Merge pull request #4 from ansible-lockdown/alignment

Alignment
2024-12-10 08:13:27 +00:00 · 2024-12-10 08:13:27 +00:00 · b87b6fbefd
parent edc2819272 21b0465270
commit b87b6fbefd
73 changed files with 1024 additions and 1253 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -3,21 +3,7 @@
 parseable: true
 quiet: true
 skip_list:
-    - 'schema'
+  - 'package-latest'
-    - 'no-changed-when'
+  - 'risky-shell-pipe'
    - 'var-spacing'
    - 'experimental'
    - 'name[play]'
    - 'name[casing]'
    - 'name[template]'
    - 'key-order[task]'
    - 'yaml[line-length]'
    - '204'
    - '305'
    - '303'
    - '403'
    - '306'
    - '602'
    - '208'
 use_default_rules: true
 verbosity: 0
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -2,12 +2,12 @@
 ##### CI for use by github no need for action to be added
 ##### Inherited
 ci:
-    autofix_prs: false
+  autofix_prs: false
-    skip: [detect-aws-credentials, ansible-lint ]
+  skip: [detect-aws-credentials, ansible-lint ]
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
  hooks:
  # Safety
  - id: detect-aws-credentials
@ -35,12 +35,12 @@ repos:
  - id: detect-secrets
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.21.2
  hooks:
  - id: gitleaks
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.6.1
+  rev: v24.10.0
  hooks:
  - id: ansible-lint
    name: Ansible-lint
@ -56,7 +56,7 @@ repos:
    # If you want to use specific version of ansible-core or ansible, feel
    # free to override `additional_dependencies` in your own hook config
    # file.
-    - ansible-core>=2.10.1
+    #- ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
  rev: v1.35.1  # or higher tag
--- a/.yamllint
+++ b/.yamllint
@ -1,31 +1,38 @@
 ---
 extends: default
-
+locale: en_US.UTF-8
 ignore: |
    tests/
    molecule/
    .github/
    .gitlab-ci.yml
    *molecule.yml
 rules:
  indentation:
    # Requiring consistent indentation within a file, either indented or not
    indent-sequences: consistent
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  comments:
    ignore-shebangs: true
    min-spaces-from-content: 1 # prettier compatibility
  comments-indentation: false
  empty-lines:
    max: 1
-  line-length: disable
+  indentation:
    # Requiring 2 space indentation
    spaces: 2
    # Requiring consistent indentation within a file, either indented or not
    indent-sequences: consistent
  key-duplicates: enable
  line-length: disable
  new-line-at-end-of-file: enable
  new-lines:
    type: unix
  octal-values:
    forbid-implicit-octal: true # yamllint defaults to false
    forbid-explicit-octal: true
  trailing-spaces: enable
  truthy:
    allowed-values: ['true', 'false']
--- a/Changelog.md
+++ b/Changelog.md
@ -2,4 +2,11 @@
 ## Based on CIS v1.0.0
 ### 0.9.0
 Updated lint configs
 many tests improved
 spacing aligned
 lint updates
 ### Initial
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@ -1,14 +1,14 @@
 ---
 collections:
-    - name: community.general
+  - name: community.general
-      source: https://github.com/ansible-collections/community.general
+    source: https://github.com/ansible-collections/community.general
-      type: git
+    type: git
-    - name: community.crypto
+  - name: community.crypto
-      source: https://github.com/ansible-collections/community.crypto
+    source: https://github.com/ansible-collections/community.crypto
-      type: git
+    type: git
-    - name: ansible.posix
+  - name: ansible.posix
-      source: https://github.com/ansible-collections/ansible.posix
+    source: https://github.com/ansible-collections/ansible.posix
-      type: git
+    type: git
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -828,67 +828,67 @@ ubtu24cis_sshd_default_kex_algorithms:
  - diffie-hellman-group18-sha512
  - diffie-hellman-group14-sha256
-ubtu24cis_sshd:
+# SSH Settings
-  # This variable is used to control the verbosity of the logging produced by the SSH server.
+# This variable is used to control the verbosity of the logging produced by the SSH server.
-  # The options for setting it are as follows:
+# The options for setting it are as follows:
-  # - `QUIET`: Minimal logging;
+# - `QUIET`: Minimal logging;
-  # - `FATAL`: logs only fatal errors;
+# - `FATAL`: logs only fatal errors;
-  # - `ERROR`: logs error messages;
+# - `ERROR`: logs error messages;
-  # - `INFO`: logs informational messages in addition to errors;
+# - `INFO`: logs informational messages in addition to errors;
-  # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
+# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
-  # - `DEBUG`: generates very detailed debugging information including sensitive information.
+# - `DEBUG`: generates very detailed debugging information including sensitive information.
-  log_level: "{{ ubtu24cis_sshd_default_log_level }}"
+ubtu24cis_sshd_log_level: "{{ ubtu24cis_sshd_default_log_level }}"
-  # This variable specifies the maximum number of authentication attempts that are
+# This variable specifies the maximum number of authentication attempts that are
-  # allowed for a single SSH session.
+# allowed for a single SSH session.
-  max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
+ubtu24cis_sshd_max_auth_tries: "{{ ubtu24cis_sshd_default_max_auth_tries }}"
-  # This variable specifies the encryption algorithms that can be used for securing
+# This variable specifies the encryption algorithms that can be used for securing
-  # data transmission.
+# data transmission.
-  ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
+ubtu24cis_sshd_ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
-  # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
+# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
-  # the integrity of data exchanged.
+# the integrity of data exchanged.
-  macs: "{{ ubtu24cis_sshd_default_macs }}"
+ubtu24cis_sshd_macs: "{{ ubtu24cis_sshd_default_macs }}"
-  # This variable is used to state the key exchange algorithms used to establish secure encryption
+# This variable is used to state the key exchange algorithms used to establish secure encryption
-  # keys during the initial connection setup.
+# keys during the initial connection setup.
-  kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
+ubtu24cis_sshd_kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
-  # This variable sets the time interval in seconds between sending "keep-alive"
+# This variable sets the time interval in seconds between sending "keep-alive"
-  # messages from the server to the client. These types of messages are intended to
+# messages from the server to the client. These types of messages are intended to
-  # keep the connection alive and prevent it being terminated due to inactivity.
+# keep the connection alive and prevent it being terminated due to inactivity.
-  client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
+ubtu24cis_sshd_client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
-  # This variable sets the maximum number of unresponsive "keep-alive" messages
+# This variable sets the maximum number of unresponsive "keep-alive" messages
-  # that can be sent from the server to the client before the connection is considered
+# that can be sent from the server to the client before the connection is considered
-  # inactive and thus, closed.
+# inactive and thus, closed.
-  client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
+ubtu24cis_sshd_client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
-  # This variable specifies the amount of seconds allowed for successful authentication to
+# This variable specifies the amount of seconds allowed for successful authentication to
-  # the SSH server.
+# the SSH server.
-  login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
+ubtu24cis_sshd_login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
-  # This variables is used to set the maximum number of open sessions per connection.
+# This variables is used to set the maximum number of open sessions per connection.
-  max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
+ubtu24cis_sshd_max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
-  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
+# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
-  # access for users whose user name matches one of the patterns. This is done
+# access for users whose user name matches one of the patterns. This is done
-  # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
+# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
-  # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
+# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, see https://linux.die.net/man/5/sshd_config
+# For more info, see https://linux.die.net/man/5/sshd_config
-  allow_users: ""
+ubtu24cis_sshd_allow_users: ""
-  # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
-  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+# for users whose primary group or supplementary group list matches one of the patterns. This is done
-  # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
+# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, https://linux.die.net/man/5/sshd_config
+# For more info, https://linux.die.net/man/5/sshd_config
-  allow_groups: ""
+ubtu24cis_sshd_allow_groups: ""
-  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
-  # for users whose user name matches one of the patterns. This is done
+# for users whose user name matches one of the patterns. This is done
-  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
-  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, see https://linux.die.net/man/5/sshd_config
+# For more info, see https://linux.die.net/man/5/sshd_config
-  deny_users: ""
+ubtu24cis_sshd_deny_users: ""
-  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
-  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+# for users whose primary group or supplementary group list matches one of the patterns. This is done
-  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
-  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-  # For more info, see https://linux.die.net/man/5/sshd_config
+# For more info, see https://linux.die.net/man/5/sshd_config
-  deny_groups: ""
+ubtu24cis_sshd_deny_groups: ""
 ## Control 5.2.1
 # This variable represents the name of the sudo package to install
@ -1015,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24
 ## Controls 5.4.1.x - Password settings
 ubtu24cis_pass:
-  ## Control 5.4.1.1
+## Control 5.4.1.1
-  # This variable governs after how many days a  password expires.
+# This variable governs after how many days a  password expires.
-  # CIS requires a value of 365 or less.
+# CIS requires a value of 365 or less.
-  max_days: 365
+ubtu24cis_pass_max_days: 365
-  ## Control 5.4.1.2
+## Control 5.4.1.2
-  # This variable specifies the minimum number of days allowed between changing passwords.
+# This variable specifies the minimum number of days allowed between changing passwords.
-  # CIS requires a value of at least 1.
+# CIS requires a value of at least 1.
-  min_days: 1
+ubtu24cis_pass_min_days: 1
-  ## Control 5.5.1.3
+## Control 5.5.1.3
-  # This variable governs, how many days before a password expires, the user will be warned.
+# This variable governs, how many days before a password expires, the user will be warned.
-  # CIS requires a value of at least 7.
+# CIS requires a value of at least 7.
-  warn_age: 7
+ubtu24cis_pass_warn_age: 7
-  ## Control 5.4.1.5
+## Control 5.4.1.5
-  # This variable specifies the number of days of inactivity before an account will be locked.
+# This variable specifies the number of days of inactivity before an account will be locked.
-  # CIS requires a value of 45 days or less.
+# CIS requires a value of 45 days or less.
-  inactive: 45
+ubtu24cis_pass_inactive: 45
 # 5.4.2.6 root umask
 ubtu24cis_root_umask: '0027'  # 0027 or more restrictive
@ -1062,7 +1062,6 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
 ##
 ## Section 6 Control Variables
 ##
 # Set which syslog service
 # journald or rsyslog
 ubtu24cis_syslog_service: 'journald'
@ -1105,6 +1104,11 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 # 6.1.3.8
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
 ## Controls 6.2.3.x - Audit template
 # This variable is set to true by tasks 6.2.3.1 to 6.2.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
@ -1120,11 +1124,6 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false
 ubtu24cis_auditd_uid_exclude:
  - 1999
 # 6.1.3.8
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
 ##  Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
 # system can buffer in memory, if the audit subsystem is unable to process them in real-time.
@ -1177,7 +1176,7 @@ ubtu24cis_auditd_disk_error_action: syslog
 ubtu24cis_auditd_space_left_action: email
 ubtu24cis_auditd_admin_space_left_action: halt
-## Control 6.2.x - allow aide to be configured
+## Control 6.3.x - allow aide to be configured
 # AIDE is a file integrity checking tool, similar in nature to Tripwire.
 # While it cannot prevent intrusions, it can detect unauthorized changes
 # to configuration files by alerting when the files are changed. Review
@ -1185,15 +1184,24 @@ ubtu24cis_auditd_admin_space_left_action: halt
 # By setting this variable to `true`, all of the settings related to AIDE will be applied!
 ubtu24cis_config_aide: true
 # If DB file older than below will automatically rebuild DB
 # e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
 ubtu24cis_aide_db_file_age: 1w
 # If aide already setup this forces a new DB to be created
 ubtu24cis_aide_db_recreate: false
 # allows to change db file, not config need to be adjusted too
 ubtu24cis_aide_db_file: /var/lib/aide/aide.db
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
-ubtu24cis_aide_init:
+# Maximum Time in seconds
-  # Maximum Time in seconds
+ubtu24cis_aide_init_async: 600
-  async: 45
+# Polling Interval in seconds
-  # Polling Interval in seconds
+ubtu24cis_aide_init_poll: 15
  poll: 0
-## Control 6.3
+## Control 6.3.x
 # Set how aide is scanned either cron or timer
 ubtu24cis_aide_scan: cron
 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
@ -1201,36 +1209,36 @@ ubtu24cis_aide_scan: cron
 # the cron job on the target system.
 # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
 # and executed automatically at a certain point in time.
-ubtu24cis_aide_cron:
+
-  # This variable represents the user account under which the cron job for AIDE will run.
+# This variable represents the user account under which the cron job for AIDE will run.
-  cron_user: root
+ubtu24cis_aide_cron_user: root
-  # This variable represents the path to the AIDE crontab file.
+# This variable represents the path to the AIDE crontab file.
-  cron_file: /etc/cron.d/aide_cron
+ubtu24cis_aide_cron_file: /etc/cron.d/aide_cron
-  # This variable represents the actual command or script that the cron job
+# This variable represents the actual command or script that the cron job
-  # will execute for running AIDE.
+# will execute for running AIDE.
-  aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
+ubtu24cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
-  # These variables define the schedule for the cron job
+# These variables define the schedule for the cron job
-  # This variable governs the minute of the time of day when the AIDE cronjob is run.
+# This variable governs the minute of the time of day when the AIDE cronjob is run.
-  # It must be in the range `0-59`.
+# It must be in the range `0-59`.
-  aide_minute: 0
+ubtu24cis_aide_cron_minute: 0
-  # This variable governs the hour of the time of day when the AIDE cronjob is run.
+# This variable governs the hour of the time of day when the AIDE cronjob is run.
-  # It must be in the range `0-23`.
+# It must be in the range `0-23`.
-  aide_hour: 5
+ubtu24cis_aide_cron_hour: 5
-  # This variable governs the day of the month when the AIDE cronjob is run.
+# This variable governs the day of the month when the AIDE cronjob is run.
-  # `*` signifies that the job is run on all days; furthermore, specific days
+# `*` signifies that the job is run on all days; furthermore, specific days
-  # can be given in the range `1-31`; several days can be concatenated with a comma.
+# can be given in the range `1-31`; several days can be concatenated with a comma.
-  # The specified day(s) can must be in the range  `1-31`.
+# The specified day(s) can must be in the range  `1-31`.
-  aide_day: '*'
+ubtu24cis_aide_cron_day: '*'
-  # This variable governs months when the AIDE cronjob is run.
+# This variable governs months when the AIDE cronjob is run.
-  # `*` signifies that the job is run in every month; furthermore, specific months
+# `*` signifies that the job is run in every month; furthermore, specific months
-  # can be given in the range `1-12`; several months can be concatenated with commas.
+# can be given in the range `1-12`; several months can be concatenated with commas.
-  # The specified month(s) can must be in the range  `1-12`.
+# The specified month(s) can must be in the range  `1-12`.
-  aide_month: '*'
+ubtu24cis_aide_cron_month: '*'
-  # This variable governs the weekdays, when the AIDE cronjob is run.
+# This variable governs the weekdays, when the AIDE cronjob is run.
-  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
-  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
-  # can be concatenated with commas.
+# can be concatenated with commas.
