Merge pull request #444 from ansible-lockdown/april26

April26
2026-05-09 23:33:53 +00:00 · 2026-04-16 17:03:34 +01:00 · 2026-04-16 17:03:34 +01:00 · c7ed4de9a8
commit c7ed4de9a8
parent bbc7eada94 2ac71da85c
50 changed files with 845 additions and 972 deletions
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@ -1,162 +1,163 @@
 ---
-  name: Devel pipeline
+name: Devel pipeline
-  on: # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
-    pull_request_target:
+  pull_request_target:
-      types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize]
-      branches:
+    branches:
-        - devel
+      - devel
-        - benchmark*
+      - benchmark*
-      paths:
+    paths:
-        - '**.yml'
+      - '**.yml'
-        - '**.sh'
+      - '**.sh'
-        - '**.j2'
+      - '**.j2'
-        - '**.ps1'
+      - '**.ps1'
-        - '**.cfg'
+      - '**.cfg'
-    # Allow manual running of workflow
+  # Allow manual running of workflow
-    workflow_dispatch:
+  workflow_dispatch:
-  # A workflow run is made up of one or more jobs
+# A workflow run is made up of one or more jobs
-  # that can run sequentially or in parallel
+# that can run sequentially or in parallel
-  jobs:
+jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
+  # This will create messages for first time contributers and direct them to the Discord server
-    welcome:
+  welcome:
-      runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-      permissions:
+    permissions:
-        issues: write
+      issues: write
-        pull-requests: write
+      pull-requests: write
-      steps:
+    steps:
-        - uses: actions/first-interaction@main
+      - uses: actions/first-interaction@main
-          with:
+        with:
-            repo_token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
-            issue_message: |-
+          issue_message: |-
-                Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
-                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-            pr_message: |-
+          pr_message: |-
-                Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-    # This workflow contains a single job that tests the playbook
+  # This workflow contains a single job that tests the playbook
-    playbook-test:
+  playbook-test:
-      # The type of runner that the job will run on
+    # The type of runner that the job will run on
-      runs-on: self-hosted
+    runs-on: self-hosted
-      # Allow permissions for AWS auth
+    # Allow permissions for AWS auth
-      permissions:
+    permissions:
-        id-token: write
+      id-token: write
-        contents: read
+      contents: read
-        pull-requests: read
+      pull-requests: read
-      env:
+    env:
-        ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-        # Imported as a variable by terraform
+      # Imported as a variable by terraform
-        TF_VAR_repository: ${{ github.event.repository.name }}
+      TF_VAR_repository: ${{ github.event.repository.name }}
-        AWS_REGION: "us-east-1"
+      AWS_REGION: "us-east-1"
-        ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-      defaults:
+    defaults:
-        run:
+      run:
-          shell: bash
+        shell: bash
-          working-directory: .github/workflows/github_linux_IaC
+        working-directory: .github/workflows/github_linux_IaC
-          # working-directory: .github/workflows
+        # working-directory: .github/workflows
-      steps:
+    steps:
-        - name: Git clone the lockdown repository to test
+      - name: Git clone the lockdown repository to test
-          uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
-          with:
+        with:
-            ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}
-        - name: If a variable for IAC_BRANCH is set use that branch
+      - name: If a variable for IAC_BRANCH is set use that branch
-          working-directory: .github/workflows
+        working-directory: .github/workflows
-          run: |
+        run: |
-            if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
-                echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+              echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
-                echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
-            else
+          else
-                echo IAC_BRANCH=main >> $GITHUB_ENV
+              echo IAC_BRANCH=main >> $GITHUB_ENV
-            fi
+          fi
-        # Pull in terraform code for linux servers
+      # Pull in terraform code for linux servers
-        - name: Clone GitHub IaC plan
+      - name: Clone GitHub IaC plan
-          uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
-          with:
+        with:
-            repository: ansible-lockdown/github_linux_IaC
+          repository: ansible-lockdown/github_linux_IaC
-            path: .github/workflows/github_linux_IaC
+          path: .github/workflows/github_linux_IaC
-            ref: ${{ env.IAC_BRANCH }}
+          ref: ${{ env.IAC_BRANCH }}
-        # Uses dedicated restricted role and policy to enable this only for this task
+      # Uses dedicated restricted role and policy to enable this only for this task
-        # No credentials are part of github for AWS auth
+      # No credentials are part of github for AWS auth
-        - name: configure aws credentials
+      - name: configure aws credentials
-          uses: aws-actions/configure-aws-credentials@main
+        uses: aws-actions/configure-aws-credentials@main
-          with:
+        with:
-            role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-            role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
-            aws-region: ${{ env.AWS_REGION }}
+          aws-region: ${{ env.AWS_REGION }}
-        - name: DEBUG - Show IaC files
+      - name: DEBUG - Show IaC files
-          if: env.ENABLE_DEBUG == 'true'
+        if: env.ENABLE_DEBUG == 'true'
-          run: |
+        run: |
-            echo "OSVAR = $OSVAR"
+          echo "OSVAR = $OSVAR"
-            echo "benchmark_type = $benchmark_type"
+          echo "benchmark_type = $benchmark_type"
-            pwd
+          pwd
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu init
+      - name: Tofu init
-          id: init
+        id: init
-          run: tofu init
+        run: tofu init
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu validate
+      - name: Tofu validate
-          id: validate
+        id: validate
-          run: tofu validate
+        run: tofu validate
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu apply
+      - name: Tofu apply
-          id: apply
+        id: apply
-          env:
+        env:
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-          run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
        run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 ## Debug Section
-        - name: DEBUG - Show Ansible hostfile
+      - name: DEBUG - Show Ansible hostfile
-          if: env.ENABLE_DEBUG == 'true'
+        if: env.ENABLE_DEBUG == 'true'
-          run: cat hosts.yml
+        run: cat hosts.yml
-  # Aws deployments taking a while to come up insert sleep or playbook fails
+# Aws deployments taking a while to come up insert sleep or playbook fails
-        - name: Sleep to allow system to come up
+      - name: Sleep to allow system to come up
-          run: sleep ${{ vars.BUILD_SLEEPTIME }}
+        run: sleep ${{ vars.BUILD_SLEEPTIME }}
-      # Run the Ansible playbook
+    # Run the Ansible playbook
-        - name: Run_Ansible_Playbook
+      - name: Run_Ansible_Playbook
-          env:
+        env:
-            ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_HOST_KEY_CHECKING: "false"
-            ANSIBLE_DEPRECATION_WARNINGS: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
-          run: |
+        run: |
-            /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
-      # Remove test system - User secrets to keep if necessary
+    # Remove test system - User secrets to keep if necessary
-        - name: Tofu Destroy
+      - name: Tofu Destroy
-          if: always() && env.ENABLE_DEBUG == 'false'
+        if: always() && env.ENABLE_DEBUG == 'false'
-          env:
+        env:
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-          run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+        run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
--- a/.github/workflows/export_badges_private.yml
+++ b/.github/workflows/export_badges_private.yml
@ -2,12 +2,6 @@
 name: Export Private Repo Badges
 # Use different minute offsets with the same hourly pattern:
 # Repo Group Suggested Cron Expression Explanation
 # Group A 0 */6 * * * Starts at top of hour
 # Group B 10 */6 * * * Starts at 10 after
 # And So On
 on:
  push:
    branches:
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@ -1,141 +1,142 @@
 ---
-  name: Main pipeline
+name: Main pipeline
