From 99534e1ce78edfe001449ccd97fca89d6607105a Mon Sep 17 00:00:00 2001
From: rchikov <rumen.chikov@suse.com>
Date: Mon, 15 May 2023 14:12:36 +0200
Subject: [PATCH 1/3] Fixes in SLE 12/15 rule
 accounts_passwords_pam_tally2_deny_root

---
 controls/anssi.yml                                 |  2 ++
 controls/cis_sle12.yml                             |  1 +
 controls/cis_sle15.yml                             |  1 +
 .../ansible/shared.yml                             |  7 ++++++-
 .../bash/shared.sh                                 |  7 ++++++-
 .../oval/shared.xml                                |  8 ++++++--
 .../rule.yml                                       |  8 +++++---
 .../tests/pam_tally2_absent_account_config.fail.sh | 14 ++++++++++++++
 .../tests/pam_tally2_deny_missing.fail.sh          | 14 ++++++++++++++
 .../tests/pam_tally2_even_deny_root_absent.fail.sh | 13 +++++++++++++
 .../pam_tally2_even_deny_root_present.pass.sh      | 13 +++++++++++++
 11 files changed, 81 insertions(+), 7 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml
index ddcbc880fa0..83b48120013 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -755,6 +755,8 @@ controls:
     - var_accounts_passwords_pam_faillock_deny=3
     - accounts_passwords_pam_faillock_deny
     - accounts_passwords_pam_faillock_deny_root
+    # same as above but for pam_tally2 module
+    - accounts_passwords_pam_tally2_deny_root
     # Automatically unlock users after 15 min to prevent DoS
     - var_accounts_passwords_pam_faillock_unlock_time=900
     - accounts_passwords_pam_faillock_unlock_time
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index 468b25f8b98..d7e07507990 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -1770,6 +1770,7 @@ controls:
     rules:
       - accounts_passwords_pam_tally2
       - var_password_pam_tally2=5
+      - accounts_passwords_pam_tally2_deny_root
 
   - id: 5.3.3
     title: Ensure password reuse is limited (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 1625a0cbf6a..7dc066a6451 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -1954,6 +1954,7 @@ controls:
     rules:
       - accounts_passwords_pam_tally2
       - var_password_pam_tally2=5
+      - accounts_passwords_pam_tally2_deny_root
 
   - id: 5.3.3
     title: Ensure password reuse is limited (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
index ee0243ec978..0ab5d238974 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
@@ -4,6 +4,11 @@
 # complexity = low
 # disruption = low
 
+{{% if product in ["sle12","sle15"] %}}
+{{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
+{{% else %}}
+{{{ ansible_remove_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{% endif %}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
index 30f18f34d10..58c9f5379a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
@@ -4,6 +4,11 @@
 # complexity = low
 # disruption = low
 
+{{% if product in ["sle12","sle15"] %}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
+{{% else %}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{% endif %}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
index ed355f9bc96..6261beca979 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
@@ -17,9 +17,13 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_accounts_passwords_pam_tally2_even_deny_root" comment="Check even deny root configuration of pam_tally2" version="1">
+    {{% if product in ["sle12","sle15"] %}}
+    <ind:filepath>/etc/pam.d/login</ind:filepath>
+    {{% else %}}
     <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*deny=[[4-9]|[1-9][0-9]]+([\s+\S+]*)even_deny_root([\s+\S+])*\s*(\\)*$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    {{% endif %}}
+    <ind:pattern operation="pattern match">^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so(?:(?!\n)\s)+(?:(?:(?:(?!\n)\s)?[^\n]+)?onerr=fail(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+deny=(\d+)(?:(?:\s+\S+)*\s*$))|(?:(?:(?:(?!\n)\s)?[^\n]+)?deny=(\d+)(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+even_deny_root(?:(?:\s+\S+)*\s*$))</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>    
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test id="test_accounts_passwords_pam_tally2_even_deny_root_account"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
index 390e9bbad0d..0e64424a9e9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
@@ -21,6 +21,8 @@ identifiers:
 
 references:
     anssi: BP28(R18)
+    cis@sle12: 5.3.2
+    cis@sle15: 5.3.2    
     cis-csc: 1,12,15,16
     cobit5: DSS05.04,DSS05.10,DSS06.10
     disa: CCI-002238,CCI-000044
@@ -38,17 +40,17 @@ ocil_clause: 'limiting the number of failed logon attempts for the root user is
 ocil: |-
     To ensure that even the <tt>root</tt> account is locked after a defined number of failed password
     attempts, run the following command:
-    <pre>$ grep even_deny_root /etc/pam.d/common-auth</pre>
+    <pre>$ grep even_deny_root /etc/pam.d/login</pre>
     The output should show <tt>even_deny_root</tt>.
 
