ComplianceAsCode · dexterle · Jun 20, 2023 · Jun 20, 2023 · Jun 20, 2023 · Jun 20, 2023
diff --git a/components/aide.yml b/components/aide.yml
@@ -6,6 +6,7 @@ packages:
 rules:
 - aide_build_database
 - aide_check_audit_tools
+- aide_disable_silentreports
 - aide_periodic_cron_checking
 - aide_periodic_checking_systemd_timer
 - aide_scan_notification

diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
@@ -6,20 +6,20 @@
 
 {{{ ansible_instantiate_variables('var_time_service_set_maxpoll') }}}
 
-- name: Check that /etc/ntp.conf exist
-  stat:
+- name: "{{{ rule_title }}} - Check That /etc/ntp.conf Exist"
+  ansible.builtin.stat:
     path: /etc/ntp.conf
   register: ntp_conf_exist_result
 
-- name: Update the maxpoll values in /etc/ntp.conf
-  replace:
+- name: "{{{ rule_title }}} - Update the Maxpoll Values in /etc/ntp.conf"
+  ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '^(server.*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
   when: ntp_conf_exist_result.stat.exists
 
-- name: Set the maxpoll values in /etc/ntp.conf
-  replace:
+- name: "{{{ rule_title }}} - Set the Maxpoll Values in /etc/ntp.conf"
+  ansible.builtin.replace:
     path: /etc/ntp.conf
     regexp: '(^server\s+((?!maxpoll).)*)$'
     replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
@@ -29,33 +29,34 @@
 # since chrony_conf_path is the full path to chrony.conf
 # and includes chrony.conf, that must be handled as well
 
-- name: Check that {{{ chrony_conf_path }}} exist
-  stat:
+- name: "{{{ rule_title }}} - Check That {{{ chrony_conf_path }}} Exist"
+  ansible.builtin.stat:
     path: {{{ chrony_conf_path }}}
   register: chrony_conf_exist_result
 
-- name: Get get conf files from {{{ chrony_conf_path }}}
-  shell: |
-    set -o pipefail
-    CHRONY_NAME={{{ chrony_conf_path }}}
-    CHRONY_PATH=${CHRONY_NAME%%.*}
-    find ${CHRONY_PATH}.* -type f -name '*.conf'
-  register: update_chrony_files
-  when: chrony_conf_exist_result.stat.exists
-  changed_when: False
-
-- name: Update the maxpoll values in {{{ chrony_conf_path }}}
-  replace:
-    path: "{{ item }}"
+- name: "{{{ rule_title }}} - Set Chrony Path Facts"
+  ansible.builtin.set_fact:
+    chrony_path: {{{ chrony_conf_path }}}
+
+- name: "{{{ rule_title }}} - Get Conf Files from {{ chrony_path | dirname }}"
+  ansible.builtin.find:
+    path: "{{ chrony_path | dirname }}"
+    patterns: '*.conf'
+    file_type: file
+  register: chrony_conf_files
+
+- name: "{{{ rule_title }}} - Update the Maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{ item.path }}"
     regexp: '^((?:server|pool|peer).*maxpoll)[ ]+[0-9]+(.*)$'
     replace: '\1 {{ var_time_service_set_maxpoll }}\2'
-  loop: "{{ update_chrony_files.stdout_lines|list|flatten|unique }}"
-  when: chrony_conf_exist_result.stat.exists
+  loop: '{{ chrony_conf_files.files }}'
+  when: chrony_conf_files.matched
 
-- name: Set the maxpoll values in {{{ chrony_conf_path }}}
-  replace:
-    path: "{{ item }}"
+- name: "{{{ rule_title }}} - Set the Maxpoll Values in {{{ chrony_conf_path }}}"
+  ansible.builtin.replace:
+    path: "{{ item.path }}"
     regexp: '(^(?:server|pool|peer)\s+((?!maxpoll).)*)$'
     replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
-  loop: "{{ update_chrony_files.stdout_lines|list|flatten|unique }}"
-  when: chrony_conf_exist_result.stat.exists
+  loop: '{{ chrony_conf_files.files }}'
+  when: chrony_conf_files.matched
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...s/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/...s/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh b/...os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
@@ -5,7 +5,7 @@ CONF_PREFIX="CRYPTO_POLICY='-oKexAlgorithms="
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
 CONF_SUFIX="'"
 CONF_PREFIX_REGEX="^\s*CRYPTO_POLICY"
-{{% elif product in ['ol7','rhel7','sle12','sle15'] %}}
+{{% elif product in ['ol7','rhel7','sle12','sle15','ubuntu2004'] %}}
 FILE_PATH='/etc/ssh/sshd_config'
 CONF_PREFIX="KexAlgorithms "
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"