-  aide_weekday: '*'
+ubtu24cis_aide_cron_weekday: '*'
 ##
 ## Section 7 Control Variables
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -10,7 +10,7 @@
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
-    mode: '0644'
+    mode: 'u-x,go-wx'
  with_items:
    - "{{ ansible_facts.mounts }}"
  loop_control:
@ -35,15 +35,16 @@
  listen: Writing and remounting tmp
 - name: Update_Initramfs
-  ansible.builtin.shell: update-initramfs -u
+  ansible.builtin.command: update-initramfs -u
  changed_when: true
  notify: Set_reboot_required
 - name: Remount tmp
  when:
    - "'/tmp' in mount_names"
  ansible.posix.mount:
    path: /tmp
    state: remounted
  when:
    - "'/tmp' in mount_names"
  listen: Writing and remounting tmp
 - name: Remount var
@ -78,7 +79,8 @@
    state: remounted
 - name: Grub update
-  ansible.builtin.shell: update-grub
+  ansible.builtin.command: update-grub
  changed_when: true
  failed_when: false
  notify: Set_reboot_required
@ -92,7 +94,8 @@
    daemon_reload: true
 - name: Update dconf
-  ansible.builtin.shell: dconf update
+  ansible.builtin.command: dconf update
  changed_when: true
  failed_when: false
 - name: Restart postfix
@ -136,51 +139,51 @@
    state: reloaded
 - name: Iptables persistent
-  ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
+  ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"
-  changed_when: ubtu24cis_iptables_save.rc == 0
+  changed_when: true
  failed_when: ubtu24cis_iptables_save.rc > 0
  register: ubtu24cis_iptables_save
 - name: Ip6tables persistent
-  ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
+  ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-  changed_when: ubtu24cis_ip6tables_save.rc == 0
+  changed_when: true
  failed_when: ubtu24cis_ip6tables_save.rc > 0
  register: ubtu24cis_ip6tables_save
 - name: Pam_auth_update_pwunix
-  ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
+  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
  changed_when: true
 - name: Pam_auth_update_pwfaillock
-  ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
+  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
  changed_when: true
 - name: Pam_auth_update_pwfaillock_notify
-  ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
+  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
  changed_when: true
 - name: Pam_auth_update_pwquality
-  ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
+  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
  changed_when: true
 - name: Pam_auth_update_pwhistory
-  ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
+  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
  changed_when: true
 - name: Auditd rules reload
  when:
    - not prelim_auditd_immutable_check or
      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
-  ansible.builtin.shell: augenrules --load
+  ansible.builtin.command: augenrules --load
  changed_when: true
 - name: Audit_immutable_fact
  when:
-    - audit_rules_updated.changed
+    - discovered_audit_rules_updated.changed
    - auditd_immutable_check is defined
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Set_reboot_required
 - name: Restart auditd
-  when:
+  when: discovered_audit_rules_updated is defined
-    - audit_rules_updated is defined
+  tags: skip_ansible_lint
  tags:
    - skip_ansible_lint
  ansible.builtin.shell: service auditd restart
 - name: Restart sshd
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,28 +1,28 @@
 ---
 galaxy_info:
-    author: "Mark Bolwell"
+  author: "Mark Bolwell"
-    description: "Apply the Ubuntu 24 CIS benchmarks"
+  description: "Apply the Ubuntu 24 CIS benchmarks"
-    company: "MindPoint Group"
+  company: "MindPoint Group"
-    license: MIT
+  license: MIT
-    namespace: mindpointgroup
+  namespace: mindpointgroup
-    role_name: ubuntu24_cis
+  role_name: ubuntu24_cis
-    min_ansible_version: 2.12.1
+  min_ansible_version: 2.12.1
-    platforms:
+  platforms:
-        - name: Ubuntu
+    - name: Ubuntu
-          versions:
+      versions:
-              - jammy
+        - jammy
-    galaxy_tags:
+  galaxy_tags:
-        - system
+    - system
-        - security
+    - security
-        - cis
+    - cis
-        - hardening
+    - hardening
-        - benchmark
+    - benchmark
-        - compliance
+    - compliance
-        - complianceascode
+    - complianceascode
-        - ubuntu24
+    - ubuntu24
 collections:
-    - community.general
+  - community.general
-    - community.crypto
+  - community.crypto
-    - ansible.posix
+  - ansible.posix
 dependencies: []
--- a/site.yml
+++ b/site.yml
@ -1,8 +1,7 @@
 ---
- hosts: all
+- name: Run CIS benchmark
  hosts: all
  become: true
  roles:
-
+    - role: "{{ playbook_dir }}"
      - role: "{{ playbook_dir }}"
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -20,13 +20,13 @@
    owner: root
    group: root
    checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
-    mode: '0555'
+    mode: 'u+x,go-w'
 - name: Pre Audit Setup | Copy audit binary
  when: get_audit_binary_method == 'copy'
  ansible.builtin.copy:
    src: "{{ audit_bin_copy_location }}"
    dest: "{{ audit_bin }}"
    mode: '0555'
    owner: root
    group: root
    mode: 'u+x,go-w'
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -2,29 +2,27 @@
 - name: Audit_Only | Create local Directories for hosts
  when: fetch_audit_files
  delegate_to: localhost
  become: false
  ansible.builtin.file:
-    mode: '0755'
+    mode: 'u+x,go-w'
    path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
    recurse: true
    state: directory
  delegate_to: localhost
  become: false
 - name: Audit_only | Get audits from systems and put in group dir
  when: fetch_audit_files
  ansible.builtin.fetch:
    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
    flat: true
-    mode: '0644'
+    mode: 'go-wx'
    src: "{{ pre_audit_outfile }}"
 - name: Audit_only | Show Audit Summary
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.debug:
    msg: "{{ audit_results.split('\n') }}"
 - name: Audit_only | Stop Playbook Audit Only selected
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.meta: end_play
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -7,8 +7,8 @@
    dest: /etc/audit/rules.d/99_auditd.rules
    owner: root
    group: root
-    mode: '0640'
+    mode: 'u-x,go-wx'
-  register: audit_rules_updated
+  register: discovered_audit_rules_updated
  notify:
    - Auditd rules reload
    - Audit_immutable_fact
@ -22,7 +22,7 @@
    dest: /etc/audit/rules.d/98_auditd_exceptions.rules
    owner: root
    group: root
-    mode: '0600'
+    mode: 'u-x,go-rwx'
  notify: Restart auditd
 - name: POST | AUDITD | Flush handlers
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -4,14 +4,12 @@
  when:
    - ansible_facts.distribution == 'Ubuntu'
    - ansible_facts.distribution_major_version is version_compare('24', '!=')
-  tags:
+  tags: always
    - always
  ansible.builtin.fail:
    msg: "This role can only be run against Ubuntu 24. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
 - name: Check ansible version
-  tags:
+  tags: always
    - always
  ansible.builtin.assert:
    that: ansible_version.full is version_compare(min_ansible_version, '>=')
    fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
@ -22,39 +20,36 @@
  when:
    - ubtu24cis_rule_5_2_4
    - ansible_env.SUDO_USER is defined
-  tags:
+  tags: always
    - always
  block:
    - name: Capture current password state of connecting user"
      ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ansible_user_password_set
+      register: prelim_ansible_user_password_set
-    - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
+    - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"  # noqa name[template]
      ansible.builtin.assert:
-        that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10
+        that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10
        fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
        success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}"
      vars:
        sudo_password_rule: ubtu24cis_rule_5_2_4  # pragma: allowlist secret
 - name: Ensure root password is set
-  when:
+  when: ubtu24cis_rule_5_4_2_4
-    - ubtu24cis_rule_5_4_2_4
+  tags: always
  tags:
    - always
  block:
    - name: Ensure root password is set
      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|root P |Password locked)"
      changed_when: false
      failed_when: false
-      register: root_passwd_set
+      register: prelim_root_passwd_set
    - name: Ensure root password is set
      ansible.builtin.assert:
-        that: root_passwd_set.rc == 0
+        that: prelim_root_passwd_set.rc == 0
        fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password"
        success_msg: "You have a root password set"
@ -62,16 +57,14 @@
  when:
    - ubtu24cis_set_boot_pass
    - ubtu24cis_rule_1_4_1
-  tags:
+  tags: always
    - always
  ansible.builtin.assert:
    that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
    msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
 - name: Check ubtu24cis_grub_user password variable has been changed
  when: ubtu24cis_rule_1_4_1
-  tags:
+  tags: always
    - always
  block:
    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
      ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
@ -88,8 +81,7 @@
        msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
    - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
-      when:
+      when: not ubtu24cis_set_grub_user_pass
        - not ubtu24cis_set_grub_user_pass
      ansible.builtin.assert:
        that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
        fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
@ -99,9 +91,7 @@
  when:
    - ansible_connection == 'docker' or
      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
+  tags: always
    - container_discovery
    - always
  block:
    - name: Discover and set container variable if required
      ansible.builtin.set_fact:
@ -112,28 +102,22 @@
        file: "{{ container_vars_file }}"
    - name: Output if discovered is a container
-      when:
+      when: system_is_container
        - system_is_container
      ansible.builtin.debug:
        msg: system has been discovered as a container
 - name: Gather the package facts before prelim
-  tags:
+  tags: always
    - always
  ansible.builtin.package_facts:
    manager: auto
 - name: Run prelim tasks
-  tags:
+  tags: always
    - prelim_tasks
    - run_audit
    - always
  ansible.builtin.import_tasks:
    file: prelim.yml
 - name: Gather the package facts after prelim
-  tags:
+  tags: always
    - always
  ansible.builtin.package_facts:
    manager: auto
@ -142,8 +126,7 @@
    - ubtu24cis_section5 or
      ubtu24cis_section6 or
      ubtu24cis_section7
-  tags:
+  tags: always
    - always
  ansible.builtin.import_tasks:
    file: parse_etc_password.yml
@ -184,8 +167,7 @@
 - name: Run auditd logic
  when: update_audit_template
-  tags:
+  tags: always
    - always
  ansible.builtin.import_tasks:
    file: auditd.yml
@ -193,42 +175,33 @@
  ansible.builtin.meta: flush_handlers
 - name: Reboot system
-  tags:
+  when: change_requires_reboot
-    - always
+  tags: always
  block:
    - name: Reboot system if not skipped
-      when:
+      when: not skip_reboot
        - not skip_reboot
        - change_requires_reboot
      ansible.builtin.reboot:
    - name: Warning a reboot required but skip option set
-      when:
+      when: skip_reboot
        - skip_reboot
        - change_requires_reboot
      ansible.builtin.debug:
        msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
      changed_when: true
 - name: Run post remediation audit
-  when:
+  when: run_audit
-    - run_audit
+  tags: run_audit
  tags:
    - run_audit
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml
 - name: Show Audit Summary
-  when:
+  when: run_audit
-    - run_audit
+  tags: run_audit
  tags:
    - run_audit
  ansible.builtin.debug:
    msg: "{{ audit_results.split('\n') }}"
 - name: If Warnings found Output count and control IDs affected
  when: warn_count != 0
-  tags:
+  tags: always
    - always
  ansible.builtin.debug:
    msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
--- a/tasks/parse_etc_password.yml
+++ b/tasks/parse_etc_password.yml
@ -5,29 +5,27 @@
    - always
  block:
    - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents"
-      ansible.builtin.shell: cat /etc/passwd
+      ansible.builtin.command: cat /etc/passwd
      changed_when: false
      check_mode: false
-      register: ubtu24cis_passwd_file_audit
+      register: prelim_passwd_file_audit
    - name: "PRELIM | Parse /etc/passwd | Split passwd entries"
      ansible.builtin.set_fact:
-        ubtu24cis_passwd: "{{ ubtu24cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
+        ubtu24cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
      with_items: "{{ ubtu24cis_passwd_file_audit.stdout_lines }}"
      vars:
        ld_passwd_regex: >-
            ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
        ld_passwd_yaml: |  # pragma: allowlist secret
-            id: >-4
+          id: >-4
-                \g<id>
+              \g<id>
-            password: >-4
+          password: >-4
-                \g<password>
+              \g<password>
-            uid: \g<uid>
+          uid: \g<uid>
-            gid: \g<gid>
+          gid: \g<gid>
-            gecos: >-4
+          gecos: >-4
-                \g<gecos>
+              \g<gecos>
-            dir: >-4
+          dir: >-4
-                \g<dir>
+              \g<dir>
-            shell: >-4
+          shell: >-4
-                \g<shell>
+              \g<shell>
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -1,7 +1,7 @@
 ---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
+- name: Post Audit | Run post_remediation {{ benchmark }} audit  # noqa name[template]
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
@ -18,26 +18,24 @@
    - "{{ pre_audit_outfile }}"
 - name: Post Audit | Capture audit data if json format
-  when:
+  when: audit_format == "json"
    - audit_format == "json"
  block:
    - name: Post Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
      register: post_audit_summary
      changed_when: false
      register: post_audit_summary
    - name: Post Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
        post_audit_results: "{{ post_audit_summary.stdout }}"
 - name: Post Audit | Capture audit data if documentation format
-  when:
+  when: audit_format == "documentation"
    - audit_format == "documentation"
  block:
    - name: Post Audit | Capture audit data if documentation format
-      ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
+      ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
      register: post_audit_summary
      changed_when: false
      register: post_audit_summary
    - name: Post Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -1,22 +1,19 @@
 ---
 - name: Pre Audit Setup | Setup the LE audit
-  when:
+  when: setup_audit
-    - setup_audit
+  tags: setup_audit
  tags:
    - setup_audit
  ansible.builtin.include_tasks:
    file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
+- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }}  # noqa name[template]
  ansible.builtin.file:
    path: "{{ audit_conf_dir }}"
    mode: 'go-w'
    state: directory
    mode: '0755'
 - name: Pre Audit Setup | If using git for content set up
-  when:
+  when: audit_content == 'git'
    - audit_content == 'git'
  block:
    - name: Pre Audit Setup | Install git
      ansible.builtin.package:
@ -30,57 +27,51 @@
        version: "{{ audit_git_version }}"
 - name: Pre Audit Setup | Copy to audit content files to server
-  when:
+  when: audit_content == 'copy'
    - audit_content == 'copy'
  ansible.builtin.copy:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}"
    mode: preserve
 - name: Pre Audit Setup | Unarchive audit content files on server
-  when:
+  when: audit_content == 'archive'
    - audit_content == 'archive'
  ansible.builtin.unarchive:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}"
 - name: Pre Audit Setup | Get audit content from url
-  when:
+  when: audit_content == 'get_url'
    - audit_content == 'get_url'
  ansible.builtin.unarchive:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
-    remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+    remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
-    extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
+    extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 - name: Pre Audit Setup | Check Goss is available
-  when:
+  when: run_audit
    - run_audit
  block:
    - name: Pre Audit Setup | Check for goss file
      ansible.builtin.stat:
        path: "{{ audit_bin }}"
-      register: goss_available
+      register: prelim_goss_available
    - name: Pre Audit Setup | If audit ensure goss is available
-      when:
+      when: not prelim_goss_available.stat.exists
        - not goss_available.stat.exists
      ansible.builtin.assert:
        msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
  when: run_audit
  tags:
    - goss_template
    - run_audit
  when:
    - run_audit
  ansible.builtin.template:
    src: ansible_vars_goss.yml.j2
    dest: "{{ audit_vars_path }}"
-    mode: '0600'
+    mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
+- name: Pre Audit | Run pre_remediation audit {{ benchmark }}  # noqa name[template]
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
@ -88,33 +79,30 @@
    AUDIT_FILE: goss.yml
 - name: Pre Audit | Capture audit data if json format
-  when:
+  when: audit_format == "json"
    - audit_format == "json"
  block:
    - name: Pre Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
      register: pre_audit_summary
      changed_when: false
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
        pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Pre Audit | Capture audit data if documentation format
-  when:
+  when: audit_format == "documentation"
    - audit_format == "documentation"
  block:
    - name: Pre Audit | Capture audit data if documentation format
      ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
      register: pre_audit_summary
      changed_when: false
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
        pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Audit_Only | Run Audit Only
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.import_tasks:
    file: audit_only.yml
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -7,31 +7,25 @@
  changed_when: false
 - name: "PRELIM | AUDIT | Register if snap being used"
  when: ubtu24cis_rule_1_1_1_6
  tags: always
  ansible.builtin.shell: df -h | grep -wc "/snap"
  changed_when: false
  failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ]
  register: prelim_snap_pkg_mgr
  tags:
    - rule_1.1.1.2
    - always
  when:
    - ubtu24cis_rule_1_1_1_6
 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
  when: ubtu24cis_rule_1_1_1_6
  tags: always
  ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
  changed_when: false
  failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ]
  register: prelim_squashfs_builtin
  tags:
    - always
  when:
    - ubtu24cis_rule_1_1_1_6
 - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points"
  tags: always
  ansible.builtin.set_fact:
    mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
  tags:
    - always
 - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type
  when:
@ -40,14 +34,13 @@
      ubtu24cis_rule_1_1_2_1_2 or
      ubtu24cis_rule_1_1_2_1_3 or
      ubtu24cis_rule_1_1_2_1_4
-  tags:
+  tags: always
    - always
  block:
    - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type
-      ansible.builtin.shell: systemctl is-enabled tmp.mount
+      ansible.builtin.command: systemctl is-enabled tmp.mount  # noqa command-instead-of-module
      register: prelim_tmp_mnt_type
      changed_when: false
      failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ]
      register: prelim_tmp_mnt_type
    - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable
      when: "'generated' in prelim_tmp_mnt_type.stdout"
@ -60,8 +53,7 @@
        tmp_mnt_type: tmp_systemd
 - name: PRELIM | Initialize the mount options variable
-  tags:
+  tags: always
    - always
  block:
    - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact
      when: "'/tmp' not in mount_names"
@ -99,8 +91,7 @@
  when:
    - ubtu24cis_rule_1_2_1_1 or
      ubtu24cis_rule_1_2_2_1
-  tags:
+  tags: always
    - always
  ansible.builtin.package:
    update_cache: true
@ -108,18 +99,16 @@
  when:
    - ubtu24cis_rule_3_1_2
    - not system_is_container
-  tags:
+  tags: always
    - always
  block:
    - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
-      ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless
+      ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
      register: prelim_wireless_adapters
      changed_when: false
      failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
      register: prelim_wireless_adapters
    - name: "PRELIM | AUDIT | If wireless adapter present capture module"
-      when:
+      when: prelim_wireless_adapters.rc == 0
        - prelim_wireless_adapters.rc == 0
      ansible.builtin.shell: |
        for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname);
          do basename "$(readlink -f "$driverdir"/device/driver/module)";
@ -128,12 +117,11 @@
      failed_when: prelim_wireless_modules.rc not in [ 0, 1 ]
      register: prelim_wireless_modules
- name: "PRELIM | PATCH | 5.3.4.5 | Find all sudoers files."
+- name: "PRELIM | PATCH | Find all sudoers files."
  when:
    - ubtu24cis_rule_5_2_4 or
      ubtu24cis_rule_5_2_5
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
  changed_when: false
  failed_when: false
@ -148,20 +136,17 @@
      ubtu24cis_rule_5_3_3_2_4 or
      ubtu24cis_rule_5_3_3_2_5 or
      ubtu24cis_rule_5_3_3_2_6
-  tags:
+  tags: always
    - always
  ansible.builtin.file:
    path: '/etc/security/pwquality.conf.d'
    state: directory
    owner: root
    group: root
-    mode: '0750'
+    mode: 'u+x,g-w,o-rwx'
 - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
-  when:
+  when: not discover_int_uid
-    - not discover_int_uid
+  tags: always
  tags:
    - always
  block:
    - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
      ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
@ -185,38 +170,29 @@
        min_int_gid: "{{ prelim_gid_min_id.stdout }}"
 - name: "PRELIM | AUDIT | Interactive Users"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
  changed_when: false
  register: prelim_interactive_usernames
 - name: "PRELIM | AUDIT | Interactive User accounts home directories"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
  changed_when: false
  register: prelim_interactive_users_home
 - name: "PRELIM | AUDIT | Interactive UIDs"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
  changed_when: false
  register: prelim_interactive_uids
 - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
-  when:
+  when: ubtu24cis_rule_5_4_2_1
-    - ubtu24cis_rule_5_4_2_1
+  tags: always
  tags:
    - rule_5.4.2.1
    - level1-server
    - level1-workstation
    - users
    - always
  ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
  changed_when: false
  check_mode: false
@ -227,14 +203,13 @@
    - ubtu24cis_rule_6_1_2_2 or
      ubtu24cis_rule_6_1_2_3 or
      ubtu24cis_rule_6_1_2_4
-  tags:
+  tags: always
    - always
  ansible.builtin.file:
    path: /etc/systemd/journald.conf.d
    state: directory
    owner: root
    group: root
-    mode: '0755'
+    mode: 'u+x,go-w'
 - name: "PRELIM | PATCH | Ensure auditd is installed"
  when:
@ -242,17 +217,9 @@
      ubtu24cis_rule_6_2_4_1 or
      ubtu24cis_rule_6_2_4_6 or
      ubtu24cis_rule_6_2_4_8
-  tags:
+  tags: always
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - always
  block:
    - name: "PRELIM | PATCH | Ensure auditd is installed"
      when:
        - "'auditd' not in ansible_facts.packages or
          'auditd-plugins' not in ansible_facts.packages"
      ansible.builtin.package:
        name: ['auditd', 'audispd-plugins']
        state: present
@ -267,8 +234,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
  when: "'auditd' in ansible_facts.packages"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: auditctl -l | grep -c '-e 2'
  changed_when: false
  failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
@ -280,15 +246,7 @@
      ubtu24cis_rule_6_2_4_2 or
      ubtu24cis_rule_6_2_4_3 or
      ubtu24cis_rule_6_2_4_4
-  tags:
+  tags: always
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.4.1
    - rule_6.3.4.2
    - rule_6.3.4.3
    - rule_6.3.4.4
  ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
  changed_when: false
  failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
@ -298,8 +256,7 @@
  when:
    - ubtu24cis_rule_7_2_9
    - "'acl' not in ansible_facts.packages"
-  tags:
+  tags: always
    - always
  ansible.builtin.package:
    name: acl
    state: present
@ -310,10 +267,9 @@
  when:
    - ubtu24cis_firewall_package == "ufw"
    - ubtu24cis_ufw_use_sysctl
-  tags:
+  tags: always
    - always
  ansible.builtin.lineinfile:
    path: /etc/default/ufw
    regexp: ^IPT_SYSCTL=.*
    line: IPT_SYSCTL=/etc/sysctl.conf
-    mode: '0644'
+    mode: 'u-x,go-wx'
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@ -18,7 +18,7 @@
        regexp: "^(#)?install cramfs(\\s|$)"
        line: "install cramfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -26,7 +26,7 @@
        regexp: "^(#)?blacklist cramfs(\\s|$)"
        line: "blacklist cramfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
      when:
@ -53,7 +53,7 @@
        regexp: "^(#)?install freevxfs(\\s|$)"
        line: "install freevxfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -61,7 +61,7 @@
        regexp: "^(#)?blacklist freevxfs(\\s|$)"
        line: "blacklist freevxfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
      when:
@ -88,7 +88,7 @@
        regexp: "^(#)?install hfs(\\s|$)"
        line: "install hfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -96,7 +96,7 @@
        regexp: "^(#)?blacklist hfs(\\s|$)"
        line: "blacklist hfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
      when:
@ -123,7 +123,7 @@
        regexp: "^(#)?install hfsplus(\\s|$)"
        line: "install hfsplus /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -131,7 +131,7 @@
        regexp: "^(#)?blacklist hfsplus(\\s|$)"
        line: "blacklist hfsplus"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
      when:
@ -158,7 +158,7 @@
        regexp: "^(#)?install jffs2(\\s|$)"
        line: "install jffs2 /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -166,7 +166,7 @@
        regexp: "^(#)?blacklist jffs2(\\s|$)"
        line: "blacklist jffs2"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
      when:
@ -193,7 +193,7 @@
        regexp: "^(#)?install overlayfs(\\s|$)"
        line: "install overlayfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -201,7 +201,7 @@
        regexp: "^(#)?blacklist overlayfs(\\s|$)"
        line: "blacklist overlayfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | Disable overlayfs"
      when:
@ -230,7 +230,7 @@
        regexp: "^(#)?install squashfs(\\s|$)"
        line: "install squashfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -238,7 +238,7 @@
        regexp: "^(#)?blacklist squashfs(\\s|$)"
        line: "blacklist squashfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
      when:
@ -265,7 +265,7 @@
        regexp: "^(#)?install udf(\\s|$)"
        line: "install udf /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -273,7 +273,7 @@
        regexp: "^(#)?blacklist udf(\\s|$)"
        line: "blacklist udf"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | Disable udf"
      when:
@ -300,7 +300,7 @@
        regexp: "^(#)?install usb-storage(\\s|$)"
        line: "install usb-storage /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -308,7 +308,7 @@
        regexp: "^(#)?blacklist usb-storage(\\s|$)"
        line: "blacklist usb-storage"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
      when:
@ -335,10 +335,10 @@
        dest: /var/fs_with_cves.sh
        owner: root
        group: root
-        mode: '0744'
+        mode: 'u+x,go-wx'
    - name: "1.1.1.10 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
-      ansible.builtin.shell: /var/fs_with_cves.sh
+      ansible.builtin.command: /var/fs_with_cves.sh
      changed_when: false
      failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
      register: discovered_fs_modules_loaded
@ -348,7 +348,7 @@
      ansible.builtin.debug:
        msg: |
          "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
-          {{ discovered_fs_modules_loaded.stdout_lines}}"
+          {{ discovered_fs_modules_loaded.stdout_lines }}"
    - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
      when: discovered_fs_modules_loaded.stdout | length > 0
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@ -39,7 +39,7 @@
  vars:
    required_mount: '/tmp'
  ansible.builtin.set_fact:
-    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}"
  changed_when: true
  notify: Writing and remounting tmp
@ -59,7 +59,7 @@
  vars:
    required_mount: '/tmp'
  ansible.builtin.set_fact:
-    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}"
  changed_when: true
  notify: Writing and remounting tmp
@ -79,6 +79,6 @@
  vars:
    required_mount: '/tmp'
  ansible.builtin.set_fact:
-    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}"
  changed_when: true
  notify: Writing and remounting tmp
--- a/tasks/section_1/cis_1.1.2.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.2.x.yml
@ -15,7 +15,7 @@
    required_mount: '/dev/shm'
  block:
    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
-      ansible.builtin.shell: findmnt -kn "{{ required_mount }}"
+      ansible.builtin.command: findmnt -kn "{{ required_mount }}"
      changed_when: false
      failed_when: discovered_shm_mount.rc not in [ 0, 1 ]
      register: discovered_shm_mount
--- a/tasks/section_1/cis_1.2.1.x.yml
+++ b/tasks/section_1/cis_1.2.1.x.yml
@ -15,11 +15,11 @@
    warn_control_id: '1.2.1.1'
  block:
    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys"
-      ansible.builtin.shell: apt-key list
+      ansible.builtin.command: apt-key list
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_1_2_1_1_apt_gpgkeys
+      register: discovered_apt_gpgkeys
    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys"
      ansible.builtin.debug:
@ -27,7 +27,7 @@
          - "Warning!! Below are the apt gpg keys configured"
          - "Please review to make sure they are configured"
          - "in accordance with site policy"
-          - "{{ ubtu24cis_1_2_1_1_apt_gpgkeys.stdout_lines }}"
+          - "{{ discovered_apt_gpgkeys.stdout_lines }}"
    - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count"
      ansible.builtin.import_tasks:
@ -47,18 +47,18 @@
    warn_control_id: '1.2.1.2'
  block:
    - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories"
-      ansible.builtin.shell: apt-cache policy
+      ansible.builtin.command: apt-cache policy
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_1_2_1_2_apt_policy
+      register: discovered_apt_policy
    - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the apt package repositories"
          - "Please review to make sure they conform to your sites policies"
-          - "{{ ubtu24cis_1_2_1_2_apt_policy.stdout_lines }}"
+          - "{{ discovered_apt_policy.stdout_lines }}"
    - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.2.2.x.yml
+++ b/tasks/section_1/cis_1.2.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed"
-  when:
+  when: ubtu24cis_rule_1_2_2_1
    - ubtu24cis_rule_1_2_2_1
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_1/cis_1.3.1.x.yml
+++ b/tasks/section_1/cis_1.3.1.x.yml
@ -17,8 +17,7 @@
    state: present
 - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
-  when:
+  when: ubtu24cis_rule_1_3_1_2
    - ubtu24cis_rule_1_3_1_2
  tags:
    - level1-server
    - level1-workstation
@ -32,10 +31,10 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_1_3_1_2_cmdline_settings
+      register: discovered_grub_cmdline_settings
    - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
-      when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=')
+      when: discovered_grub_cmdline_settings.stdout is not search('apparmor=')
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+")
@ -44,7 +43,7 @@
      notify: Grub update
    - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist"
-      when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('security=')
+      when: discovered_grub_cmdline_settings.stdout is not search('security=')
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+")
@ -54,19 +53,19 @@
    - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
      when:
-        - "'apparmor' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
+        - "'apparmor' not in discovered_grub_cmdline_settings.stdout"
-        - "'security' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
+        - "'security' not in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX='
-        line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu24cis_1_3_1_2_cmdline_settings.stdout }}"'
+        line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_grub_cmdline_settings.stdout }}"'
        insertafter: '^GRUB_'
      notify: Grub update
    - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists"
      when:
-        - "'apparmor' in ubtu24cis_1_3_1_2_cmdline_settings.stdout or
+        - "'apparmor' in discovered_grub_cmdline_settings.stdout or
-          'security' in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
+          'security' in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.replace:
        path: /etc/default/grub
        regexp: "{{ item.regexp }}"
@ -100,10 +99,10 @@
      changed_when: false
    - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count"
-      ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
+      ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
      changed_when: false
      failed_when: false
-      register: ubtu24cis_1_3_1_4_pre_count
+      register: discovered_apparmor_profilepre_count
    - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
      ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
@ -111,13 +110,13 @@
      failed_when: false
    - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count"
-      ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
+      ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
      changed_when: false
      failed_when: false
-      register: ubtu24cis_1_3_1_4_post_count
+      register: discovered_apparmor_profilepost_count
    - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
-      when: ubtu24cis_1_3_1_4_pre_count.stdout != ubtu24cis_1_3_1_4_post_count.stdout
+      when: discovered_apparmor_profilepre_count.stdout != discovered_apparmor_profilepost_count.stdout
      ansible.builtin.debug:
        msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
      changed_when: true
@ -150,24 +149,24 @@
      changed_when: false
    - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count"
-      ansible.builtin.shell: apparmor_status |  grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9
+      ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9
      changed_when: false
      failed_when: false
-      register: ubtu24cis_1_3_1_3_pre_count
+      register: discovered_apparmor_profile_pre_count
    - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles"
-      ansible.builtin.shell: aa-{{ubtu24cis_apparmor_mode}} /etc/apparmor.d/*
+      ansible.builtin.shell: aa-{{ ubtu24cis_apparmor_mode }} /etc/apparmor.d/*
      changed_when: false
      failed_when: false
    - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count"
-      ansible.builtin.shell: apparmor_status |  grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9
+      ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9
      changed_when: false
      failed_when: false
-      register: ubtu24cis_1_3_1_3_post_count
+      register: discovered_apparmor_profile_post_count
    - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
-      when: ubtu24cis_1_3_1_3_pre_count.stdout != ubtu24cis_1_3_1_3_post_count.stdout
+      when: discovered_apparmor_profile_pre_count.stdout != discovered_apparmor_profile_post_count.stdout
      ansible.builtin.debug:
-        msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu24cis_apparmor_mode}} mode
+        msg: Changed! The profiles in /etc/apparmor.d were set to {{ ubtu24cis_apparmor_mode }} mode
      changed_when: true
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -18,7 +18,7 @@
        dest: "{{ ubtu24cis_grub_user_file }}"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
      notify: Grub update
    - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
@ -31,8 +31,7 @@
      notify: Grub update
 - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
-  when:
+  when: ubtu24cis_rule_1_4_2
    - ubtu24cis_rule_1_4_2
  tags:
    - level1-server
    - level1-workstation
@ -45,11 +44,10 @@
      ansible.builtin.stat:
        path: "{{ ubtu24cis_grub_file }}"
      check_mode: false
-      register: ubtu24cis_1_4_2_grub_cfg_status
+      register: discovered_grub_cfg_file
    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions"
-      when:
+      when: discovered_grub_cfg_file.stat.exists
        - ubtu24cis_1_4_2_grub_cfg_status.stat.exists
      ansible.builtin.file:
        path: "{{ ubtu24cis_grub_file }}"
        owner: root
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
-  when:
+  when: ubtu24cis_rule_1_5_1
    - ubtu24cis_rule_1_5_1
  tags:
    - level1-server
    - level1-workstation
@ -20,8 +19,7 @@
    ignoreerrors: true
 - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
-  when:
+  when: ubtu24cis_rule_1_5_2
    - ubtu24cis_rule_1_5_2
  tags:
    - level1-server
    - level1-workstation
@ -39,8 +37,7 @@
    ignoreerrors: true
 - name: "1.5.3 | PATCH | Ensure core dumps are restricted"
-  when:
+  when: ubtu24cis_rule_1_5_3
    - ubtu24cis_rule_1_5_3
  tags:
    - level1-server
    - level1-workstation
@ -67,7 +64,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-r'
    - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf"
      ansible.builtin.lineinfile:
@ -76,7 +73,7 @@
        line: fs.suid_dumpable=0
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-r'
      notify: Reload systemctl
    - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf"
