diff --git a/components/pam.yml b/components/pam.yml
index af9441e878a..65053d0571d 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -185,6 +185,7 @@ rules:
 - no_legacy_plus_entries_etc_passwd
 - no_legacy_plus_entries_etc_shadow
 - no_netrc_files
+- no_nologin_in_shells
 - no_password_auth_for_systemaccounts
 - no_root_webbrowsing
 - no_shelllogin_for_systemaccounts
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a65a4d83f94..16d75fecf79 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2210,8 +2210,9 @@ controls:
 levels:
 - l2_server
 - l2_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - no_nologin_in_shells
+ status: automated
 - id: 5.4.3.2
 title: Ensure default user shell timeout is configured (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/bash/shared.sh
new file mode 100644
index 00000000000..7e73910ff58
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/bash/shared.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if grep -q -E "^[^#]*/nologin\b.*$" /etc/shells; then
+ sed -i --follow-symlinks 's/^[^#]*\/nologin\b.*$/#&/g' /etc/shells
+fi
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/oval/shared.xml
new file mode 100644
index 00000000000..6f9b847097b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/oval/shared.xml
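Review bot: The remediation in bash/shared.sh gives no hint why the pattern is shaped the way it is, and both `\b` (in the grep -E pattern and in the sed BRE) and `--follow-symlinks` are GNU extensions, so a one-line comment above the `if` would help the next maintainer, e.g. `# Comment out every uncommented line naming a nologin binary; \b keeps look-alike names such as nologinormaybe untouched (GNU grep/sed syntax)`. When /etc/shells is absent, `grep -q` writes a "No such file" error to stderr before the script correctly does nothing; `if grep -qs -E "^[^#]*/nologin\b.*$" /etc/shells; then` keeps the remediation quiet in that case. Note also that `\b` after nologin still matches a path such as /sbin/nologin.bak, which is presumably acceptable but worth stating in that comment.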
@@ -0,0 +1,28 @@ + + + + Ensure nologin Shell is Not Listed in /etc/shells + + multi_platform_all + + The nologin shell should not be listed in /etc/shells. + + + + + + + + + + + + /etc/shells + ^[^#]*/nologin\b.*$ + 1 + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml new file mode 100644 index 00000000000..9fdd34478aa --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Ensure nologin Shell is Not Listed in /etc/shells' + +description: |- + The /sbin/nologin shell is used to restrict accounts from having login access + and should not be listed as a valid login shell in /etc/shells. + To verify that nologin is not listed in /etc/shells, run: +
$ grep nologin /etc/shells
+ The command should return no output. + +rationale: |- + The /etc/shells is consulted by various programs to evaluate + whether the user is somehow restricted. For example, the chsh utility will + consult the file to determine if the user is allowed to change their shell. + +severity: medium + +ocil_clause: 'nologin is listed in /etc/shells' + +ocil: |- + To verify that nologin is not listed in /etc/shells, run: +
$ grep nologin /etc/shells
+ The command should return no output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/commented.pass.sh
new file mode 100644
index 00000000000..5d829b6ac0d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/commented.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+sed -i --follow-symlinks '/nologin/d' /etc/shells
+echo "#/sbin/nologin" >> /etc/shells
+
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/exists.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/exists.fail.sh
new file mode 100644
index 00000000000..997c9c05c27
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/exists.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+sed -i --follow-symlinks '/nologin/d' /etc/shells
+echo "/sbin/nologin" >> /etc/shells
+
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/missing.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/missing.pass.sh
new file mode 100644
index 00000000000..5fec9291243
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/missing.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed -i --follow-symlinks '/nologin/d' /etc/shells
+
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/multiple.fail.sh
new file mode 100644
index 00000000000..55ce824ec11
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/multiple.fail.sh
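Review bot: The manual verification command in rule.yml, `$ grep nologin /etc/shells`, given in both the description and the ocil block, is stricter than the automated check: it prints a match for a commented-out `#/sbin/nologin` line and for an unrelated entry such as `/sbin/nologinormaybe`, yet the commented.pass.sh and similar.pass.sh scenarios declare both of those passing. An auditor following the OCIL text would therefore report a finding on a system the OVAL pattern `^[^#]*/nologin\b.*$` accepts. Using the same pattern in the documented command, `$ grep -E '^[^#]*/nologin\b' /etc/shells`, in both places keeps the two aligned. The description could also name /usr/sbin/nologin next to /sbin/nologin, since multiple.fail.sh treats that path as a finding too.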
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sed -i --follow-symlinks '/nologin/d' /etc/shells
+echo "/sbin/nologin" >> /etc/shells
+echo "/usr/sbin/nologin" >> /etc/shells
+
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/similar.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/similar.pass.sh
new file mode 100644
index 00000000000..9fac8d13be9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/similar.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+sed -i --follow-symlinks '/nologin/d' /etc/shells
+echo "/sbin/nologinormaybe" >> /etc/shells
+
+