diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh index 50af0272f8a..8588f56f60d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh @@ -16,13 +16,17 @@ fi {{{ bash_ensure_pam_module_line("$PAM_FILE_PATH", 'auth', 'sufficient', - 'pam_unix.so') }}} + 'pam_unix.so', + '^\s*auth.*required.*pam_lastlog\.so.*') }}} # Ensure pam_unix.so is configured after pam_lastlog.so if ! grep -Pz \ "auth\s*required\s*pam_lastlog\.so[^#]*inactive=35[\s\S]*\n\s*auth\s*sufficient\s*pam_unix\.so"\ "$PAM_FILE_PATH" ; then - PAM_LASTLOG_LINE="$(grep -oP '^\s*auth.*pam_lastlog\.so.*' $PAM_FILE_PATH)" - sed -i "0,/^\s*auth.*pam_unix\.so.*/i$PAM_LASTLOG_LINE" "$PAM_FILE_PATH" + readarray -t pam_lastlog_lines <<< $(grep -oP '^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*' $PAM_FILE_PATH) + sed -i "/^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*/d" "$PAM_FILE_PATH" + for line in "${pam_lastlog_lines[@]}"; do + sed -i "/^\s*auth.*pam_unix\.so.*/i$line" "$PAM_FILE_PATH" + done fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b --backup=after-hardening-pam_lastlog.so-inactive.backup diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh index f4f4f39f8ff..8d1ed9cc7b0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh 
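Review bot: On the `readarray` line, the here-string over an unquoted `$(grep …)` always supplies at least one line, so when grep matches nothing `pam_lastlog_lines` holds a single empty element and the loop calls `sed` with an `i` command that has no text. Bash releases before 4.4 also word-split an unquoted here-string, which would join several matching lines into one. Reading through process substitution with the path quoted avoids both: `readarray -t pam_lastlog_lines < <(grep -oP '^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*' "$PAM_FILE_PATH")`. The account_disable_inactivity_system_auth hunk has the identical line; the start of the script is outside both hunks, so whether an earlier step guarantees a match is not visible here.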
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh @@ -16,13 +16,17 @@ fi {{{ bash_ensure_pam_module_line("$PAM_FILE_PATH", 'auth', 'sufficient', - 'pam_unix.so') }}} + 'pam_unix.so', + '^\s*auth.*required.*pam_lastlog\.so.*') }}} # Ensure pam_unix.so is configured after pam_lastlog.so if ! grep -Pz \ "auth\s*required\s*pam_lastlog\.so[^#]*inactive=35[\s\S]*\n\s*auth\s*sufficient\s*pam_unix\.so"\ "$PAM_FILE_PATH" ; then - PAM_LASTLOG_LINE="$(grep -oP '^\s*auth.*pam_lastlog\.so.*' $PAM_FILE_PATH)" - sed -i "0,/^\s*auth.*pam_unix\.so.*/i$PAM_LASTLOG_LINE" "$PAM_FILE_PATH" + readarray -t pam_lastlog_lines <<< $(grep -oP '^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*' $PAM_FILE_PATH) + sed -i "/^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*/d" "$PAM_FILE_PATH" + for line in "${pam_lastlog_lines[@]}"; do + sed -i "/^\s*auth.*pam_unix\.so.*/i$line" "$PAM_FILE_PATH" + done fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b --backup=after-hardening-pam_lastlog.so-inactive.backup
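Review bot: The `sed -i "/…inactive=35.*/d"` call removes the pam_lastlog line before the loop puts it back, and the loop's address `/^\s*auth.*pam_unix\.so.*/` is looser than the check above it, which requires `auth\s*sufficient\s*pam_unix\.so`. As written a copy is inserted before every `auth … pam_unix.so` line, and if the address matches none the inactivity check is dropped from the PAM stack with no error. I would reuse the check's pattern, `sed -i "/^\s*auth\s*sufficient\s*pam_unix\.so/i$line" "$PAM_FILE_PATH"`, and confirm after the loop that a `pam_lastlog.so … inactive=35` line is still in the file before `authselect apply-changes` runs. This applies to the account_disable_inactivity_password_auth hunk as well.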