@ -87,7 +84,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-r'
      loop:
        - { regexp: '^Storage', line: 'Storage=none' }
        - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' }
@ -107,7 +104,7 @@
    - prelink
  block:
    - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal"
-      ansible.builtin.shell: prelink -ua
+      ansible.builtin.command: prelink -ua
      changed_when: false
      failed_when: false
@ -118,8 +115,7 @@
        purge: "{{ ubtu24cis_purge_apt }}"
 - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled"
-  when:
+  when: ubtu24cis_rule_1_5_5
    - ubtu24cis_rule_1_5_5
  tags:
    - level1-server
    - level1-workstation
@ -136,7 +132,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-r'
    - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
      when:
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.6.1 | PATCH | Ensure message of the day is configured properly"
-  when:
+  when: ubtu24cis_rule_1_6_1
    - ubtu24cis_rule_1_6_1
  tags:
    - level1-server
    - level1-workstation
@ -17,6 +16,7 @@
      ansible.builtin.template:
        src: etc/motd.j2
        dest: /etc/motd
        mode: 'u-x,go-wx'
    - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd"
      when: ubtu24cis_disable_dynamic_motd
@ -31,8 +31,7 @@
        - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' }
 - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly"
-  when:
+  when: ubtu24cis_rule_1_6_2
    - ubtu24cis_rule_1_6_2
  tags:
    - level1-server
    - level1-workstation
@ -47,14 +46,14 @@
      ansible.builtin.template:
        src: etc/issue.j2
        dest: /etc/issue
        mode: 'u-x,go-wx'
    - name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue"
      community.general.dpkg_divert:
        path: /etc/issue
 - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly"
-  when:
+  when: ubtu24cis_rule_1_6_3
    - ubtu24cis_rule_1_6_3
  tags:
    - level1-server
    - level1-workstation
@ -69,14 +68,14 @@
      ansible.builtin.template:
        src: etc/issue.net.j2
        dest: /etc/issue.net
        mode: 'u-x,go-wx'
    - name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net"
      community.general.dpkg_divert:
        path: /etc/issue.net
 - name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
-  when:
+  when: ubtu24cis_rule_1_6_4
    - ubtu24cis_rule_1_6_4
  tags:
    - level1-server
    - level1-workstation
@ -93,8 +92,7 @@
    mode: 'u-x,go-wx'
 - name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured"
-  when:
+  when: ubtu24cis_rule_1_6_5
    - ubtu24cis_rule_1_6_5
  tags:
    - level1-server
    - level1-workstation
@ -111,8 +109,7 @@
    mode: 'u-x,go-wx'
 - name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
-  when:
+  when: ubtu24cis_rule_1_6_6
    - ubtu24cis_rule_1_6_6
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@ -1,9 +1,6 @@
 ---
 - name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed"
  ansible.builtin.package:
    name: gdm3
    state: absent
  when:
    - ubtu24cis_rule_1_7_1
    - not ubtu24cis_desktop_required
@ -15,6 +12,9 @@
    - rule_1.7.1
    - NIST800-53R5_CM-11
    - gnome
  ansible.builtin.package:
    name: gdm3
    state: absent
 - name: "1.7.2 | PATCH | Ensure GDM login banner is configured"
  when:
@ -31,13 +31,14 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
    - gnome
  notify: Update dconf
  block:
    - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory"
      ansible.builtin.file:
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
    - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings"
@ -49,12 +50,11 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
-        loop:
+      loop:
-          - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
+        - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
-          - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'}
+        - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'}
-          - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
+        - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
  notify: Update dconf
 - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled"
  when:
@ -71,13 +71,14 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
    - gnome
  notify: Update dconf
  block:
    - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories"
      ansible.builtin.file:
        path: "{{ item }}"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      loop:
        - /etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d
@ -92,7 +93,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      loop:
        - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
        - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'}
@ -106,12 +107,11 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      loop:
        - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF }
        - { regexp: '^system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', insertafter: 'user-db:user'}
        - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu24cis_dconf_db_name }}'}
  notify: Update dconf
 - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle"
  when:
@ -132,6 +132,7 @@
        line: "{{ item.line }}"
        insertafter: "{{ item.after | default(omit) }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - { regexp: 'user-db:user', line: 'user-db:user' }
        - { regexp: 'system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', after: '^user-db.*' }
@ -141,7 +142,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -151,7 +152,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-screensaver"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -171,7 +172,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -181,7 +182,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-screensaver"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -205,7 +206,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -215,7 +216,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-automount"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -239,7 +240,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -249,7 +250,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-automount_lock"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -273,7 +274,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -283,7 +284,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-autorun"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -307,7 +308,7 @@
        path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'u+x,go-w'
        state: directory
      notify: Update dconf
@ -317,7 +318,7 @@
        dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-autorun_lock"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
      notify: Update dconf
 - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled"
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -33,8 +33,7 @@
        masked: true
 - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_2
    - ubtu24cis_rule_2_1_2
  tags:
    - level1-server
    - level2-workstation
@ -70,8 +69,7 @@
        - avahi-daemon.service
 - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_3
    - ubtu24cis_rule_2_1_3
  tags:
    - level1-server
    - level1-workstation
@ -105,8 +103,7 @@
        - isc-dhcp-server6.service
 - name: "2.1.4 | PATCH | Ensure dns server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_4
    - ubtu24cis_rule_2_1_4
  tags:
    - level1-server
    - level1-workstation
@ -137,8 +134,7 @@
        masked: true
 - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_5
    - ubtu24cis_rule_2_1_5
  tags:
    - level1-server
    - level1-workstation
@ -169,8 +165,7 @@
        masked: true
 - name: "2.1.6 | PATCH | Ensure ftp server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_6
    - ubtu24cis_rule_2_1_6
  tags:
    - level1-server
    - level1-workstation
@ -202,8 +197,7 @@
        masked: true
 - name: "2.1.7 | PATCH | Ensure ldap server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_7
    - ubtu24cis_rule_2_1_7
  tags:
    - level1-server
    - level1-workstation
@ -234,8 +228,7 @@
        masked: true
 - name: "2.1.8 | PATCH | Ensure message access server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_8
    - ubtu24cis_rule_2_1_8
  tags:
    - level1-server
    - level1-workstation
@ -273,8 +266,7 @@
        - "dovecot.service"
 - name: "2.1.9 | PATCH | Ensure network file system services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_9
    - ubtu24cis_rule_2_1_9
  tags:
    - level1-server
    - level1-workstation
@ -307,8 +299,7 @@
        masked: true
 - name: "2.1.10 | PATCH | Ensure nis server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_10
    - ubtu24cis_rule_2_1_10
  tags:
    - level1-server
    - level1-workstation
@ -339,8 +330,7 @@
        masked: true
 - name: "2.1.11 | PATCH | Ensure print server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_11
    - ubtu24cis_rule_2_1_11
  tags:
    - level1-server
    - patch
@ -373,8 +363,7 @@
        - "cups.service"
 - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_12
    - ubtu24cis_rule_2_1_12
  tags:
    - level1-server
    - level1-workstation
@ -409,8 +398,7 @@
        - rpcbind.socket
 - name: "2.1.13 | PATCH | Ensure rsync services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_13
    - ubtu24cis_rule_2_1_13
  tags:
    - level1-server
    - level1-workstation
@ -441,8 +429,7 @@
        masked: true
 - name: "2.1.14 | PATCH | Ensure samba file server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_14
    - ubtu24cis_rule_2_1_14
  tags:
    - level1-server
    - level1-workstation
@ -474,8 +461,7 @@
        masked: true
 - name: "2.1.15 | PATCH | Ensure snmp services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_15
    - ubtu24cis_rule_2_1_15
  tags:
    - level1-server
    - level1-workstation
@ -507,8 +493,7 @@
        masked: true
 - name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_16
    - ubtu24cis_rule_2_1_16
  tags:
    - level1-server
    - level1-workstation
@ -539,8 +524,7 @@
        masked: true
 - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_17
    - ubtu24cis_rule_2_1_17
  tags:
    - level1-server
    - level1-workstation
@ -571,8 +555,7 @@
        masked: true
 - name: "2.1.18 | PATCH | Ensure web server services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_18
    - ubtu24cis_rule_2_1_18
  tags:
    - level1-server
    - level1-workstation
@ -610,7 +593,7 @@
        - "'apache2' in ansible_facts.packages"
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
-        name:
+        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
@ -631,8 +614,7 @@
        masked: true
 - name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
-  when:
+  when: ubtu24cis_rule_2_1_19
    - ubtu24cis_rule_2_1_19
  tags:
    - level1-server
    - level1-workstation
@ -694,23 +676,23 @@
  block:
    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
      when: "'exim4' in ansible_facts.packages"
      notify: Restart exim4
      ansible.builtin.lineinfile:
        path: /etc/exim4/update-exim4.conf.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
-        with_items:
+      loop:
-          - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" }
+        - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" }
-          - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" }
+        - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" }
-          - { regexp: '^dc_readhost', line: "dc_readhost=''" }
+        - { regexp: '^dc_readhost', line: "dc_readhost=''" }
-          - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" }
+        - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" }
-          - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" }
+        - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" }
-          - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" }
+        - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" }
-          - { regexp: '^dc_smarthost', line: "dc_smarthost=''" }
+        - { regexp: '^dc_smarthost', line: "dc_smarthost=''" }
-          - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" }
+        - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" }
-          - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" }
+        - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" }
-          - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" }
+        - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" }
-          - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
+        - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
      notify: Restart exim4
    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
      when: "'postfix' in ansible_facts.packages"
@ -737,8 +719,7 @@
        file: warning_facts.yml
 - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
-  when:
+  when: ubtu24cis_rule_2_1_22
    - ubtu24cis_rule_2_1_22
  tags:
    - level1-server
    - level1-workstation
@ -750,18 +731,18 @@
    warn_control_id: '2.1.22'
  block:
    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
-      ansible.builtin.shell: systemctl list-units --type=service
+      ansible.builtin.command: systemctl list-units --type=service  # noqa command-instead-of-module
      changed_when: false
-      failed_when: ubtu24cis_2_1_22_services.rc not in [ 0, 1 ]
+      failed_when: discovered_listening_services.rc not in [ 0, 1 ]
      check_mode: false
-      register: ubtu24cis_2_1_22_services
+      register: discovered_listening_services
    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the list of services, both active and inactive"
          - "Please review to make sure all are essential"
-          - "{{ ubtu24cis_2_1_22_services.stdout_lines }}"
+          - "{{ discovered_listening_services.stdout_lines }}"
    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count"
      ansible.builtin.import_tasks:
--- a/tasks/section_2/cis_2.3.1.x.yml
+++ b/tasks/section_2/cis_2.3.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use"
-  when:
+  when: ubtu24cis_rule_2_3_1_1
    - ubtu24cis_rule_2_3_1_1
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_2/cis_2.3.2.x.yml
+++ b/tasks/section_2/cis_2.3.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver"
-  when:
+  when: ubtu24cis_rule_2_3_2_1
    - ubtu24cis_rule_2_3_2_1
  tags:
    - level1-server
    - level1-workstation
@ -17,14 +16,14 @@
        path: /etc/systemd/timesyncd.conf.d
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources"
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
-        mode: '0644'
+        mode: 'go-r'
        owner: root
        group: root
      loop:
@ -32,8 +31,7 @@
      notify: Restart timeservice
 - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running"
-  when:
+  when: ubtu24cis_rule_2_3_2_2
    - ubtu24cis_rule_2_3_2_2
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_2/cis_2.3.3.x.yml
+++ b/tasks/section_2/cis_2.3.3.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver"
-  when:
+  when: ubtu24cis_rule_2_3_3_1
    - ubtu24cis_rule_2_3_3_1
  tags:
    - level1-server
    - level1-workstation
@ -16,7 +15,7 @@
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
-        mode: '0644'
+        mode: 'go-r'
        owner: root
        group: root
      loop:
@ -32,8 +31,7 @@
      notify: Restart timeservice
 - name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony"
-  when:
+  when: ubtu24cis_rule_2_3_3_2
    - ubtu24cis_rule_2_3_3_2
  tags:
    - level1-server
    - level1-workstation
@ -47,8 +45,7 @@
    line: 'user _chrony'
 - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
-  when:
+  when: ubtu24cis_rule_2_3_3_3
    - ubtu24cis_rule_2_3_3_3
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
-  when:
+  when: ubtu24cis_rule_2_4_1_1
    - ubtu24cis_rule_2_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -20,8 +19,7 @@
    enabled: true
 - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_2
    - ubtu24cis_rule_2_4_1_2
  tags:
    - level1-server
    - level1-workstation
@ -34,11 +32,10 @@
    path: /etc/crontab
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
 - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_3
    - ubtu24cis_rule_2_4_1_3
  tags:
    - level1-server
    - level1-workstation
@ -51,12 +48,11 @@
    path: /etc/cron.hourly
    owner: root
    group: root
-    mode: '0700'
+    mode: 'u+x,go-rwx'
    state: directory
 - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_4
    - ubtu24cis_rule_2_4_1_4
  tags:
    - level1-server
    - level1-workstation
@ -69,12 +65,11 @@
    path: /etc/cron.daily
    owner: root
    group: root
-    mode: '0700'
+    mode: 'u+x,go-rwx'
    state: directory
 - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_5
    - ubtu24cis_rule_2_4_1_5
  tags:
    - level1-server
    - level1-workstation
@ -87,12 +82,11 @@
    path: /etc/cron.weekly
    owner: root
    group: root
-    mode: '0700'
+    mode: 'u+x,go-rwx'
    state: directory
 - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_6
