diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml

index 5784e5ad8f..a80c7dab8c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+        
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml

index 81841900f0..6181ad50f1 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml

index 3515398d50..9a69643a34 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify

+        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml

index deb20d24c5..630b03b1b4 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+        
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml

index d65c9171e4..f1b9fbcd17 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml

index da910036b2..5460009264 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml

@@ -10,11 +10,11 @@ description: |-

     to use the <tt>augenrules</tt> program to read audit rules during daemon

     startup (the default), add the following lines to a file with suffix

     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:

-    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

     utility to read audit rules during daemon startup, add the following lines to

     <tt>/etc/audit/audit.rules</tt> file:

-    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

 rationale: |-

     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.

@@ -36,4 +36,4 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping system calls related

         to the same event is more efficient. See the following example:

-        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify

+        
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify

diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py

index 9ab984491e..4164f7b44f 100644

--- a/shared/templates/create_audit_rules_path_syscall.py

+++ b/shared/templates/create_audit_rules_path_syscall.py

@@ -26,6 +26,29 @@ def generate(self, target, args):

                 },

                 "./oval/audit_rules_{0}_{1}.xml", pathid, syscall

             )

+

+        elif target == "bash":

+            self.file_from_template(

+                "./template_BASH_audit_rules_path_syscall",

+                {

+                    "PATH":     path,

+                    "SYSCALL":  syscall,

+                    "POS":      pos

+                },

+                "./bash/audit_rules_{0}_{1}.sh", pathid, syscall

+            )

+

+        elif target == "ansible":

+            self.file_from_template(

+                "./template_ANSIBLE_audit_rules_path_syscall",

+                {

+                    "PATH":     path,

+                    "SYSCALL":  syscall,

+                    "POS":      pos

+                },

+                "./ansible/audit_rules_{0}_{1}.yml", pathid, syscall

+            )

+

         else:

             raise UnknownTargetError(target)

diff --git a/shared/templates/template_ANSIBLE_audit_rules_path_syscall b/shared/templates/template_ANSIBLE_audit_rules_path_syscall

new file mode 100644

index 0000000000..4a27e0f521

--- /dev/null

+++ b/shared/templates/template_ANSIBLE_audit_rules_path_syscall

@@ -0,0 +1,76 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+#

+# What architecture are we on?

+#

+- name: Set architecture for audit {{{ SYSCALL }}} tasks

+  set_fact:

+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"

+

+#

+# Inserts/replaces the rule in /etc/audit/rules.d

+#

+- name: Search /etc/audit/rules.d for other DAC audit rules

+  find:

+    paths: "/etc/audit/rules.d"

+    recurse: no

+    contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*"

+    patterns: "*.rules"

+  register: find_{{{ SYSCALL }}}

+

+- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule

+  set_fact:

+    all_files:

+      - /etc/audit/rules.d/modify.rules

+  when: find_{{{ SYSCALL }}}.matched == 0

+

+- name: Use matched file as the recipient for the rule

+  set_fact:

+    all_files:

+      - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}"

+  when: find_{{{ SYSCALL }}}.matched > 0

+

+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86

+  lineinfile:

+    path: "{{ all_files[0] }}"

+    line: "{{ item }}"

+    create: yes

+    regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"

+  with_items:

+    - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+

+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64

+  lineinfile:

+    path: "{{ all_files[0] }}"

+    line: "{{ item }}"

+    create: yes

+    regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"

+  with_items:

+    - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+  when: audit_arch == 'b64'

+#   

+# Inserts/replaces the rule in /etc/audit/audit.rules

+#

+- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86

+  lineinfile:

+    line: "{{ item }}"

+    state: present

+    dest: /etc/audit/audit.rules

+    regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"

+  with_items:

+    - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+

+- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64

+  lineinfile:

+    line: "{{ item }}"

+    state: present

+    dest: /etc/audit/audit.rules

+    create: yes

+    regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"

+  with_items:

+    - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+  when: audit_arch == 'b64'

diff --git a/shared/templates/template_BASH_audit_rules_path_syscall b/shared/templates/template_BASH_audit_rules_path_syscall

new file mode 100644

index 0000000000..c3d31aade9

--- /dev/null

+++ b/shared/templates/template_BASH_audit_rules_path_syscall

@@ -0,0 +1,18 @@

+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

+

+# Include source function library.

+. /usr/share/scap-security-guide/remediation_functions

+

+# First perform the remediation of the syscall rule

+# Retrieve hardware architecture of the underlying system

+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

+

+for ARCH in "${RULE_ARCHS[@]}"

+do

+	PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*"

+	GROUP="modify"

+	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"

+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

+done

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh

index a9a4207877..8db9eab037 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 # Use auditctl in RHEL7

 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh

index 0eabbe097c..532ecedb88 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 # Use auditctl in RHEL7

 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh

index 6e17de9c20..72254d5c5c 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh

index 7b7b6bc76d..d4e169dcc6 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh

index 472b62ee57..409e96ad73 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 # Use auditctl in RHEL7

 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh

index 595a97ab22..9aca34dd42 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 # Use auditctl in RHEL7

 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh

index 6ef86ff816..b8c14e63f8 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 # Use auditctl in RHEL7

 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh

index 8c4aaaac25..a6c4c8814f 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh

index 28ee5ffd9d..7b7f1fd5c9 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh

index 9c9ac0fad4..0747c40b70 100644

--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh

+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh

@@ -1,7 +1,6 @@

 #!/bin/bash

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-# remediation = none

 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules

 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules