diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
index a2bd65fa638..b7fc9754811 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -10,14 +10,14 @@ description: |-
 directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins
rationale: |-
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
index 4f81075d4be..dff797667c5 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
@@ -3,7 +3,5 @@ # remediation = bash
 echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+echo "-w /var/run/faillock -p wa -k logins" >> /etc/audit/rules.d/logins.rules
 echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-
-cat /etc/audit/rules.d/logins.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/empty.fail.sh
similarity index 100%
rename from tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh
rename to tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/empty.fail.sh
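Review bot: The auditctl paragraph of the description still reads `in order to watch for unattempted manual edits of files involved in storing logon events`, which contradicts the rules.d paragraph two lines above and survives on the new side; it should read `in order to watch for attempted manual edits of files involved in storing logon events`. The trailing slash is dropped from the `/var/run/faillock` watch only in the description and in the pass scenario; the rule's OVAL check and its remediation content are not part of this diff, so confirm they expect the same path form, otherwise a host remediated by this rule could be reported as failing its own check. The `description` block opens just outside the hunk and the `rationale` block that follows is cut off at the hunk end.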
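Review bot: The pass scenario now pins the watch path as `/var/run/faillock` with no trailing slash, but nothing in this change shows whether the check tolerates the `/var/run/faillock/` form that this rule itself prescribed until now; if the check matches the path literally, hosts carrying the older wording will start failing, and a second scenario for the slash variant (e.g. a `trailing_slash.pass.sh` or `.fail.sh`, whichever behaviour is intended) would pin that decision. Separately, all three lines are appended with `>>`, so re-running the scenario on a reused machine duplicates them in `/etc/audit/rules.d/logins.rules`; writing the first line with `echo "-w /var/log/tallylog -p wa -k logins" > /etc/audit/rules.d/logins.rules` keeps the file deterministic. The rename of default.fail.sh to empty.fail.sh in the last section needs no change.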