    - ubtu24cis_rule_2_4_1_6
  tags:
    - level1-server
    - level1-workstation
@ -105,12 +99,11 @@
    path: /etc/cron.monthly
    owner: root
    group: root
-    mode: '0700'
+    mode: 'u+x,go-rwx'
    state: directory
 - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
-  when:
+  when: ubtu24cis_rule_2_4_1_7
    - ubtu24cis_rule_2_4_1_7
  tags:
    - level1-server
    - level1-workstation
@ -123,12 +116,11 @@
    path: /etc/cron.d
    owner: root
    group: root
-    mode: '0700'
+    mode: 'u+x,go-rwx'
    state: directory
 - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
-  when:
+  when: ubtu24cis_rule_2_4_1_8
    - ubtu24cis_rule_2_4_1_8
  tags:
    - level1-server
    - level1-workstation
@ -146,10 +138,10 @@
    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
      ansible.builtin.stat:
        path: /etc/cron.allow
-      register: ubtu24cis_2_4_1_8_status
+      register: discovered_cron_allow_status
    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
-      when: not ubtu24cis_2_4_1_8_status.stat.exists
+      when: not discovered_cron_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/cron.allow
        owner: root
@ -158,7 +150,7 @@
        state: touch
    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users |  Update cron.allow if exists"
-      when: ubtu24cis_2_4_1_8_status.stat.exists
+      when: discovered_cron_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/cron.allow
        owner: root
--- a/tasks/section_2/cis_2.4.2.x.yml
+++ b/tasks/section_2/cis_2.4.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
-  when:
+  when: ubtu24cis_rule_2_4_2_1
    - - ubtu24cis_rule_2_4_2_1
  tags:
    - level1-server
    - level1-workstation
@ -20,10 +19,10 @@
    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow"
      ansible.builtin.stat:
        path: /etc/at.allow
-      register: ubtu24cis_2_4_2_1_status
+      register: discovered_at_allow_status
    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist"
-      when: not ubtu24cis_2_4_2_1_status.stat.exists
+      when: not discovered_at_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/at.allow
        owner: root
@ -32,7 +31,7 @@
        state: touch
    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
-      when: ubtu24cis_2_4_2_1_status.stat.exists
+      when: discovered_at_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/at.allow
        owner: root
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -18,7 +18,7 @@
        path: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
        replace: '\1ipv6.disable=1\2'
-      register: ipv6disable_replaced
+      register: discovered_ipv6disable_replaced
      notify: Grub update
    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux"
@ -26,13 +26,13 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_3_1_1_cmdline_settings
+      register: discovered_ipv6_grub_cmdline_settings
    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist"
      when:
        - ubtu24cis_ipv6_disable == 'grub'
-        - ipv6disable_replaced is not changed
+        - discovered_ipv6disable_replaced is not changed
-        - "'ipv6.disable' not in ubtu24cis_3_1_1_cmdline_settings.stdout"
+        - "'ipv6.disable' not in discovered_ipv6_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
@ -47,13 +47,14 @@
        dest: "/{{ item }}"
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify: Flush ipv6 route table
      loop:
        - etc/sysctl.d/60-disable_ipv6.conf
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - prelim_wireless_modules.stdout is defined
    - ubtu24cis_rule_3_1_2
  tags:
    - level1-server
@ -70,15 +71,16 @@
        regexp: '^(#)?install true(\\s|$)'
        line: install {{ item }} true
        create: true
        mode: 'go-wx'
      loop: "{{ prelim_wireless_modules.stdout_lines }}"
-    - name: "3.1.2 | PATCH | Ensure dccp kernel module is not available | blacklist"
+    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^(#)?blacklist {{ item }}(\\s|$)"
        line: "blacklist {{ item }}"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
      loop: "{{ prelim_wireless_modules.stdout_lines }}"
 - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@ -18,6 +18,7 @@
        regexp: '^(#)?install dccp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install dccp /bin/true
        - blacklist dccp
@ -28,7 +29,7 @@
        regexp: "^(#)?blacklist cramfs(\\s|$)"
        line: "blacklist cramfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
  when:
@ -48,6 +49,7 @@
        regexp: '^(#)?install tipc(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install tipc /bin/true
        - blacklist tipc
@ -58,7 +60,7 @@
        regexp: "^(#)?blacklist tipc(\\s|$)"
        line: "blacklist tipc"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
  when:
@ -78,6 +80,7 @@
        regexp: '^(#)?install rds(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install rds /bin/true
        - blacklist rds
@ -88,7 +91,7 @@
        regexp: "^(#)?blacklist rds(\\s|$)"
        line: "blacklist rds"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
  when:
@ -108,6 +111,7 @@
        regexp: '^(#)?install sctp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install sctp /bin/true
        - blacklist sctp
@ -118,4 +122,4 @@
        regexp: "^(#)?blacklist sctp(\\s|$)"
        line: "blacklist sctp"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -72,8 +72,7 @@
  notify: Flush ipv4 route table
 - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
-  when:
+  when: ubtu24cis_rule_3_3_3
    - ubtu24cis_rule_3_3_3
  tags:
    - level1-server
    - level1-workstation
@ -97,8 +96,7 @@
  notify: Flush ipv4 route table
 - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
-  when:
+  when: ubtu24cis_rule_3_3_4
    - ubtu24cis_rule_3_3_4
  tags:
    - level1-server
    - level1-workstation
@ -122,8 +120,7 @@
  notify: Flush ipv4 route table
 - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
-  when:
+  when: ubtu24cis_rule_3_3_5
    - ubtu24cis_rule_3_3_5
  tags:
    - level1-server
    - level1-workstation
@ -167,8 +164,7 @@
      notify: Flush ipv6 route table
 - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
-  when:
+  when: ubtu24cis_rule_3_3_6
    - ubtu24cis_rule_3_3_6
  tags:
    - level1-server
    - level1-workstation
@ -195,8 +191,7 @@
  notify: Flush ipv4 route table
 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
-  when:
+  when: ubtu24cis_rule_3_3_7
    - ubtu24cis_rule_3_3_7
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_4/cis_4.1.1.yml
+++ b/tasks/section_4/cis_4.1.1.yml
@ -1,8 +1,7 @@
 ---
 - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use"
-  when:
+  when: ubtu24cis_rule_4_1_1
    - ubtu24cis_rule_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -12,31 +11,31 @@
  vars:
    warn_control_id: '4.1.1'
  block:
-
+    - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check packages"
    - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check packages"
      ansible.builtin.shell: dpkg-query -l | grep -Ec "^ii\s*ufw|^ii\s*iptables|^ii\s*nftables"
      changed_when: false
      failed_when: discovered_firewall_pkgs.rc not in [ 0, 1 ]
      register: discovered_firewall_pkgs
-    - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check enabled"
+    - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check enabled"
      when: discovered_firewall_pkgs.stdout not in [ 0, 1 ]
-      ansible.builtin.shell: for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled
+      ansible.builtin.shell: |
        for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled
      changed_when: false
      register: discovered_enabled_firewalls
      environment:
-        fw_enabled: 0
+        fw_enabled: '0'
    - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Message out warning"
      when:
        - discovered_enabled_firewalls.stdout is defined
-        - discovered_enabled_firewalls.stdout|int >= 2
+        - (discovered_enabled_firewalls.stdout|int) >= 2
      ansible.builtin.debug:
        msg: "Warning!! You have more than one firewalls installed and running or enabled. Please use UFW, iptables, or manually manage nftables"
    - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Set warning count"
      when:
        - discovered_enabled_firewalls.stdout is defined
-        - discovered_enabled_firewalls.stdout|int >= 2
+        - (discovered_enabled_firewalls.stdout|int) >= 2
      ansible.builtin.import_tasks:
        file: warning_facts.yml
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
@ -33,8 +33,7 @@
 # Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling
 - name: "4.2.3 | PATCH | Ensure ufw service is enabled"
-  when:
+  when: ubtu24cis_rule_4_2_3
    - ubtu24cis_rule_4_2_3
  tags:
    - level1-server
    - level1-workstation
@ -58,8 +57,7 @@
        state: started
 - name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured"
-  when:
+  when: ubtu24cis_rule_4_2_4
    - ubtu24cis_rule_4_2_4
  tags:
    - level1-server
    - level1-workstation
@ -98,8 +96,7 @@
      notify: Reload ufw
 - name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured"
-  when:
+  when: ubtu24cis_rule_4_2_5
    - ubtu24cis_rule_4_2_5
  tags:
    - level1-server
    - level1-workstation
@ -126,8 +123,7 @@
      notify: Reload ufw
 - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports"
-  when:
+  when: ubtu24cis_rule_4_2_6
    - ubtu24cis_rule_4_2_6
  tags:
    - level1-server
    - level1-workstation
@ -139,18 +135,18 @@
    warn_control_id: '4.2.6'
  block:
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.shell: ss -4tuln
+      ansible.builtin.command: ss -4tuln
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_2_6_open_listen_ports
+      register: discovered_ufw_open_listen_ports
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules"
-      ansible.builtin.shell: ufw status
+      ansible.builtin.command: ufw status
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_2_6_firewall_rules
+      register: discovered_ufw_firewall_rules
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings"
      ansible.builtin.debug:
@ -158,17 +154,16 @@
          - "Warning!! Below are the listening ports and firewall rules"
          - "Please create firewall rule for any open ports if not already done"
          - "*****---Open Listen Ports---*****"
-          - "{{ ubtu24cis_4_2_6_open_listen_ports.stdout_lines }}"
+          - "{{ discovered_ufw_open_listen_ports.stdout_lines }}"
          - "*****---Firewall Rules---*****"
-          - "{{ ubtu24cis_4_2_6_firewall_rules.stdout_lines }}"
+          - "{{ discovered_ufw_firewall_rules.stdout_lines }}"
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml
 - name: "4.2.7 | PATCH | Ensure ufw default deny firewall policy"
-  when:
+  when: ubtu24cis_rule_4_2_7
    - ubtu24cis_rule_4_2_7
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@ -96,10 +96,10 @@
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
        # ansible.builtin.shell: "nft create table {{ ubtu24cis_nftables_table_name }}"
-        # changed_when: ubtu24cis_4_3_4_new_table.rc == 0
+        # changed_when: discovered_new_nftable.rc == 0
        # failed_when: false
        # check_mode: false
-        # register: ubtu24cis_4_3_4_new_table
+        # register: discovered_new_nftable
    - name: "4.3.4 | AUDIT | Ensure a nftables table exists | Set warning count"
      ansible.builtin.import_tasks:
--- a/tasks/section_4/cis_4.4.1.x.yml
+++ b/tasks/section_4/cis_4.4.1.x.yml
@ -170,20 +170,22 @@
    - audit
    - rule_4.4.1.4
    - iptables
  vars:
    warn_control_id: '4.4.1.4'
  block:
    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.shell: ss -4tuln
+      ansible.builtin.command: ss -4tuln
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_1_4_open_ports
+      register: discovered_open_ports
    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.shell: iptables -L INPUT -v -n
+      ansible.builtin.command: iptables -L INPUT -v -n
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_1_4_current_rules
+      register: discovered_current_rules
    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
      ansible.builtin.debug:
@ -191,15 +193,13 @@
          - "Warning!! Below is the list the open ports and current rules"
          - "Please create a rule for any open port that does not have a current rule"
          - "Open Ports:"
-          - "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}"
+          - "{{ discovered_open_ports.stdout_lines }}"
          - "Current Rules:"
-          - "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}"
+          - "{{ discovered_current_rules.stdout_lines }}"
    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml
  vars:
    warn_control_id: '4.4.1.4'
 # ---------------
 # ---------------
@ -217,9 +217,9 @@
 #       - name: "Make IPTables persistent | Save to persistent files"
 #         ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
-#         changed_when: ubtu24cis_iptables_save.rc == 0
+#         changed_when: discovered_iptables_save.rc == 0
-#         failed_when: ubtu24cis_iptables_save.rc > 0
+#         failed_when: discovered_iptables_save.rc > 0
-#         register: ubtu24cis_iptables_save
+#         register: discovered_iptables_save
 #   when:
 #       - ubtu24cis_firewall_package == "iptables"
 #       - ubtu24cis_save_iptables_cis_rules
@ -353,18 +353,18 @@
    warn_control_id: '4.4.1.4'
  block:
    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.shell: ss -6tuln
+      ansible.builtin.command: ss -6tuln
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_1_4_open_ports
+      register: discovered_open_ports
    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.shell: ip6tables -L INPUT -v -n
+      ansible.builtin.command: ip6tables -L INPUT -v -n
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_1_4_current_rules
+      register: discovered_current_rules
    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
      ansible.builtin.debug:
@ -372,9 +372,9 @@
          - "Warning!! Below is the list the open ports and current rules"
          - "Please create a rule for any open port that does not have a current rule"
          - "Open Ports:"
-          - "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}"
+          - "{{ discovered_open_ports.stdout_lines }}"
          - "Current Rules:"
-          - "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}"
+          - "{{ discovered_current_rules.stdout_lines }}"
    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
@ -398,9 +398,9 @@
 #       - name: "Make IP6Tables persistent | Save to persistent files"
 #         ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-#         changed_when: ubtu24cis_ip6tables_save.rc == 0
+#         changed_when: discovered_ip6tables_save.rc == 0
-#         failed_when: ubtu24cis_ip6tables_save.rc > 0
+#         failed_when: discovered_ip6tables_save.rc > 0
-#         register: ubtu24cis_ip6tables_save
+#         register: discovered_ip6tables_save
 #   when:
 #       - ubtu24cis_firewall_package == "iptables"
 #       - ubtu24cis_ipv6_required
--- a/tasks/section_4/cis_4.4.2.x.yml
+++ b/tasks/section_4/cis_4.4.2.x.yml
@ -133,18 +133,18 @@
    warn_control_id: '4.4.2.4'
  block:
    - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.shell: ss -4tuln
+      ansible.builtin.command: ss -4tuln
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_1_4_open_ports
+      register: discovered_open_ports
    - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.shell: iptables -L INPUT -v -n
+      ansible.builtin.command: iptables -L INPUT -v -n
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_2_4_current_rules
+      register: discovered_current_rules
    - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
      ansible.builtin.debug:
@ -152,9 +152,9 @@
          - "Warning!! Below is the list the open ports and current rules"
          - "Please create a rule for any open port that does not have a current rule"
          - "Open Ports:"
-          - "{{ ubtu24cis_4_4_2_4_open_ports.stdout_lines }}"
+          - "{{ discovered_open_ports.stdout_lines }}"
          - "Current Rules:"
-          - "{{ ubtu24cis_4_4_2_4_current_rules.stdout_lines }}"
+          - "{{ discovered_current_rules.stdout_lines }}"
    - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
@ -176,9 +176,9 @@
 #       - name: "Make IPTables persistent | Save to persistent files"
 #         ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
-#         changed_when: ubtu24cis_iptables_save.rc == 0
+#         changed_when: discovered_iptables_save.rc == 0
-#         failed_when: ubtu24cis_iptables_save.rc > 0
+#         failed_when: discovered_iptables_save.rc > 0
-#         register: ubtu24cis_iptables_save
+#         register: discovered_iptables_save
 #   when:
 #       - ubtu24cis_firewall_package == "iptables"
 #       - ubtu24cis_save_iptables_cis_rules
--- a/tasks/section_4/cis_4.4.3.x.yml
+++ b/tasks/section_4/cis_4.4.3.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy"