-  on: # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
-    pull_request_target:
+  pull_request_target:
-      types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize]
-      branches:
+    branches:
-        - main
+      - main
-        - latest
+      - latest
-      paths:
+    paths:
-        - '**.yml'
+      - '**.yml'
-        - '**.sh'
+      - '**.sh'
-        - '**.j2'
+      - '**.j2'
-        - '**.ps1'
+      - '**.ps1'
-        - '**.cfg'
+      - '**.cfg'
-  # Allow permissions for AWS auth
+# Allow permissions for AWS auth
-  permissions:
+permissions:
-    id-token: write
+  id-token: write
-    contents: read
+  contents: read
-    pull-requests: read
+  pull-requests: read
-  # A workflow run is made up of one or more jobs
+# A workflow run is made up of one or more jobs
-  # that can run sequentially or in parallel
+# that can run sequentially or in parallel
-  jobs:
+jobs:
-    # This workflow contains a single job that tests the playbook
+  # This workflow contains a single job that tests the playbook
-    playbook-test:
+  playbook-test:
-      # The type of runner that the job will run on
+    # The type of runner that the job will run on
-      runs-on: self-hosted
+    runs-on: self-hosted
-      env:
+    env:
-        ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+      ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-        # Imported as a variable by terraform
+      # Imported as a variable by terraform
-        TF_VAR_repository: ${{ github.event.repository.name }}
+      TF_VAR_repository: ${{ github.event.repository.name }}
-        AWS_REGION : "us-east-1"
+      AWS_REGION: "us-east-1"
-        ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+      ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-      defaults:
+    defaults:
-        run:
+      run:
-          shell: bash
+        shell: bash
-          working-directory: .github/workflows/github_linux_IaC
+        working-directory: .github/workflows/github_linux_IaC
-          # working-directory: .github/workflows
+        # working-directory: .github/workflows
-      steps:
+    steps:
-        - name: Git clone the lockdown repository to test
+      - name: Git clone the lockdown repository to test
-          uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
-          with:
+        with:
-            ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}
-        - name: If a variable for IAC_BRANCH is set use that branch
+      - name: If a variable for IAC_BRANCH is set use that branch
-          working-directory: .github/workflows
+        working-directory: .github/workflows
-          run: |
+        run: |
-            if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+          if [ ${{ vars.IAC_BRANCH }} != '' ]; then
-              echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+            echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
-              echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+            echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
-            else
+          else
-              echo IAC_BRANCH=main >> $GITHUB_ENV
+            echo IAC_BRANCH=main >> $GITHUB_ENV
-            fi
+          fi
-        # Pull in terraform code for linux servers
+      # Pull in terraform code for linux servers
-        - name: Clone GitHub IaC plan
+      - name: Clone GitHub IaC plan
-          uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
-          with:
+        with:
-            repository: ansible-lockdown/github_linux_IaC
+          repository: ansible-lockdown/github_linux_IaC
-            path: .github/workflows/github_linux_IaC
+          path: .github/workflows/github_linux_IaC
-            ref: ${{ env.IAC_BRANCH }}
+          ref: ${{ env.IAC_BRANCH }}
-        # Uses dedicated restricted role and policy to enable this only for this task
+      # Uses dedicated restricted role and policy to enable this only for this task
-        # No credentials are part of github for AWS auth
+      # No credentials are part of github for AWS auth
-        - name: configure aws credentials
+      - name: configure aws credentials
-          uses: aws-actions/configure-aws-credentials@main
+        uses: aws-actions/configure-aws-credentials@main
-          with:
+        with:
-            role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-            role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
-            aws-region: ${{ env.AWS_REGION }}
+          aws-region: ${{ env.AWS_REGION }}
-        - name: DEBUG - Show IaC files
+      - name: DEBUG - Show IaC files
-          if: env.ENABLE_DEBUG == 'true'
+        if: env.ENABLE_DEBUG == 'true'
-          run: |
+        run: |
-            echo "OSVAR = $OSVAR"
+          echo "OSVAR = $OSVAR"
-            echo "benchmark_type = $benchmark_type"
+          echo "benchmark_type = $benchmark_type"
-            pwd
+          pwd
-            ls
+          ls
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu init
+      - name: Tofu init
-          id: init
+        id: init
-          run: tofu init
+        run: tofu init
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu validate
+      - name: Tofu validate
-          id: validate
+        id: validate
-          run: tofu validate
+        run: tofu validate
-          env:
+        env:
-            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+          # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-        - name: Tofu apply
+      - name: Tofu apply
-          id: apply
+        id: apply
-          env:
+        env:
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_ansible_version: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-          run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
        run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 ## Debug Section
-        - name: DEBUG - Show Ansible hostfile
+      - name: DEBUG - Show Ansible hostfile
-          if: env.ENABLE_DEBUG == 'true'
+        if: env.ENABLE_DEBUG == 'true'
-          run: cat hosts.yml
+        run: cat hosts.yml
-  # Aws deployments taking a while to come up insert sleep or playbook fails
+# Aws deployments taking a while to come up insert sleep or playbook fails
-        - name: Sleep to allow system to come up
+      - name: Sleep to allow system to come up
-          run: sleep ${{ vars.BUILD_SLEEPTIME }}
+        run: sleep ${{ vars.BUILD_SLEEPTIME }}
-      # Run the Ansible playbook
+    # Run the Ansible playbook
-        - name: Run_Ansible_Playbook
+      - name: Run_Ansible_Playbook
-          env:
+        env:
-            ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_HOST_KEY_CHECKING: "false"
-            ANSIBLE_DEPRECATION_WARNINGS: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
-          run: |
+        run: |
-            /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+          /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
-      # Remove test system - User secrets to keep if necessary
+    # Remove test system - User secrets to keep if necessary
-        - name: Tofu Destroy
+      - name: Tofu Destroy
-          if: always() && env.ENABLE_DEBUG == 'false'
+        if: always() && env.ENABLE_DEBUG == 'false'
-          env:
+        env:
-            OSVAR: ${{ vars.OSVAR }}
+          OSVAR: ${{ vars.OSVAR }}
-            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+          TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-          run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+        run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,6 @@
 .env
 *.log
 *.retry
 .cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile
@ -10,11 +9,9 @@ tests/Dockerfile
 packer_cache
 delete*
 ignore*
 test_inv
 # temp remove doc while this is built up
 doc/
 # VSCode
 .vscode
 vagrant
 # Byte-compiled / optimized / DLL files
 __pycache__/
@ -39,13 +36,29 @@ tramp
 rh-creds.env
 travis.env
 # Secret/key files
 *.vault
 *.key
 *.pem
 *.p12
 *.pfx
 *.keystore
 *.jks
 *.credentials
 *vault_pass*
 .vault_pass
 # Lockdown-specific
 benchparse/
 *xccdf.xml
 *.retry
 *.pdf
 *history.md
 *plan.md
 *qa_report*
 # GitHub Action/Workflow files
 .github/
-# Precommit exclusions
+# ansible-lint
 .ansible/
--- a/.yamllint
+++ b/.yamllint
@ -17,7 +17,7 @@ rules:
  comments:
    ignore-shebangs: true
    min-spaces-from-content: 1 # prettier compatibility
-  comments-indentation: enable
+  comments-indentation: disable
  empty-lines:
    max: 1
  indentation:
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@ -1,4 +1,4 @@
-Contributing to MindPoint Group Projects
+Contributing to Ansible-Lockdown Projects
 ========================================
 Rules
@ -20,7 +20,7 @@ Signing your contribution
 We've chosen to use the Developer's Certificate of Origin (DCO) method
 that is employed by the Linux Kernel Project, which provides a simple
-way to contribute to MindPoint Group projects.
+way to contribute to Ansible-Lockdown projects.
 The process is to certify the below DCO 1.1 text
 ::
--- a/Changelog.md
+++ b/Changelog.md
@ -1,7 +1,34 @@
 # Changes to RHEL9CIS
 ## 2.0.5 - Based on CIS v2.0.0
 ## April 2026
 - bootloader password logic improved thanks to skullbringer on discord community
 - 7.1.12 and 7.1.13 fixed thanks to @bubaimondalsch #440
 - 4.3 tags updated
 - 2.1.x - improve logic for mask/disable/stop thanks to @numericillustration #434
 ## March 2026 — workspace alignment
 - Common files aligned to std
 - workflows updates
 - titles updates
 - levels aligned
 - auditd improvement
 - grammar, lint
 - vars naming
 - Linting: converted ~75 single-item when: conditions from list to inline format
 - Linting: added blank line after --- YAML document marker in 10 files
 - Linting: fixed register: key order in 8 tasks (now appears after changed_when/failed_when)
 - Linting: fixed spelling typo sddr → saddr in cis_4.3.x.yml
 - Defaults: added justification comments for service client and bluetooth variables
 ## Based on CIS v2.0.0
 # Feb26 2
 #430 thanks to @numericillustration - 5.4.2.5 missing echo
 # Feb26 1
 - QA Fixes
 - .j2 Branding Update
 - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
@ -77,34 +104,6 @@ tidy up tags on tasks/main.yml
  - public issue 372
  - allow password with different locale
 ## 2.0.4 - Based on CIS v2.0.0
 - addressed issue #419, thank you @aaronk1
 - addressed issue #418 thank you @bbaassssiiee
 - addressed issue #416 thank you @georgenalen and @bbaassssiiee
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
 - addressed issue #398 & #399 thanks to trumbaut
 - Added max-concurrent options for audit
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
 - pre-commit updates
 - #410 thanks to @kpi-nourman
 - #413 thanks to @bbaassssiiee
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
 - addressed issue #382 to improve regex logic on 5.4.2.4
 - improvement on crypto policy managed controls with var logic
 - addressed issue #384 thank you @polski-g
 - update command to shell module on tasks
 - addressed issue 371 thanks to @bgro and kodebach
 - addressed issue 350 thanks to @chrispipo
 - addressed issue 364 thanks to @polski-g
 - pre-commit update
 ## 2.0.2 - Based on CIS v2.0.0
 - Update to audit_only to allow fetching results
--- a/defaults/main.yml
+++ b/defaults/main.yml
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -246,18 +246,21 @@
 ## Auditd tasks note order for handlers to run
- name: Auditd immutable check
+- name: Auditd rules reload
-  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+  when: prelim_auditd_immutable_check.rc == 1 or discovered_augenrules_check.stdout is search('No change')
-  changed_when: false
+  ansible.builtin.command: augenrules --load
-  register: discovered_auditd_immutable_check
+  changed_when: true
  failed_when: discovered_augenrule_check.rc not in [ 0, 1 ]
  register: discovered_augenrule_check
 - name: Audit immutable fact
-  when: discovered_auditd_immutable_check.stdout == '1'
+  when: prelim_auditd_immutable_check is defined
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Set reboot required
 - name: Stop auditd process
  when: prelim_auditd_immutable_check is defined
  ansible.builtin.command: systemctl kill auditd
  changed_when: true
  listen: Restart auditd
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -25,7 +25,7 @@
 - name: Pre Audit Setup | Copy audit binary
  when: get_audit_binary_method == 'copy'
  ansible.builtin.copy:
-    src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
+    src: "{{ audit_bin_copy_location }}"
    dest: "{{ audit_bin }}"