diff --git a/...ices/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh b/...ices/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/...ervices/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/...ervices/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/...de/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh b/...de/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/...e/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh b/...e/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
diff --git a/...de/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh b/...de/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/...uide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh b/...uide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

diff --git a/...x_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/...x_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,Ubuntu 20.04
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/...ounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/ubuntu2004.yml b/...ounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/ansible/ubuntu2004.yml
@@ -0,0 +1,30 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+
+- name: "{{{ rule_title }}} - Uncomment banner-message-enable for Login Warning Banner"
+  ansible.builtin.lineinfile:
+      path: /etc/gdm3/greeter.dconf-defaults
+      regexp: ^(#.*)(banner-message-enable=)
+      line: \2
+      backrefs: true
+
+- name: "{{{ rule_title }}} - Set banner-message-enable to True for Login Warning Banner"
+  ansible.builtin.ini_file:
+      dest: /etc/gdm3/greeter.dconf-defaults
+      section: "org/gnome/login-screen"
+      option: banner-message-enable
+      value: "true"
+      create: yes
+      no_extra_spaces: yes
+
+- name: "{{{ rule_title }}} - Dconf Update"
+  ansible.builtin.command: dconf update
+
+- name: "{{{ rule_title }}} - Restart gdm3.service"
+  ansible.builtin.systemd:
+      name: gdm3
+      enabled: true
+      state: restarted
diff --git a/...tem/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml b/...tem/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml
@@ -1,12 +1,20 @@
 <def-group>
+  {{% if product not in ['ubuntu2004'] %}}
+    {{%- set gui_banner_path = "/etc/dconf/db/{{{ dconf_gdm_dir }}}" %}}
+  {{%- else %}}
+    {{%- set gui_banner_path = "/etc/gdm3/greeter.dconf-defaults" %}}
+  {{% endif %}}
+
   <definition class="compliance" id="dconf_gnome_banner_enabled" version="1">
     {{{ oval_metadata("Enable the GNOME3 Login warning banner.") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
       <criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="Enable GUI banner" test_ref="test_banner_gui_enabled" />
+        {{% if product not in ['ubuntu2004'] %}}
         <criterion comment="Prevent user from disabling banner" test_ref="test_prevent_user_banner_gui_enabled_change" />
+        {{% endif %}}
       </criteria>
     </criteria>
   </definition>
@@ -18,7 +26,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_banner_gui_enabled"
   version="1">
-    <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path>
+    <ind:path>{{{ gui_banner_path }}}</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
     <ind:pattern operation="pattern match">^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
@@ -31,7 +39,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_prevent_user_banner_gui_enabled_change"
   version="1">
-    <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path>
+    <ind:path>{{{ gui_banner_path }}}/locks/</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
     <ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-enable$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>

diff --git a/...ide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/...ide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
@@ -10,13 +10,19 @@ description: |-
     screen by setting <tt>banner-message-enable</tt> to <tt>true</tt>.
     <br /><br />
     To enable, add or edit <tt>banner-message-enable</tt> to
+    {{% if product not in ['ubuntu2004'] %}}
     <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example:
     <pre>[org/gnome/login-screen]
     banner-message-enable=true</pre>
     Once the setting has been added, add a lock to
     <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification.
     For example:
     <pre>/org/gnome/login-screen/banner-message-enable</pre>
+    {{% else %}}
+    <tt>/etc/gdm3/greeter.dconf-defaults</tt>. For example:
+    <pre>[org/gnome/login-screen]
+    banner-message-enable=true</pre>
+    {{% endif %}}
     After the settings have been set, run <tt>dconf update</tt>.
     The banner text must also be set.
 