-  when:
+  when: ubtu24cis_rule_4_4_3_1
    - ubtu24cis_rule_4_4_3_1
  tags:
    - level1-server
    - level1-workstationå
@ -126,18 +125,18 @@
    warn_control_id: '4.4.3.4'
  block:
    - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.shell: ss -6tuln
+      ansible.builtin.command: ss -6tuln
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_3_4_open_ports
+      register: discovered_open_ports
    - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.shell: ip6tables -L INPUT -v -n
+      ansible.builtin.command: ip6tables -L INPUT -v -n
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_4_4_3_4_current_rules
+      register: discovered_current_rules
    - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
      ansible.builtin.debug:
@ -145,9 +144,9 @@
          - "Warning!! Below is the list the open ports and current rules"
          - "Please create a rule for any open port that does not have a current rule"
          - "Open Ports:"
-          - "{{ ubtu24cis_4_4_3_4_open_ports.stdout_lines }}"
+          - "{{ discovered_open_ports.stdout_lines }}"
          - "Current Rules:"
-          - "{{ ubtu24cis_4_4_3_4_current_rules.stdout_lines }}"
+          - "{{ discovered_current_rules.stdout_lines }}"
    - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
@ -171,9 +170,9 @@
 #       - name: "Make IP6Tables persistent | Save to persistent files"
 #         ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-#         changed_when: ubtu24cis_ip6tables_save.rc == 0
+#         changed_when: discovered_ip6tables_save.rc == 0
-#         failed_when: ubtu24cis_ip6tables_save.rc > 0
+#         failed_when: discovered_ip6tables_save.rc > 0
-#         register: ubtu24cis_ip6tables_save
+#         register: discovered_ip6tables_save
 #   when:
 #       - ubtu24cis_firewall_package == "iptables"
 #       - ubtu24cis_ipv6_required
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
-  when:
+  when: ubtu24cis_rule_5_1_1
    - ubtu24cis_rule_5_1_1
  tags:
    - level1-server
    - level1-workstation
@ -36,8 +35,7 @@
      loop: "{{ discovered_sshd_confs.files }}"
 - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
-  when:
+  when: ubtu24cis_rule_5_1_2
    - ubtu24cis_rule_5_1_2
  tags:
    - level1-server
    - level1-workstation
@ -51,7 +49,7 @@
      ansible.builtin.find:
        paths: /etc/ssh
        patterns: 'ssh_host_*_key'
-      register: ubtu24cis_5_1_2_ssh_host_priv_keys
+      register: discovered_ssh_host_priv_keys
    - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions"
      ansible.builtin.file:
@ -60,13 +58,12 @@
        group: root
        mode: 'o-x,go-rwx'
      with_items:
-        - "{{ ubtu24cis_5_1_2_ssh_host_priv_keys.files }}"
+        - "{{ discovered_ssh_host_priv_keys.files }}"
      loop_control:
        label: "{{ item.path }}"
 - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
-  when:
+  when: ubtu24cis_rule_5_1_3
    - ubtu24cis_rule_5_1_3
  tags:
    - level1-server
    - level1-workstation
@ -80,22 +77,21 @@
      ansible.builtin.find:
        paths: /etc/ssh
        patterns: 'ssh_host_*_key.pub'
-      register: ubtu24cis_5_1_3_ssh_host_pub_keys
+      register: discovered_ssh_host_pub_keys
    - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions"
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      with_items:
-        - "{{ ubtu24cis_5_1_3_ssh_host_pub_keys.files }}"
+        - "{{ discovered_ssh_host_pub_keys.files }}"
      loop_control:
        label: "{{ item.path }}"
 - name: "5.1.4 | PATCH | Ensure sshd access is configured"
-  when:
+  when: ubtu24cis_rule_5_1_4
    - ubtu24cis_rule_5_1_4
  tags:
    - level1-server
    - level1-workstation
@ -106,44 +102,43 @@
    - sshd
  block:
    - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users"
-      when: "ubtu24cis_sshd['allow_users']| default('') | length > 0 "
+      when: "ubtu24cis_sshd_allow_users| default('') | length > 0 "
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '(?i)^(#|)\s*AllowUsers'
-        line: 'AllowUsers {{ ubtu24cis_sshd.allow_users }}'
+        line: 'AllowUsers {{ ubtu24cis_sshd_allow_users }}'
        validate: 'sshd -t -f %s'
      notify: Restart sshd
    - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups"
-      when: "ubtu24cis_sshd['allow_groups']| default('') | length > 0"
+      when: "ubtu24cis_sshd_allow_groups| default('') | length > 0"
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '(?i)^(#|)\s*AllowGroups'
-        line: 'AllowGroups {{ ubtu24cis_sshd.allow_groups }}'
+        line: 'AllowGroups {{ ubtu24cis_sshd_allow_groups }}'
        validate: 'sshd -t -f %s'
      notify: Restart sshd
    - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users"
-      when: "ubtu24cis_sshd['deny_users']| default('') | length > 0"
+      when: "ubtu24cis_sshd_deny_users| default('') | length > 0"
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '(?i)^(#|)\s*DenyUsers'
-        line: 'DenyUsers {{ ubtu24cis_sshd.deny_users }}'
+        line: 'DenyUsers {{ ubtu24cis_sshd_deny_users }}'
        validate: 'sshd -t -f %s'
      notify: Restart sshd
    - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups"
-      when: "ubtu24cis_sshd['deny_groups']| default('') | length > 0"
+      when: "ubtu24cis_sshd_deny_groups| default('') | length > 0"
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^DenyGroups|^#DenyGroups'
-        line: 'DenyGroups {{ ubtu24cis_sshd.deny_groups }}'
+        line: 'DenyGroups {{ ubtu24cis_sshd_deny_groups }}'
        validate: 'sshd -t -f %s'
      notify: Restart sshd
 - name: "5.1.5| PATCH | Ensure sshd Banner is configured"
-  when:
+  when: ubtu24cis_rule_5_1_5
    - ubtu24cis_rule_5_1_5
  tags:
    - level1-server
    - level1-workstation
@ -164,8 +159,7 @@
  notify: Restart sshd
 - name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
-  when:
+  when: ubtu24cis_rule_5_1_6
    - ubtu24cis_rule_5_1_6
  tags:
    - level1-server
    - level1-workstation
@ -176,14 +170,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: ^Ciphers
-    line: "Ciphers {{ ubtu24cis_sshd.ciphers | join(',') }}"
+    line: "Ciphers {{ ubtu24cis_sshd_ciphers | join(',') }}"
    insertafter: '^# Ciphers and keying'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
-  when:
+  when: ubtu24cis_rule_5_1_7
    - ubtu24cis_rule_5_1_7
  tags:
    - level1-server
    - level1-workstation
@ -201,13 +194,12 @@
    line: "{{ item.line }}"
    validate: 'sshd -t -f %s'
  with_items:
-    - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd.client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' }
+    - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd_client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' }
-    - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd.client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' }
+    - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd_client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' }
  notify: Restart sshd
 - name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled"
-  when:
+  when: ubtu24cis_rule_5_1_8
    - ubtu24cis_rule_5_1_8
  tags:
    - level2-server
    - level1-workstation
@ -223,8 +215,7 @@
  notify: Restart sshd
 - name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is  is disabled"
-  when:
+  when: ubtu24cis_rule_5_1_9
    - ubtu24cis_rule_5_1_9
  tags:
    - level2-server
    - level1-workstation
@ -244,8 +235,7 @@
  notify: Restart sshd
 - name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
-  when:
+  when: ubtu24cis_rule_5_1_10
    - ubtu24cis_rule_5_1_10
  tags:
    - level1-server
    - level1-workstation
@ -265,8 +255,7 @@
  notify: Restart sshd
 - name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
-  when:
+  when: ubtu24cis_rule_5_1_11
    - ubtu24cis_rule_5_1_11
  tags:
    - level1-server
    - level1-workstation
@ -286,8 +275,7 @@
  notify: Restart sshd
 - name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
-  when:
+  when: ubtu24cis_rule_5_1_12
    - ubtu24cis_rule_5_1_12
  tags:
    - level1-server
    - level1-workstation
@ -298,14 +286,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*KexAlgorithms
-    line: "KexAlgorithms {{ ubtu24cis_sshd.kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}"
+    line: "KexAlgorithms {{ ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}"
    insertafter: '^# Ciphers and keying'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
-  when:
+  when: ubtu24cis_rule_5_1_13
    - ubtu24cis_rule_5_1_13
  tags:
    - level1-server
    - level1-workstation
@ -316,14 +303,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*LoginGraceTime
-    line: 'LoginGraceTime {{ ubtu24cis_sshd.login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}'
+    line: 'LoginGraceTime {{ ubtu24cis_sshd_login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}'
    insertafter: '^# Authentication'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
-  when:
+  when: ubtu24cis_rule_5_1_14
    - ubtu24cis_rule_5_1_14
  tags:
    - level1-server
    - level1-workstation
@ -336,14 +322,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*LogLevel
-    line: 'LogLevel {{ ubtu24cis_sshd.log_level | default(ubtu24cis_sshd_default_log_level) }}'
+    line: 'LogLevel {{ ubtu24cis_sshd_log_level | default(ubtu24cis_sshd_default_log_level) }}'
    insertafter: '^# Logging'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
-  when:
+  when: ubtu24cis_rule_5_1_15
    - ubtu24cis_rule_5_1_15
  tags:
    - level1-server
    - level1-workstation
@ -358,14 +343,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*MACs
-    line: "MACs {{ ubtu24cis_sshd.macs | default(ubtu24cis_sshd_default_macs) | join(',') }}"
+    line: "MACs {{ ubtu24cis_sshd_macs | default(ubtu24cis_sshd_default_macs) | join(',') }}"
    insertafter: '^# Ciphers and keying'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
-  when:
+  when: ubtu24cis_rule_5_1_16
    - ubtu24cis_rule_5_1_16
  tags:
    - level1-server
    - level1-workstation
@ -376,14 +360,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*MaxAuthTries
-    line: 'MaxAuthTries {{ ubtu24cis_sshd.max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}'
+    line: 'MaxAuthTries {{ ubtu24cis_sshd_max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}'
    insertafter: '^# Authentication'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured"
-  when:
+  when: ubtu24cis_rule_5_1_17
    - ubtu24cis_rule_5_1_17
  tags:
    - level1-server
    - level1-workstation
@ -398,14 +381,13 @@
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: (?i)^(#|)\s*MaxSessions
-    line: 'MaxSessions {{ ubtu24cis_sshd.max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}'
+    line: 'MaxSessions {{ ubtu24cis_sshd_max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}'
    insertafter: '^# Authentication'
    validate: 'sshd -t -f %s'
  notify: Restart sshd
 - name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
-  when:
+  when: ubtu24cis_rule_5_1_18
    - ubtu24cis_rule_5_1_18
  tags:
    - level1-server
    - level1-workstation
@ -425,8 +407,7 @@
  notify: Restart sshd
 - name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
-  when:
+  when: ubtu24cis_rule_5_1_19
    - ubtu24cis_rule_5_1_19
  tags:
    - level1-server
    - level1-workstation
@ -447,8 +428,7 @@
  notify: Restart sshd
 - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
-  when:
+  when: ubtu24cis_rule_5_1_20
    - ubtu24cis_rule_5_1_20
  tags:
    - level1-server
    - level1-workstation
@ -464,8 +444,7 @@
  notify: Restart sshd
 - name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
-  when:
+  when: ubtu24cis_rule_5_1_21
    - ubtu24cis_rule_5_1_21
  tags:
    - level1-server
    - level1-workstation
@ -485,8 +464,7 @@
  notify: Restart sshd
 - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
-  when:
+  when: ubtu24cis_rule_5_1_22
    - ubtu24cis_rule_5_1_22
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.2.1 | PATCH | Ensure sudo is installed"
-  when:
+  when: ubtu24cis_rule_5_2_1
    - ubtu24cis_rule_5_2_1
  tags:
    - level1-server
    - level1-workstation
@ -15,8 +14,7 @@
    state: present
 - name: "5.2.2 | PATCH | Ensure sudo commands use pty"
-  when:
+  when: ubtu24cis_rule_5_2_2
    - ubtu24cis_rule_5_2_2
  tags:
    - level1-server
    - level1-workstation
@ -31,8 +29,7 @@
    insertafter: '^\s*Defaults'
 - name: "5.2.3 | PATCH | Ensure sudo log file exists"
-  when:
+  when: ubtu24cis_rule_5_2_3
    - ubtu24cis_rule_5_2_3
  tags:
    - level1-server
    - level1-workstation
@ -48,8 +45,7 @@
    insertafter: '^\s*Defaults'
 - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
-  when:
+  when: ubtu24cis_rule_5_2_4
    - ubtu24cis_rule_5_2_4
  tags:
    - level2-server
    - level2-workstation
@ -75,8 +71,7 @@
      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
-  when:
+  when: ubtu24cis_rule_5_2_5
    - ubtu24cis_rule_5_2_5
  tags:
    - level1-server
    - level1-workstation
@ -92,8 +87,7 @@
  loop: "{{ prelim_sudoers_files.stdout_lines }}"
 - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
-  when:
+  when: ubtu24cis_rule_5_2_6
    - ubtu24cis_rule_5_2_6
  tags:
    - level1-server
    - level1-workstation
@ -106,10 +100,10 @@
      ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
      changed_when: false
      failed_when: false
-      register: ubtu24cis_5_2_6_timeout_files
+      register: discovered_ubtu24cis_ssh_timeout_files
    - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
-      when: ubtu24cis_5_2_6_timeout_files.stdout | length == 0
+      when: discovered_ubtu24cis_ssh_timeout_files.stdout | length == 0
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^\s*Defaults/s+timestamp_timeout='
@ -118,17 +112,16 @@
        validate: '/usr/sbin/visudo -cf %s'
    - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
-      when: ubtu24cis_5_2_6_timeout_files.stdout | length > 0
+      when: discovered_ubtu24cis_ssh_timeout_files.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'timestamp_timeout=(\d+)'
        replace: "timestamp_timeout={{ ubtu24cis_sudo_timestamp_timeout }}"
        validate: '/usr/sbin/visudo -cf %s'
-      loop: "{{ ubtu24cis_5_2_6_timeout_files.stdout_lines }}"
+      loop: "{{ discovered_ubtu24cis_ssh_timeout_files.stdout_lines }}"
 - name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
-  when:
+  when: ubtu24cis_rule_5_2_7
    - ubtu24cis_rule_5_2_7
  tags:
    - level1-server
    - level1-workstation
@ -142,7 +135,6 @@
      ansible.builtin.group:
        name: "{{ ubtu24cis_sugroup }}"
        state: present
      register: ubtu24cis_5_2_7_sugroup
    - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
      ansible.builtin.lineinfile:
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -19,7 +19,7 @@
    dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  notify: Pam_auth_update_pwunix
 - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
@ -41,7 +41,7 @@
    dest: "/{{ ubtu24cis_pam_confd_dir }}{{ item }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  loop:
    - "{{ ubtu24cis_pam_faillock_file }}"
    - "{{ ubtu24cis_pam_faillock_notify_file }}"
@ -67,7 +67,7 @@
    dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwquality_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  notify: Pam_auth_update_pwquality
 - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -88,5 +88,5 @@
    dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  notify: Pam_auth_update_pwhistory
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_1_1
    - ubtu24cis_rule_5_3_3_1_1
  tags:
    - level1-server
    - level1-workstation
@ -18,15 +17,16 @@
        line: "deny = {{ ubtu24cis_faillock_deny }}"
        insertafter: '^# end of pam-auth-update config'
        create: true
        mode: 'go-wx'
    - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny"
      ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/*
-      register: ubtu24cis_faillock_deny_files
+      register: discovered_faillock_deny_files
      changed_when: false
-      failed_when: ubtu24cis_faillock_deny_files.rc not in [ 0, 1 ]
+      failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ]
    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
-      when: ubtu24cis_faillock_deny_files.stdout | length > 0
+      when: discovered_faillock_deny_files.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
@ -36,8 +36,7 @@
        - '/etc/pam.d/*'
 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_1_2
    - ubtu24cis_rule_5_3_3_1_2
  tags:
    - level1-server
    - level1-workstation
@ -53,15 +52,16 @@
        line: "unlock_time = {{ ubtu24cis_faillock_unlock_time }}"
        insertafter: '^# end of pam-auth-update config'
        create: true
        mode: 'go-wx'
    - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time"
      ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/*
-      register: ubtu24cis_faillock_unlock_files
+      register: discovered_faillock_unlock_files
      changed_when: false
-      failed_when: ubtu24cis_faillock_unlock_files.rc not in [ 0, 1 ]
+      failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ]
