{{%- if product in ['sle12', 'sle15', 'slmicro5' ] or "ubuntu" in product %}}
{{% set pam_lastlog_path = "/etc/pam.d/login" %}}
{{% set pam_lastlog = "pam_lastlog.so" %}}
{{% elif product in ['sle16', 'slmicro6'] %}}
{{% set pam_lastlog_path = "/etc/pam.d/postlogin-session" %}}
{{% set pam_lastlog = "pam_lastlog2.so" %}}
{{% else %}}
{{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}
{{% set pam_lastlog = "pam_lastlog.so" %}}
{{% endif %}}
<def-group>
  <definition class="compliance" id="{{{ rule_id }}}" version="1">
    {{{ oval_metadata("Configure the system to notify users of last login/access using pam_lastlog.", rule_title=rule_title) }}}
    <criteria>
      <criterion test_ref="test_display_login_attempts"
        comment="conditions for pam_lastlog are satisfied"/>
    </criteria>
  </definition>

  <ind:textfilecontent54_test id="test_display_login_attempts" version="2"
    check="all" check_existence="at_least_one_exists"
    comment="Check the pam_lastlog is configured to show last login information">
    <ind:object object_ref="obj_display_login_attempts" />
  </ind:textfilecontent54_test>

  <!-- At least one line should include pam_lastlog.so without silent option
       It sometimes intentional to include pam_lastlog.so with silent option and some previous
       conditionals in order to avoid message duplication since some programs, like login,
       implicitly shows the "Last login:" information regardless of pam_lastlog configuration.
       An detailed documentation about these cases is found in
       https://github.com/ComplianceAsCode/content/issues/9031 -->
  <ind:textfilecontent54_object id="obj_display_login_attempts" version="2">
    <ind:filepath>{{{ pam_lastlog_path }}}</ind:filepath>
    <ind:pattern operation="pattern match">^\s*session\s+.*\s+{{{ pam_lastlog }}}\b(?!.*\ssilent\s).*\sshowfailed\s.*$</ind:pattern>
    <ind:instance datatype="int" operation="equals">1</ind:instance>
  </ind:textfilecontent54_object>
</def-group>