    owner: root
    group: root
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -3,59 +3,47 @@
 # Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
 # we need to update the auditd rules depending on the architecture of the system.
 # This task passed the syscalls table to the auditd template and updates the auditd rules
 - name: "POST | AUDITD | Set supported_syscalls variable"
  ansible.builtin.shell: ausyscall --dump |  awk  '{print $2}'
  changed_when: false
  check_mode: false
  failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
  register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
+- name: "POST | AUDITD | Ensure use of privileged commands is collected"
-  ansible.builtin.stat:
+  ansible.builtin.shell: |
-    path: /etc/audit/rules.d/99_auditd.rules
+    {%- set egrep_exclude = "(asdfmnop|{{ rhel9cis_priv_command_excluded_mounts | join('|') }})" -%}
-  register: discovered_auditd_rules_file
+    for i in $(df | grep '^/dev' | grep -Ev '{{ egrep_exclude }}' | awk '{ print $NF }'); do
      find $i -xdev -type f -perm /6000 2>/dev/null;
    done
  changed_when: false
  failed_when: false
  check_mode: false
  register: discovered_privileged_commands
- name: POST | Apply auditd template for section 6.3.3.x
+- name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
  when: update_audit_template
  vars:
    supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
  ansible.builtin.template:
-    src: audit/99_auditd.rules.j2
+    src: etc/audit/rules.d/99_auditd.rules.j2
    dest: /etc/audit/rules.d/99_auditd.rules
    owner: root
    group: root
-    mode: 'u-x,g-wx,o-rwx'
+    mode: 'u-x,go-wx'
-  diff: "{{ discovered_auditd_rules_file.stat.exists }}"  # Only run diff if not a new file
+  register: discovered_audit_rules_updated
  register: discovered_auditd_rules_template_updated
  notify:
-    - Auditd immutable check
+    - Auditd rules reload
    - Audit immutable fact
    - Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa no-handler
+- name: POST | AUDITD | Set up auditd user logging exceptions
-  when:
+  when: rhel9cis_allow_auditd_uid_user_exclusions
    - discovered_auditd_rules_template_updated.changed
    - discovered_auditd_rules_file.stat.exists
  ansible.builtin.import_tasks:
    file: warning_facts.yml
  vars:
    warn_control_id: 'Auditd template updated, validate as expected'
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
  ansible.builtin.stat:
    path: /etc/audit/rules.d/98_auditd_exceptions.rules
  register: discovered_auditd_exception_file
 - name: POST | Set up auditd user logging exceptions | setup file
  when:
    - rhel9cis_allow_auditd_uid_user_exclusions
    - rhel9cis_auditd_uid_exclude | length > 0
  ansible.builtin.template:
-    src: audit/98_auditd_exception.rules.j2
+    src: etc/audit/rules.d/98_auditd_exception.rules.j2
    dest: /etc/audit/rules.d/98_auditd_exceptions.rules
    owner: root
    group: root
-    mode: '0640'
+    mode: 'u-x,go-rwx'
  diff: "{{ discovered_auditd_exception_file.stat.exists }}"
  notify: Restart auditd
 - name: POST | AUDITD | Flush handlers
  ansible.builtin.meta: flush_handlers
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -200,15 +200,13 @@
    file: auditd.yml
 - name: "Run post remediation tasks"
-  tags:
+  tags: always
    - post_tasks
    - always
  ansible.builtin.import_tasks:
    file: post.yml
- name: "Run post_remediation audit"
+- name: "Run post remediation audit"
  when: run_audit
-  tags: always
+  tags: run_audit
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -1,6 +1,6 @@
 ---
- name: Post Audit | Run post_remediation {{ benchmark }} audit  # noqa name[template]
+- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
  changed_when: true
  environment:
@ -14,11 +14,11 @@
    - name: Post Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
      changed_when: false
-      register: post_audit_summary
+      register: post_audit_summary_json
    - name: Post Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
-        post_audit_results: "{{ post_audit_summary.stdout }}"
+        post_audit_results: "{{ post_audit_summary_json.stdout }}"
 - name: Post Audit | Capture audit data if documentation format
  when: audit_format == "documentation"
@ -26,8 +26,8 @@
    - name: Post Audit | Capture audit data if documentation format
      ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}"  | tac | tr '\n' ' '
      changed_when: false
-      register: post_audit_summary
+      register: post_audit_summary_documentation
    - name: Post Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
-        post_audit_results: "{{ post_audit_summary.stdout }}"
+        post_audit_results: "{{ post_audit_summary_documentation.stdout }}"
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -6,7 +6,7 @@
  ansible.builtin.include_tasks:
    file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }}  # noqa name[template]
+- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
  ansible.builtin.file:
    path: "{{ audit_conf_dir }}"
    mode: 'go-w'
@ -71,8 +71,8 @@
    dest: "{{ audit_vars_path }}"
    mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation audit {{ benchmark }}  # noqa name[template]
+- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
-  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
+  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
@ -85,12 +85,11 @@
    - name: Pre Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
      changed_when: false
-      failed_when: pre_audit_summary.stderr | length > 0
+      register: pre_audit_summary_json
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
-        pre_audit_results: "{{ pre_audit_summary.stdout }}"
+        pre_audit_results: "{{ pre_audit_summary_json.stdout }}"
 - name: Pre Audit | Capture audit data if documentation format
  when: audit_format == "documentation"
@ -98,12 +97,11 @@
    - name: Pre Audit | Capture audit data if documentation format
      ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
      changed_when: false
-      failed_when: pre_audit_summary.stderr | length > 0
+      register: pre_audit_summary_documentation
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
-        pre_audit_results: "{{ pre_audit_summary.stdout }}"
+        pre_audit_results: "{{ pre_audit_summary_documentation.stdout }}"
 - name: Audit_Only | Run Audit Only
  when: audit_only
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -295,6 +295,13 @@
    state: directory
    mode: 'u+x,g-w,o-rwx'
 - name: "PRELIM | AUDIT | Discover if auditd is immutable"
  tags: always
  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  changed_when: false
  failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1, 2 ]
  register: prelim_auditd_immutable_check
 - name: "PRELIM | PATCH | Configure System Accounting (auditd)"
  when:
    - '"auditd" not in ansible_facts.packages'
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@ -1,12 +1,12 @@
 ---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
+- name: "1.1.2.3.1 | PATCH | Ensure separate partition exists for /home"
  when:
    - rhel9cis_rule_1_1_2_3_1
    - required_mount not in prelim_mount_names
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - audit
    - mounts
    - rule_1.1.2.3.1
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@ -1,12 +1,12 @@
 ---
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
+- name: "1.1.2.4.1 | PATCH | Ensure separate partition exists for /var"
  when:
    - rhel9cis_rule_1_1_2_4_1
    - required_mount not in prelim_mount_names
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - audit
    - mounts
    - rule_1.1.2.4.1
--- a/tasks/section_1/cis_1.1.2.5.x.yml
+++ b/tasks/section_1/cis_1.1.2.5.x.yml
@ -1,12 +1,12 @@
 ---
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
+- name: "1.1.2.5.1 | PATCH | Ensure separate partition exists for /var/tmp"
  when:
    - rhel9cis_rule_1_1_2_5_1
    - required_mount not in prelim_mount_names
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - audit
    - mounts
    - rule_1.1.2.5.1
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@ -1,12 +1,12 @@
 ---
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
+- name: "1.1.2.6.1 | PATCH | Ensure separate partition exists for /var/log"
  when:
    - rhel9cis_rule_1_1_2_6_1
    - required_mount not in prelim_mount_names
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - audit
    - mounts
    - rule_1.1.2.6.1
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@ -1,12 +1,12 @@
 ---
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
+- name: "1.1.2.7.1 | PATCH | Ensure separate partition exists for /var/log/audit"
  when:
    - rhel9cis_rule_1_1_2_7_1
    - required_mount not in prelim_mount_names
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - audit
    - mounts
    - rule_1.1.2.7.1
--- a/tasks/section_1/cis_1.3.1.x.yml
+++ b/tasks/section_1/cis_1.3.1.x.yml