 fixtext: |-
     To configure the system to lock out the <tt>root</tt> account after a number of incorrect login
-    attempts using <tt>pam_tally2.so</tt>, modify the content of both <tt>/etc/pam.d/common-auth</tt> and
+    attempts using <tt>pam_tally2.so</tt>, modify the content of both <tt>/etc/pam.d/login</tt> and
     <tt>/etc/pam.d/common-account</tt> as follows:
     <br /><br />
     <ul>
     <li> add or modify the <tt>pam_tally2.so</tt> module line in
-    <tt>/etc/pam.d/common-auth</tt> to ensure  <tt>even_deny_root</tt> is present. For example:
+    <tt>/etc/pam.d/login</tt> to ensure  <tt>even_deny_root</tt> is present. For example:
     <pre>auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200</pre>
     <li> add or modify the following line in <tt>/etc/pam.d/common-account</tt>:
     <pre>account required pam_tally2.so</pre></li>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
index b5c092c4847..907beb0b959 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
@@ -7,6 +7,18 @@ account	requisite			pam_deny.so
 account	required			pam_permit.so
 CAPTA
 
+{{% if product in ["sle12","sle15"] %}}
+
+cat >/etc/pam.d/login <<CAPTEDRC
+auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTEDRC
+
+{{% else %}}
+
 cat >/etc/pam.d/common-auth <<CAPTEDRC
 auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -14,3 +26,5 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRC
+
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
index 3d9ab9b8301..6d448195c35 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
@@ -8,6 +8,18 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTAC
 
+{{% if product in ["sle12","sle15"] %}}
+
+cat >/etc/pam.d/login <<CAPTDM
+auth required pam_tally2.so onerr=fail audit silent even_deny_root unlock_time=900
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTDM
+
+{{% else %}}
+
 cat >/etc/pam.d/common-auth <<CAPTDM
 auth required pam_tally2.so onerr=fail audit silent even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -15,3 +27,5 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTDM
+
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
index f4ad3e3eda1..a95dfbff3f8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
@@ -8,6 +8,18 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTC
 
+{{% if product in ["sle12","sle15"] %}}
+
+cat >/etc/pam.d/login <<CAPTEDRM
+auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTEDRM
+
+{{% else %}}
+
 cat >/etc/pam.d/common-auth <<CAPTEDRM
 auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -16,3 +28,4 @@ auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRM
 
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
index f5ec1dbb88e..7b3c814be9d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
@@ -8,6 +8,18 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTC
 
+{{% if product in ["sle12","sle15"] %}}
+
+cat >/etc/pam.d/login <<CAPTEDRC
+auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTEDRC
+
+{{% else %}}
+
 cat >/etc/pam.d/common-auth <<CAPTEDRC
 auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -16,3 +28,4 @@ auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRC
 
+{{% endif %}}

From f6d5386879039af440d23dadcecf542141e8d756 Mon Sep 17 00:00:00 2001
From: Rumen <77793453+rumch-se@users.noreply.github.com>
Date: Tue, 16 May 2023 15:10:41 +0200
Subject: [PATCH 2/3] Update
 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml

Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
 .../accounts_passwords_pam_tally2_deny_root/rule.yml          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
index 0e64424a9e9..20825fbe143 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
@@ -21,9 +21,9 @@ identifiers:
 
 references:
     anssi: BP28(R18)
-    cis@sle12: 5.3.2
-    cis@sle15: 5.3.2    
     cis-csc: 1,12,15,16
+    cis@sle12: 5.3.2
+    cis@sle15: 5.3.2
     cobit5: DSS05.04,DSS05.10,DSS06.10
     disa: CCI-002238,CCI-000044
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9

From a5f1f43d0de561aa6986d6524567253c1e49c44b Mon Sep 17 00:00:00 2001
From: rchikov <rumen.chikov@suse.com>
Date: Wed, 17 May 2023 13:39:45 +0200
Subject: [PATCH 3/3] Reloval of ubuntu os support from the rule

