diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2561fb5..b4f6d0c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v5.0.0
+  rev: v6.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
diff --git a/Changelog.md b/Changelog.md
index b6db646..b25de77 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,29 @@
 # Changes to rhel9CIS
 
+## 2.0.3 - Based on CIS v2.0.0
+
+- Thanks to @numericillustration
+  - Public PR 380
+  - systemd_service rolled back to systemd for < ansible 2.14
+- Thanks to @bgro and @Kodebach
+  - Public PR 371
+  - updated to user sudo check 5.2.4
+- Thanks to @DianaMariaDDM
+  - Public PR 367
+  - updated several typos
+- Thanks to @polski-g
+  - Public PR 364
+  - gdm section 1.8 improvements
+- Thanks to @chrispipo
+  - Public PR 350
+  - change insert before for rsyslog setting
+- Thanks to @thesmilinglord
+  - public issue 377
+  - change 1.3 from include task to import for tagging
+- Thanks to @Fredouye
+  - public issue 372
+  - allow password with different locale
+
 ## 2.0.2 - Based on CIS v2.0.0
 
 - Update to audit_only to allow fetching results
diff --git a/defaults/main.yml b/defaults/main.yml
index 23312e5..bf40e8f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -592,6 +592,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an
 # End Banner
 
 ## Control 1.8.x - Settings for GDM
+# do not run Control 1.8.x if using a display manager different than gdm
+rhel9cis_display_manager: "gdm"
 ## 1.8 GDM graphical interface
 rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
 # This variable specifies the GNOME configuration database file to which configurations are written.
diff --git a/handlers/main.yml b/handlers/main.yml
index 71f5554..c6de8f3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -263,7 +263,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
     name: auditd
     state: started
   listen: Restart auditd
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 0fa0b32..9ada459 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -25,7 +25,7 @@
     dest: /etc/audit/rules.d/99_auditd.rules
     owner: root
     group: root
-    mode: 'u-x,go-wx'
+    mode: 'u-x,g-wx,o-rwx'
   diff: "{{ discovered_auditd_rules_file.stat.exists }}"  # Only run diff if not a new file
   register: discovered_auditd_rules_template_updated
   notify:
diff --git a/tasks/main.yml b/tasks/main.yml
index 7912aca..ed2af41 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -91,11 +91,14 @@
       block:
         - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
           ansible.builtin.assert:
-            that:
-              - prelim_ansible_user_password_set.stdout | length != 0
-              - prelim_ansible_user_password_set.stdout != "!!"
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
-            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
+            that: |
+              (
+                ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
+              or
+                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
+              )
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
 
         - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
           ansible.builtin.assert:
@@ -129,7 +132,7 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
       changed_when: false
       failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 68e7035..357a23f 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -1,22 +1,13 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit  # noqa name[template]
-  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
   changed_when: true
   environment:
     AUDIT_BIN: "{{ audit_bin }}"
     AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
     AUDIT_FILE: goss.yml
 
-- name: Post Audit | ensure audit files readable by users
-  ansible.builtin.file:
-    path: "{{ item }}"
-    mode: '0644'
-    state: file
-  loop:
-    - "{{ post_audit_outfile }}"
-    - "{{ pre_audit_outfile }}"
-
 - name: Post Audit | Capture audit data if json format
   when: audit_format == "json"
   block:
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 80df209..ff6aad0 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -47,7 +47,7 @@
     remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
     extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 
-- name: Pre Audit Setup | Check goss is available
+- name: Pre Audit Setup | Check Goss is available
   when: run_audit
   block:
     - name: Pre Audit Setup | Check for goss file
@@ -71,7 +71,7 @@
     mode: 'go-rwx'
 
 - name: Pre Audit | Run pre_remediation audit {{ benchmark }}  # noqa name[template]
-  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
+  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
   changed_when: true
   environment:
     AUDIT_BIN: "{{ audit_bin }}"
diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml
index 765de3d..b27e4cc 100644
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
+- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_6_1
     - required_mount not in prelim_mount_names
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
index 2dc5939..b4513dd 100644
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
+- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_7_1
     - required_mount not in prelim_mount_names
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index 5d99f48..fff557b 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@@ -41,7 +41,7 @@
     file: cis_1.2.2.x.yml
 
 - name: "SECTION | 1.3.1 | Configure SELinux"
-  ansible.builtin.include_tasks:
+  ansible.builtin.import_tasks:
     file: cis_1.3.1.x.yml
 
 - name: "SECTION | 1.4 | Configure Bootloader"
@@ -61,5 +61,6 @@
     file: cis_1.7.x.yml
 
 - name: "SECTION | 1.8 | Gnome Display Manager"
+  when: rhel9cis_display_manager == 'gdm'
   ansible.builtin.import_tasks:
     file: cis_1.8.x.yml
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index 123928e..0281f12 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -240,12 +240,12 @@
     - rule_3.3.9
     - NIST800-53R5_AU-3
   block:
-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged | Set Fact"
       ansible.builtin.set_fact:
         rhel9cis_sysctl_update: true
         rhel9cis_flush_ipv4_route: true
 
-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
       ansible.builtin.debug:
         msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index 37a4e11..b3dd7d9 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@@ -61,7 +61,7 @@
     - level1-server
     - level1-workstation
     - patch
-    - rule_5.4.2.2
+    - rule_5.4.2.3
     - user
     - system
     - NIST800-53R5_CM-1
@@ -135,6 +135,22 @@
       ansible.builtin.set_fact:
         root_paths: "{{ discovered_root_paths.stdout }}"
 
+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for presence of non-dirs"
+      ansible.builtin.stat:
+        path: "{{ item }}"
+      loop: "{{ discovered_root_paths_split.stdout_lines }}"
+      register: paths_stat
+
+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
+      ansible.builtin.file:
+        path: "{{ item.item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'go-w'
+      loop: "{{ paths_stat.results }}"
+      when: not item.stat.exists
+
     - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
       when: discovered_root_paths is defined
       ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 1db531b..a29118a 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -91,13 +91,13 @@
 
     - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
       when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
         name: aidecheck.service
         enabled: true
 
     - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
       when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
         name: aidecheck.timer
         state: started
         enabled: true
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 9d26acf..eaa3bd1 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -131,7 +131,7 @@
           *.=warning;*.=err                                        -/var/log/warn
           *.crit                                                   /var/log/warn
           *.*;mail.none;news.none                                  /var/log/messages
-        insertafter: '#### RULES ####'
+        insertbefore: '# ### sample forwarding rule ###'
       notify: Restart rsyslog
 
     - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml
index 74de70a..b044abc 100644
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@@ -27,9 +27,9 @@
     - level2-workstation
     - patch
     - auditd
-    - rule_6.3.4.1
     - rule_6.3.4.2
     - rule_6.3.4.3
+    - rule_6.3.4.4
     - NIST800-53R5_AU-3
   ansible.builtin.file:
     path: "{{ prelim_auditd_logfile.stdout }}"