@ -55,7 +55,7 @@
    policy: "{{ rhel9cis_selinux_pol }}"
    state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.4 | PATCH | Ensure the SELinux state is not disabled"
+- name: "1.3.1.4 | PATCH | Ensure the SELinux mode is not disabled"
  when:
    - rhel9cis_rule_1_3_1_4
    - not rhel9cis_selinux_disable
@ -72,7 +72,7 @@
    policy: "{{ rhel9cis_selinux_pol }}"
    state: "{{ rhel9cis_selinux_enforce }}"
- name: "1.3.1.5 | PATCH | Ensure the SELinux state is enforcing"
+- name: "1.3.1.5 | PATCH | Ensure the SELinux mode is enforcing"
  when:
    - rhel9cis_selinux_enforce == 'enforcing'
    - rhel9cis_rule_1_3_1_5
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -11,15 +11,27 @@
    - patch
    - rule_1.4.1
    - NIST800-53R5_AC-3
-  ansible.builtin.copy:
+  block:
-    dest: /boot/grub2/user.cfg
+    - name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (no python passlib required)"
-    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
+      when: rhel9cis_bootloader_salt | length == 0
-    owner: root
+      ansible.builtin.set_fact:
-    group: root
+        rhel9cis_compiled_bootloader_password: "{{ rhel9cis_bootloader_password_hash }}"
    mode: 'go-rwx'
  notify: Grub2cfg
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (python passlib required)"
      when: rhel9cis_bootloader_salt | length > 0
      ansible.builtin.set_fact:
        rhel9cis_compiled_bootloader_password: "{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
    - name: "1.4.1 | PATCH | Ensure bootloader password is set"
      ansible.builtin.copy:
        dest: /boot/grub2/user.cfg
        content: "GRUB2_PASSWORD={{ rhel9cis_compiled_bootloader_password }}" # noqa template-instead-of-copy
        owner: root
        group: root
        mode: 'go-rwx'
      notify: Grub2cfg
 - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
  when: rhel9cis_rule_1_4_2
  tags:
    - level1-server
@ -29,7 +41,7 @@
    - rule_1.4.2
    - NIST800-53R5_AC-3
  block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
+    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | bios based system"
      when: rhel9cis_legacy_boot
      ansible.builtin.file:
        path: "/boot/grub2/{{ item.path }}"
@ -44,7 +56,7 @@
        - { path: 'grubenv', mode: 'u-x,go-rwx' }
        - { path: 'user.cfg', mode: 'u-x,go-rwx' }
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
+    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system"
      when: not rhel9cis_legacy_boot
      vars:
        efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
@ -55,13 +67,13 @@
          check_mode: false
          register: discovered_efi_fstab
-        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
+        - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Build Options"
          when: item not in discovered_efi_fstab.stdout
          ansible.builtin.set_fact:
            efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
          loop: "{{ efi_mount_options }}"
-        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
+        - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Add mount options"
          when: efi_mount_opts_addition | length > 0
          ansible.builtin.lineinfile:
            path: /etc/fstab
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -1,6 +1,6 @@
 ---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
+- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
  when: rhel9cis_rule_1_5_1
  tags:
    - level1-server
@ -11,11 +11,11 @@
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-6.1
  block:
-    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
+    - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
-    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
+    - name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -130,7 +130,7 @@
        - Update Crypto Policy
        - Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
+- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh"
  when:
    - rhel9cis_rule_1_6_6
    - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
@ -144,7 +144,7 @@
    - rule_1.6.6
    - NIST800-53R5_SC-6
  block:
-    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
+    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | Add submodule exclusion"
      ansible.builtin.template:
        src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
@ -153,7 +153,7 @@
        mode: 'g-wx,o-rwx'
      register: discovered_no_sshweakciphers_template
-    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
+    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20- poly1305 for ssh | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
      changed_when: discovered_no_sshweakciphers_template is changed  # noqa: no-handler
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@ -53,7 +53,7 @@
    group: root
    mode: 'go-wx'
- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
+- name: "1.7.4 | PATCH | Ensure access to /etc/motd is configured"
  when: rhel9cis_rule_1_7_4
  tags:
    - level1-server
@ -69,7 +69,7 @@
    group: root
    mode: 'go-wx'
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
+- name: "1.7.5 | PATCH | Ensure access to /etc/issue is configured"
  when: rhel9cis_rule_1_7_5
  tags:
    - level1-server
@ -85,7 +85,7 @@
    group: root
    mode: 'go-wx'
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
+- name: "1.7.6 | PATCH | Ensure access to /etc/issue.net is configured"
  when: rhel9cis_rule_1_7_6
  tags:
    - level1-server
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@ -198,7 +198,7 @@
    - rhel9cis_gui
  tags:
    - level1-server
-    - level2-workstation
+    - level1-workstation
    - patch
    - gui
    - rule_1.8.8
@ -226,7 +226,7 @@
    - rhel9cis_gui
  tags:
    - level1-server
-    - level2-workstation
+    - level1-workstation
    - patch
    - gui
    - rule_1.8.9
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -28,8 +28,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: autofs
-        enabled: false
+        enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@ -60,8 +60,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - avahi-daemon.socket
@ -93,8 +93,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - dhcpd.service
@ -126,11 +126,11 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: named.service
-        enabled: false
+        enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
+- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
  when: rhel9cis_rule_2_1_5
  tags:
    - level1-server
@ -141,7 +141,7 @@
    - NIST800-53R5_CM-7
    - rule_2.1.5
  block:
-    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
+    - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
      when:
        - not rhel9cis_dnsmasq_server
        - not rhel9cis_dnsmasq_mask
@ -149,15 +149,15 @@
        name: dnsmasq
        state: absent
-    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
+    - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
      when:
        - not rhel9cis_dnsmasq_server
        - rhel9cis_dnsmasq_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: dnsmasq.service
-        enabled: false
+        enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
@ -187,8 +187,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: smb.service
-        enabled: false
+        enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@ -218,8 +218,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: vsftpd.service
-        enabled: false
+        enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@ -252,8 +252,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - "dovecot.socket"
@ -288,8 +288,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: nfs-server.service
-        enabled: false
+        enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.10 | PATCH | Ensure nis server services are not in use"
@ -318,8 +318,8 @@
        - rhel9cis_nis_mask
      ansible.builtin.systemd:
        name: ypserv.service
-        enabled: false
+        enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.11 | PATCH | Ensure print server services are not in use"
@ -347,8 +347,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - "cups.socket"
@ -381,8 +381,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - rpcbind.service
@ -415,8 +415,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - 'rsyncd.socket'
@ -448,8 +448,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: snmpd.service
-        enabled: false
+        enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@ -479,8 +479,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: telnet.socket
-        enabled: false
+        enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@ -509,8 +509,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - 'tftp.socket'
@ -543,8 +543,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: squid.service
