diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
index a83774dfd98..b87d8152982 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
@@ -10,14 +10,33 @@
+
+
+ obj_test_use_authtok_password_lines_except_first
+ ste_test_use_authtok_pam_unix_lines
+
+
+
+
+ ^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$
+
+
+
+
{{{ accounts_password_pam_unix_file }}}
- ^[ \t]*password[ \t]+([^\n\r]+)[\n\r]+[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$
- 1
+ ^[ \t]*password[ \t]+(.+)$
+ 2
+
+
+ ^[^#\n\r]+[ \t]+pam_unix\.so.*$
+
+
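Review bot: The new state pattern `^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$` requires at least one character between the whitespace after `pam_unix.so` and `use_authtok`, so a line where `use_authtok` is the first option after a single space no longer matches. The removed pattern handled that case with the optional group `([^#\n\r]+[ \t]+)?`, and restoring it would avoid reporting a compliant line as a finding: `pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok`. The pattern also accepts any token that merely contains `use_authtok`, so ending it with `use_authtok([ \t].*)?$` would be stricter. The XML element names are not visible in this hunk, so the role of each pattern is inferred from the object and state ids.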
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh
new file mode 100644
index 00000000000..8bc825f2336
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+# remove all pam-auth-update configs which update the
+# primary password block and create a config with well defined
+# high priority to ensure correct stacking of our module
+grep -il "Password-Type: Primary" /usr/share/pam-configs/* | grep -v "/unix$" | xargs rm -f
+
+cat << EOF > /usr/share/pam-configs/cac_test_echo
+Name: Echo
+Default: yes
+Priority: 10000
+Password-Type: Primary
+Password:
+ password optional pam_echo.so
+Password-Initial:
+ password optional pam_echo.so
+EOF
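Review bot: The cleanup line `grep -il ... | grep -v "/unix$" | xargs rm -f` splits file names on whitespace and permanently deletes packaged profiles from /usr/share/pam-configs, and nothing in the file says it must only run on a disposable test host. A NUL-delimited form is safer and does nothing when no file matches: `grep -ilZ "Password-Type: Primary" /usr/share/pam-configs/* | grep -zv '/unix$' | xargs -0 -r rm -f --`. Because the script runs as a side effect of `source ubuntu_common.sh`, a header comment such as `# Destructive: removes pam-auth-update profiles; for throwaway test systems only` would help anyone who reuses it.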
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh
new file mode 100644
index 00000000000..80394934931
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
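Review bot: The exit status of `pam-auth-update` on the second-to-last line is ignored, so if the tool declines to regenerate the stack (for example when it detects local modifications and `--force` is not given), the scenario is evaluated against whatever /etc/pam.d/common-password already contained. For a `.fail.sh` scenario this can hide a broken setup, because the rule may report non-compliance for a reason unrelated to the two conflicting `pam_unix.so` lines written here. Consider `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1`, or a `grep -q` for the expected `pam_unix.so` line in the generated file before `rm "$config_file"`. How the test harness treats a non-zero setup exit should be confirmed first. The same applies to ubuntu_conflicting_values2.fail.sh and ubuntu_missing_value.fail.sh.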
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh
new file mode 100644
index 00000000000..6aff7903b99
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
index bef6483a480..1a8af633232 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
@@ -1,12 +1,17 @@
#!/bin/bash
# platform = multi_platform_ubuntu
+source ubuntu_common.sh
+
config_file=/usr/share/pam-configs/tmpunix
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
cat << EOF > "$config_file"
Name: Unix authentication
Default: yes
-Priority: 0
+Priority: 1024
+Conflicts: unix
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so try_first_pass
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
index 904456b6ada..42d499b7c2f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
@@ -1,12 +1,17 @@
#!/bin/bash
# platform = multi_platform_ubuntu
+source ubuntu_common.sh
+
config_file=/usr/share/pam-configs/tmpunix
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
cat << EOF > "$config_file"
Name: Unix authentication
Default: yes
Priority: 1024
+Conflicts: unix
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so try_first_pass
@@ -29,5 +34,5 @@ Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt
EOF
-DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix
+DEBIAN_FRONTEND=noninteractive pam-auth-update
rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh
new file mode 100644
index 00000000000..a8ef5c3e10e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# higher priority to ensure the config is above the cac_test_echo
+# on the stack, thus using the "Password-Initial:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1000000
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"