diff --git a/defaults/main.yml b/defaults/main.yml
index 3a6a356..d37ae5e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: root
 ubtu24cis_set_grub_user_pass: false
-ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme
 ubtu24cis_grub_user_file: /etc/grub.d/00_user
 ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret
 ubtu24cis_set_boot_pass: false
@@ -1069,6 +1068,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
 # journald or rsyslog
 ubtu24cis_syslog_service: 'journald'
 
+# Enable rsyslog logging to be managed by ansible
+ubtu24cis_rsyslog_ansible_managed: true
+
 
 ## Controls 6.1.1.x journald
 # This variable specifies the address of the remote log host where logs are being sent.
@@ -1107,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8
+# 6.1.3.8 LOGRotate
+# Optional to alow logrotate to be installed
+# While it is required for 6.1.3.8 its not installed by default on minimal image
+# or required for CIS to be installed, but in order to achieve ability to install has been added
+ubtu24cis_logrotate_pkg_install: false
+
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
diff --git a/handlers/main.yml b/handlers/main.yml
index e3a9c38..64b0aad 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
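Review bot: The comment block above `ubtu24cis_logrotate_pkg_install: false` has typos ("alow", "its") and does not say what happens when the flag stays false; since this same commit gates 6.1.3.8 on `'logrotate' in ansible_facts.packages`, a minimal image with the default leaves that control silently skipped rather than configured. I'd reword it to `# 6.1.3.8 logrotate` / `# Optional: allow the role to install logrotate. It is required for 6.1.3.8 but absent on minimal images;` / `# when false and the package is missing, control 6.1.3.8 is skipped without error.` For a hardening role it is worth considering whether true is the safer default.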
@@ -237,9 +237,7 @@
 changed_when: true
 
 - name: Auditd rules reload
- when:
- - not prelim_auditd_immutable_check or
- '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
+ when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
 ansible.builtin.command: augenrules --load
 changed_when: true
 
diff --git a/tasks/main.yml b/tasks/main.yml
index e246e7f..cfdb641 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
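Review bot: The new `when:` still runs `augenrules --load` on an immutable audit system whose rules changed, because it ORs the not-immutable test (`prelim_auditd_immutable_check.rc == 1`, i.e. grep found no `enabled 2`) with the "No change" test; on an `enabled 2` host that load fails, and on a mutable host the handler reloads even when `augenrules --check` reported no change. Both registers are also referenced unguarded: `discovered_augenrules_check` is only set when the 6.2.3.x check task runs and `prelim_auditd_immutable_check` only when auditd is in `ansible_facts.packages`, so a skipped task turns this handler into an undefined-variable failure. I'd combine with AND and defaults: `when: ('"No change" not in (discovered_augenrules_check.stdout | default("No change"))) and ((prelim_auditd_immutable_check.rc | default(1)) == 1)`, and add a comment above the handler stating that an immutable auditd needs a reboot for new rules to take effect, if that is the intended handling.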
@@ -62,31 +62,6 @@
 that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
 msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
 
-- name: Check ubtu24cis_grub_user password variable has been changed
- when: ubtu24cis_rule_1_4_1
- tags: always
- block:
- - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
- ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
- changed_when: false
- register: ubtu24cis_password_set_grub_user
-
- - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
- when:
- - "'$y$' in ubtu24cis_password_set_grub_user.stdout"
- - ubtu24cis_set_grub_user_pass
- - ubtu24cis_rule_1_4_1
- ansible.builtin.assert:
- that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
- msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
-
- - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
- when: not ubtu24cis_set_grub_user_pass
- ansible.builtin.assert:
- that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
- fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
- success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
-
 - name: Setup rules if container
 when:
 - ansible_connection == 'docker' or
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 518cfe3..74ee0c7 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -7,7 +7,7 @@
 changed_when: false
 
 - name: "PRELIM | AUDIT | Register if snap being used"
- when: ubtu24cis_rule_1_1_1_6
+ when: ubtu24cis_rule_1_1_1_7
 tags: always
 ansible.builtin.shell: df -h | grep -wc "/snap"
 changed_when: false
@@ -15,7 +15,7 @@
 register: prelim_snap_pkg_mgr
 
 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
- when: ubtu24cis_rule_1_1_1_6
+ when: ubtu24cis_rule_1_1_1_7
 tags: always
 ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
 changed_when: false
@@ -218,7 +218,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
 when: "'auditd' in ansible_facts.packages"
 tags: always
- ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+ ansible.builtin.shell: auditctl -s | grep "enabled 2"
 changed_when: false
 failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
 register: prelim_auditd_immutable_check
@@ -256,3 +256,11 @@
 regexp: ^IPT_SYSCTL=.*
 line: IPT_SYSCTL=/etc/sysctl.conf
 mode: 'u-x,go-wx'
+
+- name: "OPTIONAL | PATCH | Install Logrotate if missing"
+ when:
+ - ubtu24cis_rule_6_1_3_8
+ - ubtu24cis_logrotate_pkg_install
+ ansible.builtin.package:
+ name: logrotate
+ state: present
diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml
index 2037c96..6242dee 100644
--- a/tasks/section_2/cis_2.3.1.x.yml
+++ b/tasks/section_2/cis_2.3.1.x.yml
@@ -26,14 +26,4 @@
 loop:
 - chrony
 - ntp
-
- - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
- when:
- - ubtu24cis_time_sync_tool != "systemd-timesyncd"
- - "'systemd-timesyncd' in ansible_facts.packages"
- ansible.builtin.service:
- name: systemd-timesyncd
- state: stopped
- enabled: false
- masked: true
- daemon_reload: true
+ - systemd-timesyncd
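Review bot: `auditctl -s | grep "enabled 2"` cannot tell a mutable audit system from a failed `auditctl`: the pipeline runs under /bin/sh without pipefail, so only grep's status is returned, and an auditctl error (missing binary, insufficient privilege) also yields rc 1, which the reload handler in this commit reads as "not immutable". I'd capture the status directly and let an auditctl failure surface: `ansible.builtin.command: auditctl -s` with the `failed_when` line dropped, and have consumers test `"'enabled 2' in prelim_auditd_immutable_check.stdout"` instead of `.rc`. The old form put a match count in `.stdout` while the new one puts the matched line there, so any other reader of that field outside this diff needs the same update.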
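Review bot: Installing logrotate here does not make 6.1.3.8 run on the same pass: that task is now gated on `'logrotate' in ansible_facts.packages`, and nothing re-gathers package facts after this install, so on a minimal image the first run installs the package and still skips the control (assuming package facts are collected earlier in prelim, which is not visible here). The task also lacks the `tags: always` that every other prelim task in this file carries, so a tag-filtered run such as `--tags level1-server` skips it entirely. I'd tag it, register the install, and refresh facts when it changed:

```yaml
- name: "OPTIONAL | PATCH | Install Logrotate if missing"
  when:
    - ubtu24cis_rule_6_1_3_8
    - ubtu24cis_logrotate_pkg_install
  tags: always
  ansible.builtin.package:
    name: logrotate
    state: present
  register: discovered_logrotate_install

- name: "OPTIONAL | PATCH | Refresh package facts after logrotate install"
  when: discovered_logrotate_install is changed
  tags: always
  ansible.builtin.package_facts:
    manager: auto
```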
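Review bot: `systemd-timesyncd` moves from a dedicated stop/disable/mask task into the `loop:` of a task whose module and `when:` start outside the hunk, so it is not visible whether that loop skips `ubtu24cis_time_sync_tool` or whether it removes the package or only stops the unit. If it only stops/disables, the `masked: true` the removed task applied is lost and a later package upgrade can re-enable the unit; if it removes the package, confirm the condition is `item != ubtu24cis_time_sync_tool` so the selected daemon is never removed. A comment on the new item, e.g. `# systemd-timesyncd is handled by this loop; the separate mask task and the 2.3.3.3 disable were removed`, would make that dependency explicit.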
diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml
index 5dcc083..3101212 100644
--- a/tasks/section_2/cis_2.3.2.x.yml
+++ b/tasks/section_2/cis_2.3.2.x.yml
@@ -23,7 +23,7 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/{{ item }}"
- mode: 'go-r'
+ mode: 'go-wx'
 owner: root
 group: root
 loop:
diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml
index 68af2fc..19177b9 100644
--- a/tasks/section_2/cis_2.3.3.x.yml
+++ b/tasks/section_2/cis_2.3.3.x.yml
@@ -58,19 +58,3 @@
 name: chrony
 state: started
 enabled: true
-
- - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
- when: "'systemd-timesyncd' in ansible_facts.packages"
- ansible.builtin.systemd:
- name: systemd-timesyncd
- state: stopped
- enabled: false
- masked: true
-
- - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
- when: "'ntpd' in ansible_facts.packages"
- ansible.builtin.systemd:
- name: ntpd
- state: stopped
- enabled: false
- masked: true
diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml
index e3e7d6b..bac9c32 100644
--- a/tasks/section_5/cis_5.4.3.x.yml
+++ b/tasks/section_5/cis_5.4.3.x.yml
@@ -34,7 +34,7 @@
 state: "{{ item.state }}"
 marker: "# {mark} - CIS benchmark - Ansible-lockdown"
 create: true
- mode: 'go-r'
+ mode: 'go-wx'
 block: |
 TMOUT={{ ubtu24cis_shell_session_timeout }}
 readonly TMOUT
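Review bot: `mode: 'go-wx'` only clears bits, so hosts already configured by the previous version of this task (`go-r`, which left the rendered files unreadable to group and other) keep that mode after the change; if these are the timesyncd configuration templates (the `loop:` items start outside the hunk) a daemon running as an unprivileged user would still be unable to read them. An absolute or additive mode fixes both fresh and upgraded hosts: `mode: '0644'` (or `'u=rw,go=r'`), matching the `'go+r,go-wx'` form this commit uses for the new umask script.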
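Review bot: `mode: 'go-wx'` does not restore the read bit, so an `/etc/profile.d/tmout.sh` created by an earlier run of this role with `go-r` stays unreadable to non-root users; Ubuntu's `/etc/profile` only sources profile.d scripts it can read, so `TMOUT` is then silently never set for those users while the task reports ok. Use an absolute or additive mode here: `mode: '0644'` or `mode: 'go+r,go-wx'`, as this commit already does for `50-umask.sh`. The enclosing blockinfile task starts outside the hunk.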
@@ -54,10 +54,20 @@
 - rule_5.4.3.3
 - NIST800-53R5_AC-3
 - NIST800-53R5_MP-2
- ansible.builtin.replace:
- path: "{{ item.path }}"
- regexp: (?i)(umask\s+\d\d\d)
- replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
- loop:
- - { path: '/etc/profile', line: 'umask' }
- - { path: '/etc/login.defs', line: 'UMASK' }
+ block:
+ - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
+ ansible.builtin.replace:
+ path: "{{ item.path }}"
+ regexp: (?i)(umask\s+\d\d\d)
+ replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
+ loop:
+ - { path: '/etc/profile', line: 'umask' }
+ - { path: '/etc/login.defs', line: 'UMASK' }
+
+ - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
+ ansible.builtin.template:
+ src: etc/profile.d/50-umask.sh.j2
+ dest: /etc/profile.d/50-umask.sh
+ owner: root
+ group: root
+ mode: 'go+r,go-wx'
diff --git a/tasks/section_6/cis_6.1.3.8.yml b/tasks/section_6/cis_6.1.3.8.yml
index 932801e..1c68890 100644
--- a/tasks/section_6/cis_6.1.3.8.yml
+++ b/tasks/section_6/cis_6.1.3.8.yml
@@ -1,7 +1,9 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
- when: ubtu24cis_rule_6_1_3_8
+ when:
+ - ubtu24cis_rule_6_1_3_8
+ - "'logrotate' in ansible_facts.packages"
 tags:
 - level1-server
 - level1-workstation
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 58db7d6..dbcbfa4 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -277,3 +277,4 @@
 - auditd
 ansible.builtin.command: augenrules --check
 changed_when: false
+ register: discovered_augenrules_check
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 7ddf258..02d8c3e 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
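Review bot: The added `"'logrotate' in ansible_facts.packages"` condition turns a missing logrotate into a silent skip of a CIS control, with nothing in the run output distinguishing "compliant" from "package absent and `ubtu24cis_logrotate_pkg_install` left false". I'd pair it with a visible warning ahead of the block, e.g. `- name: "6.1.3.8 | AUDIT | Warn when logrotate is absent"` / `when: ubtu24cis_rule_6_1_3_8 and 'logrotate' not in ansible_facts.packages` / `ansible.builtin.debug: msg: "logrotate is not installed; 6.1.3.8 skipped - set ubtu24cis_logrotate_pkg_install: true to install it"`. The block body continues outside the hunk.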
@@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
 # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
-ubtu24cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret
+ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret
 
 ## Controls 1.5.x
 
@@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }}
 ## Control 2.3.1.1
 # This variable choses the tool used for time synchronization
 # The two options are `chrony`and `systemd-timesyncd`.
-ubtu24cis_time_sync_tool: "systemd-timesyncd"
+ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
 
 ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
 # The following variable represents a list of of time server pools used
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name:
+ubtu24cis_time_pool:
 {% for pool in ubtu24cis_time_pool %}
 - name: {{ pool.name }}
 options: {{ pool.options }}
@@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
 
 # Section 6
 
+# This variable specifies the address of the remote log host where logs are being sent.
+ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}
+
 # 6.1.2
 # AIDE
 
diff --git a/templates/etc/profile.d/50-umask.sh.j2 b/templates/etc/profile.d/50-umask.sh.j2
new file mode 100644
index 0000000..e300e9c
--- /dev/null
+++ b/templates/etc/profile.d/50-umask.sh.j2
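Review bot: `{{ ubtu24cis_bootloader_password_hash }}` is rendered as a bare YAML scalar and is the live grub PBKDF2 hash that the pre-flight assert in tasks/main.yml requires to be set, so the rendered goss vars file on the managed host now carries bootloader credential material; the task that renders this template (not in this diff) should write it root-owned with `mode: '0600'`. I'd also quote it, `ubtu24cis_bootloader_password_hash: "{{ ubtu24cis_bootloader_password_hash }}"`, so an empty or special-character value cannot become a null or a parse error in the vars file. The two warning comments above still describe a root password; since this value is the bootloader hash, `# THIS IS THE GRUB BOOTLOADER PASSWORD HASH, NOT THE ROOT PASSWORD` would be accurate.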
@@ -0,0 +1,7 @@
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+
+# Set umask with highest precedence
+
+umask 027
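Review bot: `umask 027` is hard-coded while the sibling replace task in this commit writes `{{ ubtu24cis_bash_umask }}` into /etc/profile and /etc/login.defs; profile.d scripts are sourced from /etc/profile, so whatever the operator configured there is overridden by 027 for every login shell. Render the variable instead: `umask {{ ubtu24cis_bash_umask }}`. "Highest precedence" also only holds over scripts sorted before `50-`; a later `/etc/profile.d/*.sh` or a user's own dotfiles can still reset it, so I'd soften the comment to `# Applied after /etc/profile; later profile.d scripts or user dotfiles can still override it`.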