diff --git a/components/pam.yml b/components/pam.yml
index b6789a9972c..9367a1c2bd6 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -65,6 +65,7 @@ rules:
 - accounts_password_pam_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_enabled
+- accounts_password_pam_unix_authtok
 - accounts_password_pam_unix_remember
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 74b56aa1cae..f1b7cc4f33d 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2059,8 +2059,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_password_pam_unix_authtok
+    status: automated
 
   - id: 5.4.1.1
     title: Ensure password expiration is configured (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
new file mode 100644
index 00000000000..1c7def053ef
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+config_file="/usr/share/pam-configs/cac_unix"
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        /use_authtok/! s/$/ use_authtok/g
+    }
+}'  "$config_file"
+
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
new file mode 100644
index 00000000000..452c7d05ccc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
@@ -0,0 +1,23 @@
+{{%- set accounts_password_pam_unix_file = '/etc/pam.d/common-password' -%}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Configure the system to include use_authtok in pam common_password configuration file") }}}
+    <criteria>
+      <criterion test_ref="test_password_pam_unix_use_authtok"
+        comment="use_authtok is configured in pam unix in common_password file"/>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_password_pam_unix_use_authtok" version="1"
+    check="all" check_existence="only_one_exists"
+    comment="use_authtok is configured in pam unix in common_password file">
+    <ind:object object_ref="obj_test_use_authtok" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_test_use_authtok" version="1">
+    <ind:filepath>{{{ accounts_password_pam_unix_file }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml
new file mode 100644
index 00000000000..e4afb5cacce
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+
+title: 'Require use_authtok for pam_unix.so'
+
+{{% set configFile = "/etc/pam.d/common-password" %}}
+
+description: |-
+    When password changing enforce the module to set the new password to the one
+    provided by a previously stacked password module
+
+rationale: |-
+    Require use_authtok in pam_unix.so configuration
+
+severity: medium
+
+ocil_clause: 'Usage of use_authtok for pam_unix.so is required'
+
+ocil: |-
+    To verify the password reuse setting is compliant, run the following command:
+    <pre>$ grep use_authtok {{{ configFile }}}</pre>
+    The output should show use_authtok on the line.
+
+fixtext: |-
+    To configure the <tt>use_authtok</tt> option for the <tt>pam_unix</tt> 
+    PAM modules, in the file <tt>{{{ configFile }}}</tt>, append <tt>use_authtok</tt>
+    to the line which refers to the <tt>pam_unix.so</tt>, as
+    shown below:
+
+    <pre>password [success=1 default=ignore] pam_unix.so <i>...existing_options...</i> use_authtok</pre>
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
new file mode 100644
index 00000000000..bef6483a480
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmpunix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt 
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt 
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
new file mode 100644
index 00000000000..20f55baf479
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/etc/pam.d/common-password
+sed -i --follow-symlinks "s/use_authtok//g" $config_file
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 82ac231dfac..96ab55f9f44 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -913,8 +913,8 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
         if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
             cp "$conf_path"/unix "$conf_path"/"$conf_name"
-            sed -i '/Default: yes/a Priority: 257\
-Conflicts: unix' "$conf_path"/"$conf_name"
+            sed -i 's/Priority: [0-9]\+/Priority: 257\
+Conflicts: unix/' "$conf_path"/"$conf_name"
             DEBIAN_FRONTEND=noninteractive pam-auth-update
         else
             echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2