@@ -70,11 +76,16 @@ ocil_clause: 'it is not'
 
 ocil: |-
     To ensure a login warning banner is enabled, run the following:
+    {{% if product not in ['ubuntu2004'] %}}
     <pre>$ grep banner-message-enable /etc/dconf/db/{{{ dconf_gdm_dir }}}/*</pre>
     If properly configured, the output should be <tt>true</tt>.
     To ensure a login warning banner is locked and cannot be changed by a user, run the following:
     <pre>$ grep banner-message-enable /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre>
     If properly configured, the output should be <tt>/org/gnome/login-screen/banner-message-enable</tt>.
+    {{% else %}}
+    <pre>$ grep banner-message-enable /etc/dconf/db/{{{ dconf_gdm_dir }}}/*</pre>
+    If properly configured, the output should be <tt>true</tt>.
+    {{% endif %}}
 
 fixtext: |-
     Configure {{{ full_name }}} to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
@@ -83,9 +94,13 @@ fixtext: |-
 
     Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
 
+    {{% if product not in ['ubuntu2004'] %}}
     $ sudo touch /etc/dconf/db/local.d/01-banner-message
 
     Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
+    {{% else %}}
+    Add the following lines to the [org/gnome/login-screen] section of the "/etc/gdm3/greeter.dconf-defaults":
+    {{% endif %}}
 
     [org/gnome/login-screen]
 

diff --git a/...counts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/ubuntu.yml b/...counts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/ubuntu.yml
@@ -0,0 +1,25 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+{{{ ansible_instantiate_variables("login_banner_text") }}}
+
+- name: "{{{ rule_title }}}"
+  lineinfile:
+    path: /etc/gdm3/greeter.dconf-defaults
+    regexp: ^(#.*)(banner-message-text=)
+    line: \2
+    backrefs: true
+
+- name: "{{{ rule_title }}}"
+  ini_file:
+    dest: /etc/gdm3/greeter.dconf-defaults
+    section: org/gnome/login-screen
+    option: banner-message-text
+    value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}'
+    create: yes
+    no_extra_spaces: yes
+
+- name: Dconf Update
+  command: dconf update
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,Red Hat Virtualization 4
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,Red Hat Virtualization 4,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -1,21 +1,31 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
 
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if product in [ "sle12", "sle15" ] or product in [ "ubuntu1804", "ubuntu2004" ] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
 {{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
 
+{{% if product not in ['ubuntu2004'] %}}
+
 {{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
                                  'requisite',
                                  '^password.*requisite.*pam_pwquality\.so') }}}
 
 {{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
                                           'remember',
                                           '{{ var_password_pam_unix_remember }}') }}}
+
+{{% else %}}
+{{{ ansible_ensure_pam_module_line(accounts_password_pam_unix_remember_file,
+                                          "password",
+                                          "[success=1 default=ignore]",
+                                          "pam_unix.so obscure sha512 shadow remember=5 rounds=5000")}}}
+
+{{% endif %}}
diff --git a/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -1,8 +1,14 @@
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if product in [ "sle12", "sle15" ] or product in [ "ubuntu1804", "ubuntu2004"] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
+{{% if product in ["ubuntu2004"] %}}
+{{%- set pam_unix_legacy_regex = '^\s*password\s+\[success=1 default=ignore\]\s+pam_unix\.so.*remember=([0-9]*).*$' %}}
+{{% else %}}
+{{%- set pam_unix_legacy_regex = '^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$' %}}
+{{% endif %}}
+
 
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="2">
@@ -145,14 +151,14 @@
   <!-- Check the pam_unix.so remember case -->
   <ind:textfilecontent54_test id="test_accounts_password_pam_unix_remember_legacy" version="1"
     check="all" check_existence="all_exist"
-    comment="Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth">
+    comment="Test if remember attribute of pam_unix.so is set correctly in {{{ accounts_password_pam_unix_remember_file }}}">
     <ind:object object_ref="object_accounts_password_pam_unix_remember_legacy" />
     <ind:state state_ref="state_accounts_password_pam_unix_remember" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_accounts_password_pam_unix_remember_legacy" version="1">
-    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</ind:pattern>
+    <ind:filepath>{{{ accounts_password_pam_unix_remember_file }}}</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ pam_unix_legacy_regex }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>