diff --git a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md index 10d12eaffe5d96f12b6e28f6e2a25988e16d4479..219ec2e7ab1b12c02ee37a3520ca31d543ca96a3 100644 --- a/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md +++ b/benchmarks/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md @@ -15,8 +15,8 @@ 运行以下命令,配置审计服务,确保收集对系统管理范围(sudoers)的更改: ```bash -# echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules -# echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules +# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules ``` ## 扫描检测 
@@ -26,28 +26,16 @@ 执行以下命令,检查对系统管理范围(sudoers)的审计收集是否正确配置: ```bash -# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity -\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity -\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules --w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity - -# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity -\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity -\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules --w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity +# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope ``` 如输出结果符合预期,则视为通过此项检查。 -## 参考 +## 参考 \ No newline at end of file diff --git a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md index 5940c3fa0331bc8e9a20ccbe47d66bf01f1f0ea9..21dd00e86959066e470ed5e53dc0b9118b11967b 100644 --- a/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md +++ b/benchmarks/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.md 
@@ -15,8 +15,8 @@ 运行以下命令,配置审计服务,确保收集对用户/组信息的修改事件: ```bash -# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules -# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules +# echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules ``` ## 扫描检测 
@@ -26,15 +26,27 @@ 执行以下命令,检查对用户/组信息的修改审计收集是否正确配置: ```bash -# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope -\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules --w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope - -# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope -\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules --w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope +# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity ``` 如输出结果符合预期,则视为通过此项检查。 diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index b331cca074d387f122b83b3313feaaf6d34772e0..d10611802d08eab495cdacac5cfe8522af72b97a 100644 --- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -1,10 +1,4 @@ -grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules -grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules +grep -q "\-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +grep -q "\-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh index d10611802d08eab495cdacac5cfe8522af72b97a..fcf6eb1f70664338d3cd21f944ce54167bb7059a 100644 --- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh 
@@ -1,4 +1,10 @@ -grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules -grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules +grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules +grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index 30de77b5e6b73d2f6403bdba03eda6d57adc0d49..61a6f4321063871ee90e9b4692c98dfe49e712c4 100644 --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -1,17 +1,11 @@ result=false -grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && grep -q "\-w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true +grep -q "\-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true if [ "$result" = true ]; then echo "pass" else echo "fail" -fi +fi \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh index ec29b97a574dcfeb708e23977ab8f873ecf7ef90..9851c6a57acbcb51387fb7253794ff52abcee6d6 100644 --- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh 
@@ -1,11 +1,17 @@ result=false -grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true +grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true if [ "$result" = true ]; then echo "pass" else echo "fail" -fi +fi \ No newline at end of file
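Review bot: In the 2.22 benchmark remediation hunk (`@@ -15,8 +15,8 @@`), the second command appends the sudoers watch rules directly to `/etc/audit/audit.rules`; on systems where auditd loads rules through augenrules that file is regenerated from `/etc/audit/rules.d/*.rules`, so the direct append is overwritten on the next load and is at best redundant with the first command. The hunk also gives the reader no step to activate the new rules (an `augenrules --load` or a reboot note), so the watch is not in effect after following the page as written. Separately, this commit and the 2.23 hunk below swap the rule sets between the two checks, which fixes a prior mislabeling; that is worth stating in the commit message so the history explains why both files changed together.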
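Review bot: In the 2.22 benchmark scan hunk (`@@ -26,28 +26,16 @@`), the `.` in `\-w\s/etc/sudoers.d/` is unescaped inside an `-E` pattern and matches any character; write `sudoers\.d` so the check cannot be satisfied by an unrelated path. The same hunk also changes `## 参考` only by dropping its trailing newline (`\ No newline at end of file`), which is an unintended whitespace change to an otherwise empty section and should be reverted.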
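Review bot: In the 2.23 benchmark remediation hunk (`@@ -15,8 +15,8 @@`), the two `echo -e` commands are inconsistent: the second starts its payload with `\n`, producing a blank line in `/etc/audit/audit.rules`, while the first does not. Both commands write the same five identity rules, and the append to `/etc/audit/audit.rules` is subject to the same augenrules regeneration concern as in 2.22, so keep only the `rules.d` append with a single consistent payload and add the reload step.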
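Review bot: In the 2.23 benchmark scan hunk (`@@ -26,15 +26,27 @@`), the multi-line argument to `grep -E` is a pattern list, which grep matches as alternatives, so the command prints whichever of the five identity rules are present and a file missing one of them still produces output. Since the page says the check passes when output matches the expectation (`如输出结果符合预期`), note explicitly that all five lines must appear, or give a count-based form (for example `grep -Ec` compared against 5) so the result is unambiguous.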
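Review bot: In the 2.22 remediation kit hunk (`@@ -1,10 +1,4 @@`), `grep -q` with a two-line pattern succeeds when either of the two rules is present, so a file containing only `-w /etc/sudoers -p wa -k scope` is treated as compliant and the `sudoers.d/` watch is never added. The hunk also narrows the search from the previous `/etc/audit/rules.d/*.rules` to `/etc/audit/rules.d/audit.rules`, so rules shipped in a differently named file under `rules.d` are missed and appended again as duplicates. Check each rule with its own `grep -q` against `/etc/audit/rules.d/*.rules` and append only the missing lines; the script starts at line 1 with `grep -q` (no shebang), so if it is run under `sh` the `echo -e` will emit a literal `-e` into the rules file, and `printf` is the portable choice.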
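Review bot: In the 2.23 remediation kit hunk (`@@ -1,4 +1,10 @@`), the second command tests `/etc/audit/rules.d/*.rules` but appends to `/etc/audit/audit.rules`; because the first command has just appended the same rules to `/etc/audit/rules.d/audit.rules` when they were absent, the second `grep -q` always matches and its append is dead code, and when the rules already exist in `rules.d` but not in `audit.rules` nothing is written there either. Decide which file is authoritative (with augenrules it is `rules.d`) and drop the second command, or make its grep target the file it writes to. The same `grep -q` pattern-list semantics as in 2.22 apply here: any one of the five identity rules present satisfies the check. The file also loses its trailing newline (`\ No newline at end of file`).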
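Review bot: In the 2.22 scanner hunk (`@@ -1,17 +1,11 @@`), both `grep -q` calls use a two-line pattern, which grep treats as two alternative patterns, so the scanner reports `pass` when only one of `-w /etc/sudoers -p wa -k scope` and `-w /etc/sudoers.d/ -p wa -k scope` is present. Test each rule separately and require both. The scanner also only inspects files on disk; a rule present in `audit.rules` but not loaded (no `augenrules --load` after the remediation) still passes, so consider checking `auditctl -l` output as well. The hunk also strips the trailing newline after `fi`, which is an unrelated whitespace change.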
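Review bot: In the 2.23 scanner hunk (`@@ -1,11 +1,17 @@`), the two `grep -q` commands are identical, both searching `/etc/audit/rules.d/*.rules` with the same five-line pattern, so the second adds nothing and `/etc/audit/audit.rules`, which the 2.23 benchmark page checks, is never examined. Combined with the pattern-list behaviour of `grep` (a newline-separated pattern matches any one of its lines), a host with only `-w /etc/group -p wa -k identity` configured is reported as `pass`. Replace the duplicated call with one `grep -q` per rule and decide whether `audit.rules` should be checked here to match the documentation. The trailing newline after `fi` is dropped in this hunk as well.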