---
 .../ansible/shared.yml                           |  7 +------
 .../bash/shared.sh                               |  7 +------
 .../oval/shared.xml                              |  4 ----
 .../pam_tally2_absent_account_config.fail.sh     | 16 +---------------
 .../tests/pam_tally2_deny_missing.fail.sh        | 16 +---------------
 .../pam_tally2_even_deny_root_absent.fail.sh     | 16 +---------------
 .../pam_tally2_even_deny_root_present.pass.sh    | 16 +---------------
 7 files changed, 6 insertions(+), 76 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
index 0ab5d238974..e6f4d08b43f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
@@ -1,14 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{% if product in ["sle12","sle15"] %}}
 {{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{% else %}}
-{{{ ansible_remove_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
-{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{% endif %}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
index 58c9f5379a0..9bde69cb3a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
@@ -1,14 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{% if product in ["sle12","sle15"] %}}
 {{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{% else %}}
-{{{ bash_remove_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
-{{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{% endif %}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
index 6261beca979..86ec2be785b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml
@@ -17,11 +17,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_accounts_passwords_pam_tally2_even_deny_root" comment="Check even deny root configuration of pam_tally2" version="1">
-    {{% if product in ["sle12","sle15"] %}}
     <ind:filepath>/etc/pam.d/login</ind:filepath>
-    {{% else %}}
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    {{% endif %}}
     <ind:pattern operation="pattern match">^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so(?:(?!\n)\s)+(?:(?:(?:(?!\n)\s)?[^\n]+)?onerr=fail(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+deny=(\d+)(?:(?:\s+\S+)*\s*$))|(?:(?:(?:(?!\n)\s)?[^\n]+)?deny=(\d+)(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+even_deny_root(?:(?:\s+\S+)*\s*$))</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>    
   </ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
index 907beb0b959..04c79f94d8d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTA
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -7,8 +7,6 @@ account	requisite			pam_deny.so
 account	required			pam_permit.so
 CAPTA
 
-{{% if product in ["sle12","sle15"] %}}
-
 cat >/etc/pam.d/login <<CAPTEDRC
 auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -16,15 +14,3 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRC
-
-{{% else %}}
-
-cat >/etc/pam.d/common-auth <<CAPTEDRC
-auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
-auth	[success=1 default=ignore]	pam_unix.so nullok_secure
-auth	requisite			pam_deny.so
-auth	required			pam_permit.so
-auth	optional			pam_cap.so
-CAPTEDRC
-
-{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
index 6d448195c35..e0e5715ab49 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTAC
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -8,8 +8,6 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTAC
 
-{{% if product in ["sle12","sle15"] %}}
-
 cat >/etc/pam.d/login <<CAPTDM
 auth required pam_tally2.so onerr=fail audit silent even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -17,15 +15,3 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTDM
-
-{{% else %}}
-
-cat >/etc/pam.d/common-auth <<CAPTDM
-auth required pam_tally2.so onerr=fail audit silent even_deny_root unlock_time=900
-auth	[success=1 default=ignore]	pam_unix.so nullok_secure
-auth	requisite			pam_deny.so
-auth	required			pam_permit.so
-auth	optional			pam_cap.so
-CAPTDM
-
-{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
index a95dfbff3f8..f2b24b6a9ca 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTC
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -8,8 +8,6 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTC
 
-{{% if product in ["sle12","sle15"] %}}
-
 cat >/etc/pam.d/login <<CAPTEDRM
 auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -17,15 +15,3 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRM
-
-{{% else %}}
-
-cat >/etc/pam.d/common-auth <<CAPTEDRM
-auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
-auth	[success=1 default=ignore]	pam_unix.so nullok_secure
-auth	requisite			pam_deny.so
-auth	required			pam_permit.so
-auth	optional			pam_cap.so
-CAPTEDRM
-
-{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
index 7b3c814be9d..0343e72f54e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_present.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTC
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -8,8 +8,6 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTC
 
-{{% if product in ["sle12","sle15"] %}}
-
 cat >/etc/pam.d/login <<CAPTEDRC
 auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
@@ -17,15 +15,3 @@ auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRC
-
-{{% else %}}
-
-cat >/etc/pam.d/common-auth <<CAPTEDRC
-auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
-auth	[success=1 default=ignore]	pam_unix.so nullok_secure
-auth	requisite			pam_deny.so
-auth	required			pam_permit.so
-auth	optional			pam_cap.so
-CAPTEDRC
-
-{{% endif %}}