-        enabled: false
+        enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.18 | PATCH | Ensure web server services are not in use"
@ -583,8 +583,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: httpd.service
-        enabled: false
+        enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@ -594,8 +594,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: ngnix.service
-        enabled: false
+        enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
@ -624,8 +624,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: xinetd.service
-        enabled: false
+        enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.20 | PATCH | Ensure X window server services are not in use"
@ -633,8 +633,7 @@
    - not rhel9cis_xwindow_server
    - rhel9cis_rule_2_1_20
  tags:
-    - level1-server
+    - level2-server
    - level1-workstation
    - automated
    - patch
    - xwindow
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@ -64,7 +64,7 @@
    name: telnet
    state: absent
- name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
+- name: "2.2.5 | PATCH | Ensure tftp client is not installed"
  when:
    - not rhel9cis_tftp_client
    - rhel9cis_rule_2_2_5
--- a/tasks/section_2/cis_2.4.x.yml
+++ b/tasks/section_2/cis_2.4.x.yml
@ -1,6 +1,6 @@
 ---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
  when: rhel9cis_rule_2_4_1_1
  tags:
    - level1-server
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -105,6 +105,6 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: bluetooth.service
-        enabled: false
+        enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -1,6 +1,6 @@
 ---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
+- name: "3.3.1 | PATCH | Ensure ip forwarding is disabled"
  when:
    - not rhel9cis_is_router
    - rhel9cis_rule_3_3_1
@ -16,23 +16,23 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
+    - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
+    - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv4 forwarding"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
-    - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
+    - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | IPv6"
      when: rhel9cis_ipv6_required
      block:
-        - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
+        - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding | Set Fact"
          ansible.builtin.set_fact:
            rhel9cis_flush_ipv6_route: true
-        - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
+        - name: "3.3.1 | PATCH | Ensure ip forwarding is disabled | Disable IPv6 forwarding"
          ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
@ -60,7 +60,7 @@
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
+- name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
  when: rhel9cis_rule_3_3_3
  tags:
    - level1-server
@ -74,16 +74,16 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
+    - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
+    - name: "3.3.3 | PATCH | Ensure bogus icmp responses are ignored"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
+- name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored"
  when: rhel9cis_rule_3_3_4
  tags:
    - level1-server
@ -97,7 +97,7 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
+    - name: "3.3.4 | PATCH | Ensure broadcast icmp requests are ignored | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
@ -106,7 +106,7 @@
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
+- name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
  when: rhel9cis_rule_3_3_5
  tags:
    - level1-server
@ -120,27 +120,27 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
+    - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
+    - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
-    - name: "3.3.5 | PATCH | Ensure  ICMP redirects are not accepted | IPv6"
+    - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
      when: rhel9cis_ipv6_required
      block:
-        - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
+        - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6 | Set Fact"
          ansible.builtin.set_fact:
            rhel9cis_flush_ipv6_route: true
-        - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
+        - name: "3.3.5 | PATCH | Ensure icmp redirects are not accepted | IPv6"
          ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
+- name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted"
  when: rhel9cis_rule_3_3_6
  tags:
    - level1-server
@ -154,27 +154,27 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
+    - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4 | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
+    - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv4"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
-    - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
+    - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
      when: rhel9cis_ipv6_required
      block:
-        - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
+        - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6 | Set Fact"
          ansible.builtin.set_fact:
            rhel9cis_flush_ipv6_route: true
-        - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
+        - name: "3.3.6 | PATCH | Ensure secure icmp redirects are not accepted | IPv6"
          ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
+- name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
  when: rhel9cis_rule_3_3_7
  tags:
    - level1-server
@ -188,12 +188,12 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
+    - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
+    - name: "3.3.7 | PATCH | Ensure reverse path filtering is enabled"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -249,7 +249,7 @@
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
+- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
  when: rhel9cis_rule_3_3_10
  tags:
    - level1-server
@ -263,22 +263,22 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
+    - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv4_route: true
-    - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
+    - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
+- name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted"
  when:
    - rhel9cis_ipv6_required
    - rhel9cis_rule_3_3_11
  tags:
-    - level2-server
+    - level1-server
-    - level2-workstation
+    - level1-workstation
    - sysctl
    - patch
    - rule_3.3.11
@ -288,11 +288,11 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
+    - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6 | Set Fact"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true
-    - name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
+    - name: "3.3.11 | PATCH | Ensure ipv6 router advertisements are not accepted | IPv6"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@ -7,7 +7,11 @@
    - rhel9cis_rule_4_3_2
    - rhel9cis_rule_4_3_3
    - rhel9cis_rule_4_3_4
-  tags: always
+  tags:
    - rule_4.3.1
    - rule_4.3.2
    - rule_4.3.3
    - rule_4.3.4
  ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
  changed_when: true
@ -210,7 +214,7 @@
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
      changed_when: true
-    - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
+    - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip saddr rule | nftables"
      when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
      changed_when: true
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -134,7 +134,7 @@
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
+- name: "5.1.6 | PATCH | Ensure sshd MACs are configured"
  when:
    - rhel9cis_rule_5_1_6
    - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
@ -148,7 +148,7 @@
    - rule_5.1.6
    - NIST800-53R5_SC-6
  block:
-    - name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
+    - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | Add submodule exclusion"
      ansible.builtin.template:
        src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
@ -159,7 +159,7 @@
        - Update Crypto Policy
        - Set Crypto Policy
-    - name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
+    - name: "5.1.6 | PATCH | Ensure sshd MACs are configured | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
@ -290,7 +290,7 @@
 - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
  when: rhel9cis_rule_5_1_11
  tags:
-    - level1-server
+    - level2-server
    - level1-workstation
    - patch
    - sshd
@ -360,7 +360,7 @@
    validate: sshd -t -f %s
  notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
+- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is configured"
  when: rhel9cis_rule_5_1_14
  tags:
    - level1-server
@ -378,7 +378,7 @@
    validate: sshd -t -f %s
  notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
+- name: "5.1.15 | PATCH | Ensure sshd LogLevel is configured"
  when: rhel9cis_rule_5_1_15
  tags:
    - level1-server
@ -398,7 +398,7 @@
    validate: sshd -t -f %s
  notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
+- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
  when: rhel9cis_rule_5_1_16
  tags:
    - level1-server
@ -438,7 +438,7 @@
    validate: sshd -t -f %s
  notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
+- name: "5.1.18 | PATCH | Ensure sshd MaxSessions is configured"
  when: rhel9cis_rule_5_1_18
  tags:
    - level1-server
@ -522,7 +522,7 @@
    validate: sshd -t -f %s
  notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
+- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
  when: rhel9cis_rule_5_1_22
  tags:
    - level1-server
--- a/tasks/section_5/cis_5.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.1.x.yml
@ -39,7 +39,7 @@
      ansible.builtin.set_fact:
        authselect_update: OK
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
+- name: "5.3.1.3 | PATCH | Ensure latest version of libpwquality is installed"
  when:
    - rhel9cis_rule_5_3_1_3
    - ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -65,7 +65,7 @@
          failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
          register: discovered_authselect_current_faillock
-        - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect"  # noqa syntax-check[specific]"
+        - name: '5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect"  # noqa syntax-check[specific]'
          when:
            - rhel9cis_allow_authselect_updates
            - discovered_authselect_current_faillock.rc != 0
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -87,8 +87,8 @@
 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
  when: rhel9cis_rule_5_3_3_1_3
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - automated
    - patch
    - pam
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -67,7 +67,7 @@
    - NIST800-53R5_IA-5
    - pam
  block:
-    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
+    - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from conf files except expected file"
      when:
        - item != rhel9cis_passwd_minlen_file
        - rhel9cis_disruption_high
@ -81,7 +81,7 @@
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
-    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
+    - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Ensure minlen file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_minlen_file }}.j2"
        dest: "/{{ rhel9cis_passwd_minlen_file }}"
@ -89,7 +89,7 @@
        group: root
        mode: 'go-rwx'
-    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
+    - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
@ -101,7 +101,7 @@
        - password
        - system
-    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
+    - name: "5.3.3.2.2 | PATCH | Ensure password length is configured | Remove minlen from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
@ -226,7 +226,7 @@
        - system
      notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
+- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
  when: rhel9cis_rule_5_3_3_2_5
  tags:
    - level1-server
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@ -15,13 +15,13 @@
      failed_when: discovered_pwhistory_remember.rc not in [0, 1]
      register: discovered_pwhistory_remember
-    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
+    - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set pwhistory file"
      ansible.builtin.lineinfile:
        path: "/etc/security/pwhistory.conf"
        regexp: remember\s*=\s*\d*
        line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
-    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
+    - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
@ -33,7 +33,7 @@
        - password
        - system
-    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
+    - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Remove remember from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
--- a/tasks/section_5/cis_5.3.3.4.x.yml
+++ b/tasks/section_5/cis_5.3.3.4.x.yml
@ -27,7 +27,7 @@
        replace: ''
      loop: "{{ discovered_pam_nullok.stdout_lines }}"
-    - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
+    - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Remove nullok from pam files AuthSelect"
      when: rhel9cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
@ -65,7 +65,7 @@
        replace: ''
      loop: "{{ discovered_pam_remember.stdout_lines }}"
-    - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember  | Remove remember from pam files AuthSelect"
+    - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
      when: rhel9cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -1,6 +1,6 @@
 ---
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
+- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
  when: rhel9cis_rule_5_4_1_1
  tags:
    - level1-server
@ -14,7 +14,7 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
-    - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
+    - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
@ -27,7 +27,7 @@
      check_mode: false
      register: discovered_max_days
-    - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
+    - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
      when:
        - discovered_max_days.stdout_lines | length > 0
        - item in prelim_interactive_users | map(attribute='username') | list
@ -40,8 +40,8 @@
 - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
  when: rhel9cis_rule_5_4_1_2
  tags:
-    - level1-server
+    - level2-server
-    - level1-workstation
+    - level2-workstation
    - patch
    - password
    - rule_5.4.1.2
@ -140,7 +140,7 @@
      check_mode: false
      register: discovered_passwdlck_user_list
-    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
+    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
      when: item in prelim_interactive_users |  map(attribute='username') | list
      ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
      changed_when: true
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -94,7 +94,7 @@
      vars:
        warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
+- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
  when: rhel9cis_rule_5_4_2_4
  tags:
    - level1-server
@ -105,7 +105,7 @@
  ansible.builtin.debug:
    msg: "This is set as an assert in tasks/main"
- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
+- name: "5.4.2.5 | PATCH | Ensure root path integrity"
  when: rhel9cis_rule_5_4_2_5
  tags:
    - level1-server
--- a/tasks/section_6/cis_6.2.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.2.1.x.yml
@ -72,8 +72,8 @@
    - NIST800-53R5_AU-12
  ansible.builtin.systemd:
    name: "{{ item }}"
-    state: stopped
+    state: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary('stopped', omit) }}"
-    enabled: false
+    enabled: "{{ ('systemd-journal-upload' in ansible_facts.packages) | ternary(false, omit) }}"
    masked: true
  loop:
    - systemd-journal-remote.socket
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -4,7 +4,7 @@
  when: rhel9cis_rule_6_2_2_2
  tags:
    - level1-server
-    - level2-workstation
+    - level1-workstation
    - patch
    - journald
    - rule_6.2.2.2
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -1,6 +1,6 @@
 ---
- name: "6.2.3.1 | PATCH | Ensure rsyslog installed"
+- name: "6.2.3.1 | PATCH | Ensure rsyslog is installed"
  when:
    - "'rsyslog' not in ansible_facts.packages"
    - rhel9cis_rule_6_2_3_1
@ -17,7 +17,7 @@
    name: rsyslog
    state: present
- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
+- name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
  when: rhel9cis_rule_6_2_3_2
  tags:
    - level1-server
@ -68,7 +68,7 @@
    line: '$FileCreateMode 0640'
  notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured"
+- name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured"
  when: rhel9cis_rule_6_2_3_5
  tags:
    - level1-server
@ -93,7 +93,7 @@
          - "These are the current logging configurations for rsyslog, please review:"
          - "{{ discovered_configured_rsyslog.stdout_lines }}"
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | mail.* log setting"
      when: rhel9cis_rsyslog_ansiblemanaged
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
@ -107,7 +107,7 @@
        insertafter: '# Log all the mail messages in one place.'
      notify: Restart rsyslog
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | news.crit log setting"
      when: rhel9cis_rsyslog_ansiblemanaged
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
@ -120,7 +120,7 @@
        insertafter: '# Save news errors of level crit and higher in a special file.'