    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
-      when: ubtu24cis_faillock_unlock_files.stdout | length > 0
+      when: discovered_faillock_unlock_files.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
@ -71,8 +71,7 @@
        - '/etc/pam.d/*'
 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
-  when:
+  when: ubtu24cis_rule_5_3_3_1_3
    - ubtu24cis_rule_5_3_3_1_3
  tags:
    - level2-server
    - level2-workstation
@ -88,15 +87,16 @@
        line: "{{ ubtu24cis_pamroot_lock_string }}"
        insertafter: '^# end of pam-auth-update config'
        create: true
        mode: 'go-wx'
    - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time"
      ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/*
-      register: ubtu24cis_faillock_rootlock_files
+      register: discovered_faillock_rootlock_files
      changed_when: false
-      failed_when: ubtu24cis_faillock_rootlock_files.rc not in [ 0, 1 ]
+      failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ]
    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
-      when: ubtu24cis_faillock_rootlock_files.stdout | length > 0
+      when: discovered_faillock_rootlock_files.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_1
    - ubtu24cis_rule_5_3_3_2_1
  tags:
    - level1-server
    - level1-workstation
@ -12,8 +11,7 @@
    - pam
  block:
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_difok_file
        - item != ubtu24cis_passwd_difok_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'difok\s*=\s*\d+\b'
@ -29,11 +27,10 @@
        dest: "/{{ ubtu24cis_passwd_difok_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_2
    - ubtu24cis_rule_5_3_3_2_2
  tags:
    - level1-server
    - level1-workstation
@ -43,8 +40,7 @@
    - pam
  block:
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_minlen_file
        - item != ubtu24cis_passwd_minlen_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'minlen\s*=\s*\d+\b'
@ -60,11 +56,10 @@
        dest: "/{{ ubtu24cis_passwd_minlen_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_3
    - ubtu24cis_rule_5_3_3_2_3
  tags:
    - level1-server
    - level1-workstation
@ -74,8 +69,7 @@
    - pam
  block:
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_complex_file
        - item != ubtu24cis_passwd_complex_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
@ -91,11 +85,10 @@
        dest: "/{{ ubtu24cis_passwd_complex_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_4
    - ubtu24cis_rule_5_3_3_2_4
  tags:
    - level1-server
    - level1-workstation
@ -105,8 +98,7 @@
    - pam
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_maxrepeat_file
        - item != ubtu24cis_passwd_maxrepeat_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
@ -122,11 +114,10 @@
        dest: "/{{ ubtu24cis_passwd_maxrepeat_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_5
    - ubtu24cis_rule_5_3_3_2_5
  tags:
    - level1-server
    - level1-workstation
@ -136,8 +127,7 @@
    - pam
  block:
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_maxsequence_file
        - item != ubtu24cis_passwd_maxsequence_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'maxsequence\s*=\s*\d+\b'
@ -153,11 +143,10 @@
        dest: "/{{ ubtu24cis_passwd_maxsequence_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_6
    - ubtu24cis_rule_5_3_3_2_6
  tags:
    - level1-server
    - level1-workstation
@ -167,8 +156,7 @@
    - pam
  block:
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_dictcheck_file
        - item != ubtu24cis_passwd_dictcheck_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'dictcheck\s*=\s*\d+\b'
@ -184,11 +172,10 @@
        dest: "/{{ ubtu24cis_passwd_dictcheck_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_7
    - ubtu24cis_rule_5_3_3_2_7
  tags:
    - level1-server
    - level1-workstation
@ -198,8 +185,7 @@
    - pam
  block:
    - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
-      when:
+      when: item != ubtu24cis_passwd_quality_enforce_file
        - item != ubtu24cis_passwd_quality_enforce_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'enforcing\s*=\s*\d+\b'
@ -215,11 +201,10 @@
        dest: "/{{ ubtu24cis_passwd_quality_enforce_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
 - name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user"
-  when:
+  when: ubtu24cis_rule_5_3_3_2_8
    - ubtu24cis_rule_5_3_3_2_8
  tags:
    - level1-server
    - level1-workstation
@ -232,4 +217,4 @@
    dest: "/{{ ubtu24cis_passwd_quality_enforce_root_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@ -14,12 +14,12 @@
  block:
    - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
      ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/common-password
-      register: ubtu24_pwhistory_remember
+      register: discovered_pwhistory_remember
      changed_when: false
-      failed_when: ubtu24_pwhistory_remember.rc not in [0, 1]
+      failed_when: discovered_pwhistory_remember.rc not in [0, 1]
    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
-      when: ubtu24_pwhistory_remember.stdout | length > 0
+      when: discovered_pwhistory_remember.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
        regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+)
@ -41,12 +41,12 @@
  block:
    - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
      ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?enforce_for_root\b' /etc/pam.d/common-password
-      register: ubtu24_pwhistory_enforce_for_root
+      register: discovered_pwhistory_enforce_for_root
      changed_when: false
-      failed_when: ubtu24_pwhistory_enforce_for_root.rc not in [0, 1]
+      failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
-      when: ubtu24_pwhistory_enforce_for_root.stdout | length > 0
+      when: discovered_pwhistory_enforce_for_root.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
        regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root)
@ -68,12 +68,12 @@
  block:
    - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
      ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password
-      register: ubtu24_pwhistory_use_authtok
+      register: discovered_pwhistory_use_authtok
      changed_when: false
-      failed_when: ubtu24_pwhistory_use_authtok.rc not in [0, 1]
+      failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
-      when: ubtu24_pwhistory_use_authtok.stdout | length > 0
+      when: discovered_pwhistory_use_authtok.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
        regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok)
--- a/tasks/section_5/cis_5.3.3.4.x.yml
+++ b/tasks/section_5/cis_5.3.3.4.x.yml
@ -15,21 +15,20 @@
    - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state"
      ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq
      changed_when: false
-      failed_when: ubtu24cis_pam_nullok.rc not in [ 0, 1 ]
+      failed_when: discovered_pam_nullok.rc not in [ 0, 1 ]
-      register: ubtu24cis_pam_nullok
+      register: discovered_pam_nullok
    - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed"
-      when: ubtu24cis_pam_nullok.stdout | length > 0
+      when: discovered_pam_nullok.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: nullok
        replace: ''
-      loop: "{{ ubtu24cis_pam_nullok.stdout_lines }}"
+      loop: "{{ discovered_pam_nullok.stdout_lines }}"
      notify: Pam_auth_update_pwunix
 - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember"
-  when:
+  when: ubtu24cis_rule_5_3_3_4_2
    - ubtu24cis_rule_5_3_3_4_2
  tags:
    - level1-server
    - level1-workstation
@ -41,11 +40,11 @@
    - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
      ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b'
      changed_when: false
-      failed_when: ubtu24cis_pam_remember.rc not in [ 0, 1 ]
+      failed_when: discovered_pam_remember.rc not in [ 0, 1 ]
-      register: ubtu24cis_pam_remember
+      register: discovered_pam_remember
    - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
-      when: ubtu24cis_pam_remember.stdout | length > 0
+      when: discovered_pam_remember.stdout | length > 0
      ansible.builtin.replace:
        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
        regexp: remember=\d+
@ -53,8 +52,7 @@
      notify: Pam_auth_update_pwunix
 - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm"
-  when:
+  when: ubtu24cis_rule_5_3_3_4_3
    - ubtu24cis_rule_5_3_3_4_3
  tags:
    - level1-server
    - level1-workstation
@ -66,11 +64,11 @@
    - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
      ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu24cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password
      changed_when: false
-      failed_when: ubtu24cis_pam_pwhash.rc not in [ 0, 1 ]
+      failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ]
-      register: ubtu24cis_pam_pwhash
+      register: discovered_pam_pwhash
    - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
-      when: ubtu24cis_pam_remember.stdout | length > 0
+      when: discovered_pam_remember.stdout | length > 0
      ansible.builtin.replace:
        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
        regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
@ -78,8 +76,7 @@
      notify: Pam_auth_update_pwunix
 - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok"
-  when:
+  when: ubtu24cis_rule_5_3_3_4_4
    - ubtu24cis_rule_5_3_3_4_4
  tags:
    - level1-server
    - level1-workstation
@ -91,13 +88,13 @@
    - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
      ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password
      changed_when: false
-      failed_when: ubtu24cis_pam_authtok.rc not in [ 0, 1 ]
+      failed_when: discovered_pam_authtok.rc not in [ 0, 1 ]
-      register: ubtu24cis_pam_authtok
+      register: discovered_pam_authtok
    - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
      when:
-        - ubtu24cis_pam_authtok is defined
+        - discovered_pam_authtok is defined
-        - ubtu24cis_pam_authtok | length > 0
+        - discovered_pam_authtok | length > 0
      ansible.builtin.lineinfile:
        path: "/etc/pam.d/common-password"
        regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$)
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
-  when:
+  when: ubtu24cis_rule_5_4_1_1
    - ubtu24cis_rule_5_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -20,27 +19,26 @@
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS'
-        line: 'PASS_MAX_DAYS {{ ubtu24cis_pass.max_days }}'
+        line: 'PASS_MAX_DAYS {{ ubtu24cis_pass_max_days }}'
        insertafter: '# Password aging controls'
    - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS"
-      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass.max_days }} || $5<{{ ubtu24cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow"
+      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass_max_days }} || $5<{{ ubtu24cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow"
      changed_when: false
      failed_when: false
-      register: ubtu24cis_max_days
+      register: discovered_passwd_max_days
    - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
      when:
        - ubtu24cis_disruption_high
        - (item != 'root') or (not ubtu24cis_uses_root)
-      ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.max_days }} {{ item }}
+      ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_max_days }} {{ item }}
      failed_when: false
-      changed_when: ubtu24cis_max_days.stdout | length > 0
+      changed_when: discovered_passwd_max_days.stdout | length > 0
-      loop: "{{ ubtu24cis_max_days.stdout_lines }}"
+      loop: "{{ discovered_passwd_max_days.stdout_lines }}"
 - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured"
-  when:
+  when: ubtu24cis_rule_5_4_1_2
    - ubtu24cis_rule_5_4_1_2
  tags:
    - level2-server
    - level2-workstation
@ -54,22 +52,22 @@
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS'
-        line: 'PASS_MIN_DAYS {{ ubtu24cis_pass.min_days }}'
+        line: 'PASS_MIN_DAYS {{ ubtu24cis_pass_min_days }}'
    - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS"
-      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass.min_days }})) {print $1}' /etc/shadow"
+      ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass_min_days }})) {print $1}' /etc/shadow"
      changed_when: false
      failed_when: false
-      register: ubtu24cis_passwd_min_days
+      register: discovered_passwd_min_days
    - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS"
      when:
        - ubtu24cis_disruption_high
        - (item != 'root') or (not ubtu24cis_uses_root)
-      ansible.builtin.shell: chage --mindays {{ ubtu24cis_pass.min_days }} {{ item }}
+      ansible.builtin.command: chage --mindays {{ ubtu24cis_pass_min_days }} {{ item }}
      failed_when: false
-      changed_when: ubtu24cis_passwd_min_days.stdout |length > 0
+      changed_when: discovered_passwd_min_days.stdout |length > 0
-      loop: "{{ ubtu24cis_passwd_min_days.stdout_lines }}"
+      loop: "{{ discovered_passwd_min_days.stdout_lines }}"
 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
  when:
@ -87,22 +85,22 @@
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE'
-        line: 'PASS_WARN_AGE {{ ubtu24cis_pass.warn_age }}'
+        line: 'PASS_WARN_AGE {{ ubtu24cis_pass_warn_age }}'
-    - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE"
+    - name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE"
-      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass.warn_age }}){print $1}' /etc/shadow"
+      ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass_warn_age }}){print $1}' /etc/shadow"
      changed_when: false
      failed_when: false
-      register: ubtu24cis_passwd_warn_days
+      register: discovered_passwd_warn_days
    - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE"
      when:
        - ubtu24cis_disruption_high
        - (item != 'root') or (not ubtu24cis_uses_root)
-      ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.warn_age }} {{ item }}
+      ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_warn_age }} {{ item }}
      failed_when: false
-      changed_when: ubtu24cis_passwd_warn_days.stdout | length > 0
+      changed_when: discovered_passwd_warn_days.stdout | length > 0
-      loop: "{{ ubtu24cis_passwd_warn_days.stdout_lines }}"
+      loop: "{{ discovered_passwd_warn_days.stdout_lines }}"
 - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
  when:
@ -132,31 +130,33 @@
    - login
  block:
    - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
-      ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
+      ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
      changed_when: false
      failed_when: false
-      register: ubtu24cis_passwd_inactive_setting
+      register: discovered_passwd_inactive_setting
    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
-      when: ubtu24cis_passwd_inactive_setting.stdout != ubtu24cis_pass.inactive | string
+      when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
-      ansible.builtin.shell: useradd -D -f {{ ubtu24cis_pass.inactive }}
+      ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
      failed_when: false
      changed_when: true
    - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users"
-      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass.inactive }}))) {print $1}' /etc/shadow"
+      ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass_inactive }}))) {print $1}' /etc/shadow"
      changed_when: false
      failed_when: false
-      register: ubtu24cis_passwd_inactive_users
+      register: discovered_passwd_inactive_users
    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users"
      when:
        - ubtu24cis_disruption_high
-        - ubtu24cis_passwd_inactive_users.stdout | length > 0
+        - discovered_passwd_inactive_users.stdout | length > 0
        - (item != 'root') and (not ubtu24cis_uses_root)
-      ansible.builtin.shell: chage --inactive {{ ubtu24cis_pass.inactive }} {{ item }}
+      ansible.builtin.command: chage --inactive {{ ubtu24cis_pass_inactive }} {{ item }}
      changed_when: true
      failed_when: false
      with_items:
-        - "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(ubtu24cis_passwd_inactive_users.stdout_lines) | list }}"
+        - "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}"
 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
  when:
@ -177,32 +177,33 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_current_time
+      register: discovered_current_time
    - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future"
-      ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu24cis_current_time.stdout }})print$1}'"
+      ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'"
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_passwd_future_user_list
+      register: discovered_passwd_future_user_list
    - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users"
