -p wa -k logins
+
-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
rationale: |- Manual editing of these files may indicate nefarious activity, such @@ -66,16 +66,11 @@ ocil_clause: 'the command does not return a line, or the line is commented out' ocil: |- Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: - $ sudo auditctl -l | grep {{{ faillock_path }}} + $ sudo auditctl -l | grep {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} - -w {{{ faillock_path }}} -p wa -k logins - -template: - name: audit_rules_login_events - vars: - path: {{{ faillock_path }}} + -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins fixtext: |- - {{{ fixtext_audit_file_watch_rule(faillock_path, "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}} + {{{ fixtext_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir"), "logins", "/etc/audit/rules.d/audit.rules") | indent(4) }}} -srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(faillock_path) }}}' +srg_requirement: '{{{ srg_requirement_audit_file_watch_rule(xccdf_value("var_accounts_passwords_pam_faillock_dir")) }}}' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh new file mode 100644 index 000000000000..6ecbc21283cc --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh 
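Review bot: The OCIL text directly above the changed grep still describes a different rule — `Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd"` — while the command and expected output below it now refer to the faillock directory, so an auditor following this block is told to look for the wrong file. Since the commit is already rewriting this ocil block, replace that sentence with wording that matches the rule's own description of watching for manual edits of the logon-event files, e.g. `Verify {{{ full_name }}} generates audit records for attempted manual edits of the faillock directory {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} with the following command:`. The ocil_clause context line still fits as is.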
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh
new file mode 100644
index 000000000000..f64346846a3a
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh
new file mode 100644
index 000000000000..2bedddd4d6b0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh
new file mode 100644
index 000000000000..9e56056a5291
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh
new file mode 100644
index 000000000000..e969c7a1570c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh
new file mode 100644
index 000000000000..b699bcd91876
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w {{{ PATH }}} -p w" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh
new file mode 100644
index 000000000000..32bc6ac818bf
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa -k login" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh
new file mode 100644
index 000000000000..9ec658930c68
--- /dev/null
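Review bot: `echo "-w {{{ PATH }}} -p w" >> /etc/audit/audit.rules` in auditctl_wrong_rule_without_key.fail.sh references `PATH`, which this test never instantiates; every sibling scenario uses `bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir")` and `$var_accounts_passwords_pam_faillock_dir`. Depending on how the template engine treats the undefined name, the build either fails or the rule line carries an empty or wrong path, so the scenario fails for a reason other than the missing `a` permission and does not exercise what its name promises. Replace that line with the two lines the siblings use: `{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}` followed by `echo "-w $var_accounts_passwords_pam_faillock_dir -p w" >> /etc/audit/audit.rules`.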
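Review bot: augenrules_correct.pass.sh writes `-k login`, while the rule text, the ansible and bash remediations and all auditctl scenarios use `-k logins`; the same key is written by augenrules_correct_extra_permission.pass.sh and augenrules_wrong_rule.fail.sh. The visible OVAL pattern ends in `.*$` after the permission group, so the key appears not to be checked today and the scenario passes, but a "correct" scenario should model the rule as documented so it keeps passing if the key is ever enforced, and the `_without_key` scenarios already cover the no-key case. Change the line to `echo "-w $var_accounts_passwords_pam_faillock_dir -p wa -k logins" >> /etc/audit/rules.d/login.rules` and adjust the other two files in the same way.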
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wra -k login" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh
new file mode 100644
index 000000000000..b7d85530ce39
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p wa" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh
new file mode 100644
index 000000000000..6e368f8d321a
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh
new file mode 100644
index 000000000000..720c08deca03
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w -k login" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh
new file mode 100644
index 000000000000..0fcb0c7e5ff9
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = audit
+
+
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_dir") }}}
+echo "-w $var_accounts_passwords_pam_faillock_dir -p w" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml
index d54032a4d218..184bbc332919 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/group.yml
@@ -10,12 +10,12 @@ description: |- directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w {{{ faillock_path }}} -p wa -k logins
+    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
     -w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w {{{ faillock_path }}} -p wa -k logins
+    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
     -w /var/log/lastlog -p wa -k logins