diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
index 7ee070888d35c641778ab07579faa6a3506c831d..64874fad8bee7fc245c619855e68a29e86adaa01 100644
--- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
+++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
@@ -22,17 +22,11 @@ 1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。:
 ```bash
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 ```
 ```bash
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
 ```
 ## 扫描检测
diff --git a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
index 286277a4a3916d18a5b3639daf83ecd3a884c161..cf69ac0088442cb29ec5b46c25b94413314a6386 100644
--- a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
+++ b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
@@ -22,17 +22,11 @@ 1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。:
 ```bash
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 ```
 ```bash
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
 ```
 ## 扫描检测
diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
index 227dee7052849447a6e293bb16527742cde13cc6..23dc0ba2374a1f48dd3130958478b86c0452da5c 100644
--- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
+++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
@@ -1,9 +1,3 @@
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
\ No newline at end of file
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
index d162024789dd854aa8c1580206c690840ffea943..23dc0ba2374a1f48dd3130958478b86c0452da5c 100644
--- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
+++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
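Review bot: The `sed -ri "/^auth.*pam_env.so$/i …"` on the new `password-auth` line is a silent no-op whenever no line matches the anchor (a trailing space after `pam_env.so` defeats the `$`, and a stack whose first auth module is not pam_env.so has no such line at all); sed still exits 0, so the kit finishes as if remediated with no pam_faillock lines added, whereas the `cat >>` it replaces always appended them. The same applies to the `system-auth` line of this hunk and to both lines of the 1.45 kit in the next hunk. Separately, the `grep -Eq` guard only checks that some `preauth`/`authfail` line exists, not that it carries `deny=5 unlock_time=900`, so a host whose existing faillock lines use other values is skipped and the benchmark values are never enforced; that is left as-is below since tightening it is a policy choice. Factoring the two lines into one helper that re-runs the grep after the sed and fails loudly addresses the first point.
```shell
faillock_re='^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+'
faillock_lines='auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900'

# Insert the faillock auth lines before pam_env.so in one PAM file, unless
# already present; fail if the anchor was not found and nothing was inserted.
ensure_faillock() {
  local pamfile=$1
  grep -Eq "$faillock_re" "$pamfile" && return 0
  sed -ri "/^auth.*pam_env\.so\s*$/i $faillock_lines" "$pamfile"
  # sed exits 0 even when the anchor never matched, so confirm the insert
  grep -Eq "$faillock_re" "$pamfile" || {
    printf '%s: no pam_env.so anchor line, pam_faillock lines not inserted\n' "$pamfile" >&2
    return 1
  }
}

ensure_faillock /etc/pam.d/password-auth
ensure_faillock /etc/pam.d/system-auth
```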
@@ -1,11 +1,3 @@
-grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth ||
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
-grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth ||
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
\ No newline at end of file
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
\ No newline at end of file