diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7cba4d2..e4c6d6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG
+## 0.1.24
+
+* **pam::lockout**
+ - added support for **Ubuntu 18.04**
+
 ## 0.1.23
 * Added support for **RHEL 8**
diff --git a/examples/cis_demo.pp b/examples/cis_demo.pp
new file mode 100644
index 0000000..6c8ddac
--- /dev/null
+++ b/examples/cis_demo.pp
@@ -0,0 +1,11 @@
+class { 'pam::lockout': }
+
+class { 'pam::wheel': }
+
+class { 'pam::cracklib':
+ minlen => '7',
+}
+
+class { 'pam::unix':
+ remember => '10',
+}
diff --git a/examples/lockout.pp b/examples/lockout.pp
new file mode 100644
index 0000000..67d74ed
--- /dev/null
+++ b/examples/lockout.pp
@@ -0,0 +1 @@
+class { 'pam::lockout': }
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index 367c807..40cde04 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -45,6 +45,20 @@
 }
 }
 }
+ 'tally2':
+ {
+ # sed 's/\(^account.*pam_unix\.so.*$\)/\naccount required pam_tally2.so\n\n\1\n/'
+ exec { 'update common account':
+ command => "sed 's/\\(^account.*pam_unix\\.so.*$\\)/\\naccount required pam_tally2.so\\n\\n\\1\\n/' -i /etc/pam.d/common-account",
+ unless => "grep -P 'account required pam_tally2.so' /etc/pam.d/common-account",
+ }
+
+ # /etc/pam.d/common-auth
+ exec { 'update common auth':
+ command => "sed 's/\\(^auth.*pam_unix\\.so.*$\\)/auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}\\n\\n\\1/' -i /etc/pam.d/common-auth",
+ unless => "grep -E 'auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}' /etc/pam.d/common-auth",
+ }
+ }
 default:
 {
 fail("${pam::params::pam_lockout} currently not implemented")
diff --git a/manifests/lockout/install.pp b/manifests/lockout/install.pp
index c5da1a5..a5e9bee 100644
--- a/manifests/lockout/install.pp
+++ b/manifests/lockout/install.pp
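Review bot: `minlen => '7'` in examples/cis_demo.pp is shorter than the 14-character minimum the CIS benchmarks ask for in their password-quality check, so anyone applying this "CIS demo" as-is gets a weaker policy than the file name suggests. If 7 is intentional, a header comment such as `# demo values only, not a complete CIS profile` would prevent that reading; otherwise use `minlen => '14',`. How pam::cracklib turns minlen into the PAM line is not visible here, so the effective length should be checked against the rendered file.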
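Review bot: The `unless` guard on 'update common auth' greps for the line with the current deny and unlock_time values, so once either parameter changes the guard no longer matches and the sed adds a second `auth required pam_tally2.so` line while the old one stays in /etc/pam.d/common-auth. The stack would then run both entries, which leaves the stale threshold in force and likely counts each failure twice. Removing any existing entry in the same pass avoids this: insert `-e '/^auth.*pam_tally2\\.so/d' -e` between `sed` and the substitution. Both execs also call `sed` and `grep` unqualified with no `path`, which Puppet rejects unless an Exec default is set elsewhere, so add `path => '/usr/sbin:/usr/bin:/sbin:/bin',`. The two parameters are interpolated into a shell command and should be typed as integers in the class, which, like the start of the enclosing case statement, is outside this hunk.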
@@ -5,6 +5,9 @@
 'faillock':
 {
 }
+ 'tally2':
+ {
+ }
 default:
 {
 fail("${pam::params::pam_lockout} currently not implemented")
diff --git a/metadata.json b/metadata.json
index a1377c3..cc6bb37 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "eyp-pam",
- "version": "0.1.23",
+ "version": "0.1.24",
 "author": "eyp",
 "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management",
 "license": "Apache-2.0",