diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 07869e17a53..a8d68d805d8 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2052,10 +2052,11 @@ controls:
levels:
- l1_server
- l1_workstation
- related_rules:
+ rules:
- set_password_hashing_algorithm_logindefs
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4.
+ - var_password_hashing_algorithm=cis_ubuntu2404
+ status: automated
+ notes: Rule allows either SHA512 or YESCRYPT
- id: 5.4.1.5
title: Ensure inactive password lock is configured (Automated)
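Review bot: The new `notes:` line says the rule accepts either SHA512 or YESCRYPT but not which one remediation writes; the ansible and bash remediations in this same change take the first `|`-separated entry of `var_password_hashing_algorithm`, which for the `cis_ubuntu2404` option is SHA512. Suggest `notes: Rule allows either SHA512 or YESCRYPT; remediation sets SHA512 (the first listed value).` so a profile reader does not have to trace the variable. If the platform's default hashing method is yescrypt, a host that fails the check would be moved to SHA512 rather than back to the default — worth confirming that the option value's order is intentional. The control entry this hunk belongs to starts before the hunk.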
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
index e0b6d68db53..ff6e962100a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
@@ -9,6 +9,6 @@
lineinfile:
dest: /etc/login.defs
regexp: ^#?ENCRYPT_METHOD
- line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }}
+ line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
state: present
create: yes
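Review bot: The `.split('|')[0]` on the new `line:` value is the only place in this file that reveals the variable may carry several alternatives, and nothing says why only the first is written; a comment above the key at the same indent, `# var may hold '|'-separated alternatives; the check accepts any, remediation writes the first`, would keep it in sync with the bash remediation. The expression also keeps any surrounding whitespace, so an option later written as `SHA512 | YESCRYPT` would produce `ENCRYPT_METHOD SHA512 ` — `{{ var_password_hashing_algorithm.split('|')[0] | trim }}` is cheap insurance. The lineinfile task starts before this hunk.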
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
index c8a246b9048..2508c43d03c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
@@ -1,4 +1,9 @@
# platform = multi_platform_all
{{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}
+
+# Allow multiple algorithms, but choose the first one for remediation
+#
+var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"
+
{{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}
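Review bot: The new assignment expands `$var_password_hashing_algorithm` unquoted inside `echo`, so the value is subject to word splitting and glob expansion before `cut` sees it, and it spawns two processes for a prefix strip; bash parameter expansion does the same thing safely in one line: `var_password_hashing_algorithm="${var_password_hashing_algorithm%%|*}"`. The empty `#` line under the comment can be dropped. The comment itself is fine but could say what the check accepts, e.g. `# The variable may list '|'-separated alternatives; the check accepts any of them, remediation writes the first`.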
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
index 0b81eed1cfc..596c265c458 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
@@ -37,9 +37,17 @@
-
+
+
+
+ ^
+
+ $
+
+
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.fail.sh
new file mode 100644
index 00000000000..6970170d33d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+ sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD wrong_value/" /etc/login.defs
+else
+ echo "ENCRYPT_METHOD wrong_value" >> /etc/login.defs
+fi
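Review bot: This test script, and the two `default_multivalue*.pass.sh` scripts in the following hunks, carry no comment stating what the case asserts, unlike `default_partial.fail.sh` and `default_yescrypt.pass.sh` which do; with three near-identical scripts differing only in the written value, the intent is not obvious from the filename. Suggest adding one line after the `# variables =` header in each: here `# ENCRYPT_METHOD set to a value outside the '|'-separated list must fail`, in `default_multivalue.pass.sh` `# the second of the '|'-separated allowed values must pass`, and in `default_multivalue2.pass.sh` `# the first of the '|'-separated allowed values must pass`. The `\b` in the sed expression is a GNU extension, which is fine for the Linux targets these tests run on but worth knowing if the scripts are ever reused.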
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.pass.sh
new file mode 100644
index 00000000000..741e6ecec62
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+ sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD good_value2/" /etc/login.defs
+else
+ echo "ENCRYPT_METHOD good_value2" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue2.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue2.pass.sh
new file mode 100644
index 00000000000..efdaf91799d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue2.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+ sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD good_value1/" /etc/login.defs
+else
+ echo "ENCRYPT_METHOD good_value1" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_partial.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_partial.fail.sh
new file mode 100644
index 00000000000..707b7fe4bb9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_partial.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=value1|value2
+
+# test that partial match fails
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+ sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD value/" /etc/login.defs
+else
+ echo "ENCRYPT_METHOD value" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_yescrypt.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_yescrypt.pass.sh
new file mode 100644
index 00000000000..dff8684b0bb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_yescrypt.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=YESCRYPT
+
+# Make sure ENCRYPT_METHOD is YESCRYPT
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+ sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD YESCRYPT/" /etc/login.defs
+else
+ echo "ENCRYPT_METHOD YESCRYPT" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
index a7ca858e731..6e3148bb804 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
@@ -17,3 +17,4 @@ options:
SHA512: SHA512
SHA256: SHA256
yescrypt: YESCRYPT
+ cis_ubuntu2404: SHA512|YESCRYPT
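Review bot: The new option is the first value in this shared variable file that uses a `|`-separated list, and nothing in the file says how such a value is interpreted; since the order decides which algorithm remediation writes (the first), a comment above the entry such as `# '|'-separated alternatives: the check accepts any, remediation writes the first` would prevent a later reordering from silently changing remediation. The option key is named after a single profile while the value (`SHA512|YESCRYPT`) is generic; a name like `sha512_or_yescrypt` would be reusable by other profiles, though renaming also means updating the `var_password_hashing_algorithm=cis_ubuntu2404` selection in the controls file. The `options:` mapping starts before this hunk.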