def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("type", default="") == "PATH",
                    event.deep_get("name", default="")
                    in [
                        "/etc/login.defs",
                        "/etc/pam.d/auth",
                        "/etc/pam.d/common-account",
                        "/etc/pam.d/common-auth",
                        "/etc/pam.d/common-password",
                        "/etc/pam.d/system-auth",
                        "/etc/security/pwquality.conf",
                    ],
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="") == "chage",
                    event.deep_get("a1", default="") in ["--list", "-l"],
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="") == "passwd",
                    event.deep_get("a1", default="") in ["-S", "--status"],
                ]
            ),
        ]
    ):
        return True
    return False