      notify: Restart rsyslog
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Misc. log setting"
      when: rhel9cis_rsyslog_ansiblemanaged
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
@ -134,7 +134,7 @@
        insertbefore: '# ### sample forwarding rule ###'
      notify: Restart rsyslog
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Local log settings"
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
        state: present
@ -149,7 +149,7 @@
        insertafter: '#### RULES ####'
      notify: Restart rsyslog
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Auth Settings"
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
        state: present
@ -160,7 +160,7 @@
        insertafter: '#### RULES ####'
      notify: Restart rsyslog
-    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings"
+    - name: "6.2.3.5 | PATCH | Ensure rsyslog logging is configured | Cron Settings"
      ansible.builtin.blockinfile:
        path: /etc/rsyslog.conf
        state: present
@ -208,7 +208,7 @@
    - NIST800-53R5_AU-12
    - NIST800-53R5_CM-6
  block:
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not log host"
      when: not rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
        - '^(module\(load="imtcp"\))'
        - '^(input\(type="imtcp")'
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When log host"
      when: rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
@ -254,7 +254,7 @@
        state: started
        enabled: true
-    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
+    - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | set rsyslog conf"
      ansible.builtin.template:
        src: etc/logrotate.d/rsyslog_log.j2
        dest: /etc/logrotate.d/rsyslog_log
--- a/tasks/section_6/cis_6.3.1.x.yml
+++ b/tasks/section_6/cis_6.3.1.x.yml
@ -1,6 +1,6 @@
 ---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
+- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed"
  when: rhel9cis_rule_6_3_1_1
  tags:
    - level2-server
@ -13,13 +13,13 @@
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  block:
-    - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
+    - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd packages"
      when: '"auditd" not in ansible_facts.packages'
      ansible.builtin.package:
        name: audit
        state: present
-    - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
+    - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed | Install auditd-lib packages"
      when: '"auditd-lib" not in ansible_facts.packages'
      ansible.builtin.package:
        name: audit-libs
--- a/tasks/section_6/cis_6.3.3.x.yml
+++ b/tasks/section_6/cis_6.3.3.x.yml
@ -67,7 +67,7 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
+- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
  when: rhel9cis_rule_6_3_3_6
  tags:
    - level2-server
@ -77,14 +77,14 @@
    - rule_6.3.3.6
    - NIST800-53R5_AU-3
  block:
-    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
+    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
      ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_priv_procs
-    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
+    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
      ansible.builtin.set_fact:
        update_audit_template: true
      notify: update auditd
@ -197,11 +197,11 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
+- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are collected"
  when: rhel9cis_rule_6_3_3_15
  tags:
    - level2-server
-    - level2- workstation
+    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.15
@ -212,7 +212,7 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
+- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are collected"
  when: rhel9cis_rule_6_3_3_16
  tags:
    - level2-server
@ -227,7 +227,7 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
+- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are collected"
  when: rhel9cis_rule_6_3_3_17
  tags:
    - level2-server
@ -242,7 +242,7 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
+- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are collected"
  when: rhel9cis_rule_6_3_3_18
  tags:
    - level2-server
@ -257,7 +257,7 @@
    update_audit_template: true
 # All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
+- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
  when: rhel9cis_rule_6_3_3_19
  tags:
    - level2-server
@ -295,9 +295,9 @@
    - auditd
    - rule_6.3.3.21
    - NIST800-53R5_AU-3
-  ansible.builtin.debug:
+  ansible.builtin.command: augenrules --check
-    msg:
+  changed_when: false
-      - "Please run augenrules --load if you suspect there is a configuration that is not active"
+  register: discovered_augenrules_check
 - name: Auditd | 6.3.3.x | Auditd controls updated
  when: update_audit_template
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
-  when:
+  when: rhel9cis_rule_7_1_1
    - rhel9cis_rule_7_1_1
  tags:
    - level1-server
    - level1-workstation
@ -18,8 +17,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
-  when:
+  when: rhel9cis_rule_7_1_2
    - rhel9cis_rule_7_1_2
  tags:
    - level1-server
    - level1-workstation
@ -35,8 +33,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
-  when:
+  when: rhel9cis_rule_7_1_3
    - rhel9cis_rule_7_1_3
  tags:
    - level1-server
    - level1-workstation
@ -52,8 +49,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
-  when:
+  when: rhel9cis_rule_7_1_4
    - rhel9cis_rule_7_1_4
  tags:
    - level1-server
    - level1-workstation
@ -69,8 +65,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
-  when:
+  when: rhel9cis_rule_7_1_5
    - rhel9cis_rule_7_1_5
  tags:
    - level1-server
    - level1-workstation
@ -86,8 +81,7 @@
    mode: 'ugo-rwx'
 - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
-  when:
+  when: rhel9cis_rule_7_1_6
    - rhel9cis_rule_7_1_6
  tags:
    - level1-server
    - level1-workstation
@ -103,8 +97,7 @@
    mode: 'ugo-rwx'
 - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
-  when:
+  when: rhel9cis_rule_7_1_7
    - rhel9cis_rule_7_1_7
  tags:
    - level1-server
    - level1-workstation
@ -120,8 +113,7 @@
    mode: 'ugo-rwx'
 - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
-  when:
+  when: rhel9cis_rule_7_1_8
    - rhel9cis_rule_7_1_8
  tags:
    - level1-server
    - level1-workstation
@ -137,8 +129,7 @@
    mode: 'ugo-rwx'
 - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
-  when:
+  when: rhel9cis_rule_7_1_9
    - rhel9cis_rule_7_1_9
  tags:
    - level1-server
    - level1-workstation
@ -154,8 +145,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
-  when:
+  when: rhel9cis_rule_7_1_10
    - rhel9cis_rule_7_1_10
  tags:
    - level1-server
    - level1-workstation
@ -173,8 +163,7 @@
  register: discovered_file_exists
 - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
-  when:
+  when: rhel9cis_rule_7_1_11
    - rhel9cis_rule_7_1_11
  tags:
    - level1-server
    - level1-workstation
@ -191,7 +180,7 @@
      changed_when: false
      register: discovered_world_writable
-    - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
+    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
      when:
        - discovered_world_writable.stdout_lines is defined
        - discovered_world_writable.stdout_lines | length > 0
@ -202,15 +191,14 @@
        state: touch
      loop: "{{ discovered_world_writable.stdout_lines }}"
-    - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
+    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable directories add sticky bit"
      ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
      failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
      changed_when: discovered_set_stickybit.rc == 0
      register: discovered_set_stickybit
 - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
-  when:
+  when: rhel9cis_rule_7_1_12
    - rhel9cis_rule_7_1_12
  tags:
    - level1-server
    - level1-workstation
@ -223,7 +211,7 @@
    warn_control_id: '7.1.12'
  block:
    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-      ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
+      ansible.builtin.command: "find {{ item.mount }} -xdev {{ rhel9cis_exclude_unowned_search_path }} \\( -nouser -o -nogroup \\) -not -fstype nfs"
      changed_when: false
      failed_when: false
      check_mode: false
@ -266,8 +254,7 @@
        file: warning_facts.yml
 - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
-  when:
+  when: rhel9cis_rule_7_1_13
    - rhel9cis_rule_7_1_13
  tags:
    - level1-server
    - level1-workstation
@ -285,7 +272,7 @@
    warn_control_id: '7.1.13'
  block:
    - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
-      ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
+      ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 -o -04000 \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
@ -309,7 +296,7 @@
          - "The files are listed below, please confirm the integrity of these binaries"
          - "{{ discovered_suid_sgid_files_flatten }}"
-    - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
+    - name: "7.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit"
      when:
        - rhel9cis_suid_sgid_adjust
        - discovered_suid_sgid_files_flatten | length > 0
--- a/templates/etc/audit/rules.d/98_auditd_exception.rules.j2
+++ b/templates/etc/audit/rules.d/98_auditd_exception.rules.j2
--- a/templates/etc/audit/rules.d/99_auditd.rules.j2
+++ b/templates/etc/audit/rules.d/99_auditd.rules.j2
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,6 +1,10 @@
 ---
 # vars file for RHEL9-CIS
 # Set default value for reboot value
 change_requires_reboot: false
 min_ansible_version: 2.10.1
 rhel9cis_allowed_crypto_policies:
  - 'DEFAULT'
@ -24,8 +28,6 @@ rhel9cis_allowed_crypto_policies_modules:
  - 'NO-SSHWEAKMAC'
  - 'NO-WEAKMAC'
 rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0