diff --git a/components/pam.yml b/components/pam.yml
index 0590e268d07..94eb1001ad1 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -59,6 +59,7 @@ rules:
- accounts_password_pam_pwhistory_remember_system_auth
- accounts_password_pam_pwquality_password_auth
- accounts_password_pam_pwquality_system_auth
+- accounts_password_pam_pwquality_enabled
- accounts_password_pam_retry
- accounts_password_pam_ucredit
- accounts_password_pam_unix_remember
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 1d692f57906..0919f14709f 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1866,8 +1866,9 @@ controls:
levels:
- l1_server
- l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - accounts_password_pam_pwquality_enabled
+ status: automated
- id: 5.3.2.4
title: Ensure pam_pwhistory module is enabled (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
new file mode 100644
index 00000000000..38f2d36dbe2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwquality_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
new file mode 100644
index 00000000000..49409d6cf4b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
@@ -0,0 +1,37 @@
+{{% if 'ubuntu' in product or 'debian' in product %}}
+{{% set configuration_files = ["common-password"] %}}
+{{% endif %}}
+
+
+ {{{ oval_metadata("Check pam_pwquality module is enabled") }}}
+
+ {{% for file in configuration_files %}}
+
+ {{% endfor %}}
+
+
+
+ {{% macro test_pwquality_enabled(path, test_ref) %}}
+
+
+
+ {{% endmacro %}}
+
+ {{% macro object_pwquality_enabled(path, test_ref) %}}
+
+ {{{ path }}}
+ ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$
+ 1
+
+ {{% endmacro %}}
+
+ {{% for file in configuration_files %}}
+ {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file ,
+ test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
+ {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file ,
+ test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
+ {{% endfor %}}
+
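Review bot: `configuration_files` is only set inside the `'ubuntu' in product or 'debian' in product` guard at the top of the file, so on any other product both `for file in configuration_files` loops have nothing defined to iterate. The definition would then presumably render with no criteria or fail to build, depending on how the build handles undefined names. Since this is `oval/shared.xml` and rule.yml does not restrict products, add a fallback such as `{{% else %}}` followed by `{{% set configuration_files = ["system-auth"] %}}`, mirroring tests/common.sh, or document the restriction in a comment. Separately, the pattern only shows that a `required`/`requisite` `pam_pwquality.so` line exists somewhere in the file, not that it comes before `pam_unix.so`, so a misplaced entry would presumably still pass. The XML element tags are not visible in this view, so these points cover only the template logic and the pattern.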
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml
new file mode 100644
index 00000000000..5527e49c0a8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+
+title: 'Ensure pam_pwquality module is enabled'
+
+description: |-
+ The pam_pwquality.so module performs password quality checking. This module can
+ be plugged into the password stack of a given service to provide strength-checking for
+ passwords. The code was originally based on pam_cracklib module and the module is
+ backwards compatible with its options.
+
+ The action of this module is to prompt the user for a password and check its strength
+ against a system dictionary and a set of rules for identifying poor choices.
+
+ The first action is to prompt for a single password, check its strength and then, if it is
+ considered strong, prompt for the password a second time (to verify that it was typed
+ correctly on the first occasion). All being well, the password is passed on to subsequent
+ modules to be installed as the new authentication token.
+
+rationale: |-
+ Use of a unique, complex passwords helps to increase the time and resources required
+ to compromise the password.
+
+severity: medium
+
+platform: package[pam]
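Review bot: The `description` explains what pam_pwquality does but never states the condition the rule checks or how to satisfy it, and the file has no `ocil`/`ocil_clause` or `references` entry even though the control file now maps a CIS item to this rule. A closing sentence in the description would cover the first gap, for example `The module is enabled when /etc/pam.d/common-password contains a "password requisite pam_pwquality.so" line.` An `ocil_clause` such as `pam_pwquality.so is not enabled in the password stack` would give auditors a manual check. The rationale also has a grammar slip: `Use of a unique, complex passwords` should read `Use of unique, complex passwords`.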
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
new file mode 100644
index 00000000000..95830eba0ab
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+sed -i 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password
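Review bot: The `sed` on the last line only comments out a `pam_pwquality.so` entry that is already present, and nothing in this scenario puts one into `/etc/pam.d/common-password` first. On an image where the module is not configured, the script changes nothing and the scenario fails for the same reason as missing.fail.sh. Creating the enabled state first (the profile plus `pam-auth-update` used in correct.pass.sh) and then commenting the line would make the scenario test the commented-out case, which the `^\s*password` anchor in the OVAL pattern is meant to reject. A one-line comment such as `# pam_pwquality is configured but commented out, so the rule must fail` would also document the intent.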
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
new file mode 100644
index 00000000000..02bd487048c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
@@ -0,0 +1,27 @@
+{{% if 'ubuntu' in product %}}
+configuration_files=("common-password")
+{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+configuration_files=("password-auth" "system-auth")
+{{% else %}}
+configuration_files=("system-auth")
+{{% endif %}}
+
+
+{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+authselect create-profile testingProfile --base-on sssd
+
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" \
+ "/etc/authselect/custom/testingProfile/$file"
+done
+authselect select --force custom/testingProfile
+{{% elif 'ubuntu' in product %}}
+rm -f /usr/share/pam-configs/pwquality
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
+done
+{{% endif%}}
+
+truncate -s 0 /etc/security/pwquality.conf
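Review bot: Only the `'ubuntu' in product` branches can run here, because every scenario in this rule is tagged `# platform = multi_platform_ubuntu` and the OVAL template defines `common-password` only for Ubuntu and Debian. The `authselect` and generic `sed` branches are untested carry-over, so either drop them or add a comment saying they are reserved for future platforms. Where the loops stay, quote the array expansion: `for file in "${configuration_files[@]}"; do`. The final `truncate -s 0 /etc/security/pwquality.conf` does not appear to affect anything this rule's check reads, so a short comment explaining why it is cleared would help the next maintainer.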
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
new file mode 100644
index 00000000000..a74d14e7eb3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+cat << EOF > /usr/share/pam-configs/pwquality
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+ requisite pam_pwquality.so
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
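Review bot: The pass scenario relies on `pam-auth-update` on the last line rewriting `/etc/pam.d/common-password`. As far as I know, it declines to do that non-interactively when the file carries local modifications unless `--force` is given, so the result may depend on the state of the test image. Consider `DEBIAN_FRONTEND=noninteractive pam-auth-update --force` there. The profile also names `pam_pwquality.so` without the scenario declaring the package that ships the module. A `# packages = libpam-pwquality` header would keep the configured password stack functional rather than only textually compliant.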
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
new file mode 100644
index 00000000000..feb4afc273d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source common.sh