-      when: ubtu24cis_passwd_future_user_list.stdout | length > 0
+      when: discovered_passwd_future_user_list.stdout | length > 0
      ansible.builtin.debug:
        msg:
          - "WARNING!! The following accounts have the last PW change date in the future"
-          - "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}"
+          - "{{ discovered_passwd_future_user_list.stdout_lines }}"
    - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count"
-      when: ubtu24cis_passwd_future_user_list.stdout | length > 0
+      when: discovered_passwd_future_user_list.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml
    - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"
      when:
        - ubtu24cis_disruption_high
-        - ubtu24cis_passwd_future_user_list.stdout | length > 0
+        - discovered_passwd_future_user_list.stdout | length > 0
-      ansible.builtin.shell: passwd --expire {{ item }}
+      ansible.builtin.command: passwd --expire {{ item }}
      changed_when: true
      failed_when: false
      with_items:
-        - "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}"
+        - "{{ discovered_passwd_future_user_list.stdout_lines }}"
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -17,7 +17,7 @@
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
-  ansible.builtin.shell: passwd -l {{ item }}
+  ansible.builtin.command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -41,9 +41,9 @@
  block:
    - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0"
      ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'"
      register: discovered_gid0_members
      changed_when: false
      failed_when: discovered_gid0_members.rc not in [ 0, 1 ]
      register: discovered_gid0_members
    - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0"
      when:
@ -51,7 +51,7 @@
        - discovered_gid0_members.stdout | length > 0
      ansible.builtin.user:
        name: "{{ item }}"
-        gid: 0
+        group: 0
        state: absent
      loop:
        - discovered_gid0_members.stdout_lines
@ -174,7 +174,7 @@
            state: directory
            owner: root
            group: root
-            mode: '0755'
+            mode: 'go-w'
            follow: false
          loop: "{{ discovered_root_path_perms.results }}"
          loop_control:
@ -196,6 +196,7 @@
    regexp: \s*umask
    line: "umask {{ ubtu24cis_root_umask }}"
    create: true
    mode: 'u+x,go-rwx'
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
  when:
--- a/tasks/section_5/cis_5.4.3.x.yml
+++ b/tasks/section_5/cis_5.4.3.x.yml
@ -34,7 +34,7 @@
    state: "{{ item.state }}"
    marker: "# {mark} - CIS benchmark - Ansible-lockdown"
    create: true
-    mode: '0644'
+    mode: 'go-r'
    block: |
      TMOUT={{ ubtu24cis_shell_session_timeout }}
      readonly TMOUT
--- a/tasks/section_6/cis_6.1.1.x.yml
+++ b/tasks/section_6/cis_6.1.1.x.yml
@ -35,31 +35,31 @@
    - name: "6.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
      ansible.builtin.file:
        path: /usr/lib/tmpfiles.d/systemd.conf
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
      ansible.builtin.stat:
        path: /etc/tmpfiles.d/systemd.conf
-      register: tmpfile_override
+      register: discovered_journald_tmpfile_override
    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
-      when: tmpfile_override.stat.exists
+      when: discovered_journald_tmpfile_override.stat.exists
      ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
      register: journald_fileperms_override
      changed_when: false
-      failed_when: journald_fileperms_override.rc not in [ 0, 1 ]
+      failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ]
      register: discovered_journald_fileperms_override
    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
-        - tmpfile_override.stat.exists
+        - discovered_journald_tmpfile_override.stat.exists
-        - journald_fileperms_override.stdout | length > 0
+        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"
    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
-        - tmpfile_override.stat.exists
+        - discovered_journald_tmpfile_override.stat.exists
-        - journald_fileperms_override.stdout | length > 0
+        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      vars:
@ -85,7 +85,7 @@
        dest: /etc/systemd/journald.conf.d/rotation.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
      ansible.builtin.replace:
--- a/tasks/section_6/cis_6.1.2.x.yml
+++ b/tasks/section_6/cis_6.1.2.x.yml
@ -96,7 +96,7 @@
        dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
      ansible.builtin.replace:
@ -121,7 +121,7 @@
        dest: /etc/systemd/journald.conf.d/storage.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.1.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
      ansible.builtin.replace:
@ -146,7 +146,7 @@
        dest: /etc/systemd/journald.conf.d/storage.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.1.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
      ansible.builtin.replace:
--- a/tasks/section_6/cis_6.1.3.8.yml
+++ b/tasks/section_6/cis_6.1.3.8.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
-  when:
+  when: ubtu24cis_rule_6_1_3_8
    - ubtu24cis_rule_6_1_3_8
  tags:
    - level1-server
    - level1-workstation
@ -15,14 +14,14 @@
    - name: "6.1.3.8 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
      ansible.builtin.find:
        paths: /etc/logrotate.d/
-      register: ubtu24cis_log_rotate_conf
+      register: discovered_log_rotate_conf
    - name: "6.1.3.8 | PATCH | Ensure logrotate is configured | conf files"
      ansible.builtin.replace:
        path: "{{ item.path }}"
        regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
        replace: "\\1{{ ubtu24cis_logrotate }}"
-      loop: "{{ ubtu24cis_log_rotate_conf.files }}"
+      loop: "{{ discovered_log_rotate_conf.files }}"
    - name: "6.1.3.8 | PATCH | Ensure logrotate is configured | logrotate.conf"
      ansible.builtin.replace:
--- a/tasks/section_6/cis_6.1.3.x.yml
+++ b/tasks/section_6/cis_6.1.3.x.yml
@ -20,8 +20,7 @@
    state: present
 - name: "6.1.3.2 | PATCH | Ensure rsyslog service is enabled"
-  when:
+  when: ubtu24cis_rule_6_1_3_2
    - ubtu24cis_rule_6_1_3_2
  tags:
    - level1-server
    - level1-workstation
@ -37,8 +36,7 @@
    enabled: true
 - name: "6.1.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
-  when:
+  when: ubtu24cis_rule_6_1_3_3
    - ubtu24cis_rule_6_1_3_3
  tags:
    - level1-server
    - level1-workstation
@ -58,8 +56,7 @@
  notify: Restart syslog service
 - name: "6.1.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
-  when:
+  when: ubtu24cis_rule_6_1_3_4
    - ubtu24cis_rule_6_1_3_4
  tags:
    - level1-server
    - level1-workstation
@ -77,8 +74,7 @@
  notify: Restart syslog service
 - name: "6.1.3.5 | PATCH | Ensure logging is configured"
-  when:
+  when: ubtu24cis_rule_6_1_3_5
    - ubtu24cis_rule_6_1_3_5
  tags:
    - level1-server
    - level1-workstation
@ -97,21 +93,21 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_6_1_3_5_rsyslog_config_path
+      register: discovered_rsyslog_config_path
    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config"
-      ansible.builtin.shell: "cat {{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}"
+      ansible.builtin.command: "cat {{ discovered_rsyslog_config_path.stdout }}"
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_6_1_3_5_rsyslog_config
+      register: discovered_rsyslog_config
    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Message out config"
      when: not ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.debug:
        msg:
          - "Warning!! Below is the current logging configurations for rsyslog, please review"
-          - "{{ ubtu24cis_6_1_3_5_rsyslog_config.stdout_lines }}"
+          - "{{ discovered_rsyslog_config.stdout_lines }}"
    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Set warning count"
      when: not ubtu24cis_rsyslog_ansible_managed
@ -121,7 +117,7 @@
    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration"
      when: ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.lineinfile:
-        path: "{{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}"
+        path: "{{ discovered_rsyslog_config_path.stdout }}"
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        insertafter: "{{ item.insertafter }}"
@ -164,8 +160,7 @@
    insertafter: EOF
 - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
-  when:
+  when: ubtu24cis_rule_6_1_3_7
    - ubtu24cis_rule_6_1_3_7
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.1.4.1.yml
+++ b/tasks/section_6/cis_6.1.4.1.yml
@ -26,7 +26,7 @@
        - item != "/var/log/lastlog"
      ansible.builtin.file:
        path: "{{ item }}"
-        mode: u-x,g-wx,o-rwx
+        mode: 'u-x,g-wx,o-rwx'
      loop: "{{ discovered_logfiles.stdout_lines }}"
    - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@ -20,8 +20,7 @@
    state: present
 - name: "6.2.1.2 | PATCH | Ensure auditd service is enabled and active"
-  when:
+  when: ubtu24cis_rule_6_2_1_2
    - ubtu24cis_rule_6_2_1_2
  tags:
    - level2-server
    - level2-workstation
@ -38,8 +37,7 @@
    masked: false
 - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
-  when:
+  when: ubtu24cis_rule_6_2_1_3
    - ubtu24cis_rule_6_2_1_3
  tags:
    - level2-server
    - level2-workstation
@ -55,18 +53,18 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_6_2_1_3_cmdline_settings
+      register: discovered_grub_cmdline_settings
    - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist"
-      when: "'audit=' not in ubtu24cis_6_2_1_3_cmdline_settings.stdout"
+      when: "'audit=' not in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX='
-        line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_3_cmdline_settings.stdout }} audit=1"'
+        line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"'
      notify: Grub update
    - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists"
-      when: "'audit=' in ubtu24cis_6_2_1_3_cmdline_settings.stdout"
+      when: "'audit=' in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.replace:
        dest: /etc/default/grub
        regexp: 'audit=([0-9]+)'
@ -76,8 +74,7 @@
      notify: Grub update
 - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
-  when:
+  when: ubtu24cis_rule_6_2_1_4
    - ubtu24cis_rule_6_2_1_4
  tags:
    - level2-server
    - level2-workstation
@ -93,14 +90,14 @@
      changed_when: false
      failed_when: false
      check_mode: false
-      register: ubtu24cis_6_2_1_4_cmdline_settings
+      register: discovered_audit_backlog_grub_cmdline_settings
    - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist"
-      when: "'audit_backlog_limit=' not in ubtu24cis_6_2_1_4_cmdline_settings.stdout"
+      when: "'audit_backlog_limit=' not in discovered_audit_backlog_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX='
-        line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
+        line: 'GRUB_CMDLINE_LINUX="{{ discovered_audit_backlog_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
      notify: Grub update
    - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists"
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.2.2.1 | PATCH | Ensure audit log storage size is configured"
-  when:
+  when: ubtu24cis_rule_6_2_2_1
    - ubtu24cis_rule_6_2_2_1
  tags:
    - level2-server
    - level2-workstation
@ -18,8 +17,7 @@
  notify: Restart auditd
 - name: "6.2.2.2 | PATCH | Ensure audit logs are not automatically deleted"
-  when:
+  when: ubtu24cis_rule_6_2_2_2
    - ubtu24cis_rule_6_2_2_2
  tags:
    - level2-server
    - level2-workstation
@ -34,8 +32,7 @@
  notify: Restart auditd
 - name: "6.2.2.3 | PATCH | Ensure system is disabled when audit logs are full"
-  when:
+  when: ubtu24cis_rule_6_2_2_3
    - ubtu24cis_rule_6_2_2_3
  tags:
    - level2-server
    - level2-workstation
@ -53,8 +50,7 @@
  notify: Restart auditd
 - name: "6.2.2.4 | PATCH | Ensure system warns when audit logs are low on space"
-  when:
+  when: ubtu24cis_rule_6_2_2_4
    - ubtu24cis_rule_6_2_2_4
  tags:
    - level2-server
    - level2-workstation
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.2.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_1
    - ubtu24cis_rule_6_2_3_1
  tags:
    - level2-server
    - level2-workstation
@ -14,8 +13,7 @@
    update_audit_template: true
 - name: "6.2.3.2 | PATCH | Ensure actions as another user are always logged"
-  when:
+  when: ubtu24cis_rule_6_2_3_2
    - ubtu24cis_rule_6_2_3_2
  tags:
    - level2-server
    - level2-workstation
@ -27,8 +25,7 @@
    update_audit_template: true
 - name: "6.2.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_3
    - ubtu24cis_rule_6_2_3_3
  tags:
    - level2-server
    - level2-workstation
@ -40,8 +37,7 @@
    update_audit_template: true
 - name: "6.2.3.4 | PATCH | Ensure events that modify date and time information are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_4
    - ubtu24cis_rule_6_2_3_4
  tags:
    - level2-server
    - level2-workstation
@ -54,8 +50,7 @@
    update_audit_template: true
 - name: "6.2.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_5
    - ubtu24cis_rule_6_2_3_5
  tags:
    - level2-server
    - level2-workstation
@ -68,8 +63,7 @@
    update_audit_template: true
 - name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_6
    - ubtu24cis_rule_6_2_3_6
  tags:
    - level2-server
    - level2-workstation
@ -80,17 +74,16 @@
  block:
    - name: "6.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
      ansible.builtin.shell: for i in  $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
      register: priv_procs
      changed_when: false
      check_mode: false
      register: discovered_privilege_processes
    - name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules"
      ansible.builtin.set_fact:
        update_audit_template: true
 - name: "6.2.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_7
    - ubtu24cis_rule_6_2_3_7
  tags:
    - level2-server
    - level2-workstation
@ -102,8 +95,7 @@
    update_audit_template: true
 - name: "6.2.3.8 | PATCH | Ensure events that modify user/group information are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_8
    - ubtu24cis_rule_6_2_3_8
  tags:
    - level2-server
    - level2-workstation
@ -115,8 +107,7 @@
    update_audit_template: true
 - name: "6.2.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_9
    - ubtu24cis_rule_6_2_3_9
  tags:
    - level2-server
    - level2-workstation
@ -129,8 +120,7 @@
    update_audit_template: true
 - name: "6.2.3.10 | PATCH | Ensure successful file system mounts are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_10
    - ubtu24cis_rule_6_2_3_10
  tags:
    - level2-server
    - level2-workstation
@ -142,8 +132,7 @@
    update_audit_template: true
 - name: "6.2.3.11 | PATCH | Ensure session initiation information is collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_11
    - ubtu24cis_rule_6_2_3_11
  tags:
    - level2-server
    - level2-workstation
@ -155,8 +144,7 @@
    update_audit_template: true
 - name: "6.2.3.12 | PATCH | Ensure login and logout events are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_12
    - ubtu24cis_rule_6_2_3_12
  tags:
    - level2-server
    - level2-workstation
@ -168,8 +156,7 @@
    update_audit_template: true
 - name: "6.2.3.13 | PATCH | Ensure file deletion events by users are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_13
    - ubtu24cis_rule_6_2_3_13
  tags:
    - level2-server
    - level2-workstation
@ -182,8 +169,7 @@
    update_audit_template: true
 - name: "6.2.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_14
    - ubtu24cis_rule_6_2_3_14
  tags:
    - level2-server
    - level2-workstation
@ -196,8 +182,7 @@
    update_audit_template: true
 - name: "6.2.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
-  when:
+  when: ubtu24cis_rule_6_2_3_15
    - ubtu24cis_rule_6_2_3_15
  tags:
    - level2-server
    - level2-workstation
@ -211,8 +196,7 @@
    update_audit_template: true
 - name: "6.2.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
-  when:
+  when: ubtu24cis_rule_6_2_3_16
    - ubtu24cis_rule_6_2_3_16
  tags:
    - level2-server
    - level2-workstation
@ -226,8 +210,7 @@
    update_audit_template: true
 - name: "6.2.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
-  when:
+  when: ubtu24cis_rule_6_2_3_17
    - ubtu24cis_rule_6_2_3_17
  tags:
    - level2-server
    - level2-workstation
@ -241,8 +224,7 @@
    update_audit_template: true
 - name: "6.2.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
-  when:
+  when: ubtu24cis_rule_6_2_3_18
    - ubtu24cis_rule_6_2_3_18
  tags:
    - level2-server
    - level2-workstation
@ -256,8 +238,7 @@
    update_audit_template: true
 - name: "6.2.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
-  when:
+  when: ubtu24cis_rule_6_2_3_19
    - ubtu24cis_rule_6_2_3_19
  tags:
    - level2-server
    - level2-workstation
@ -270,8 +251,7 @@
    update_audit_template: true
 - name: "6.2.3.20 | PATCH | Ensure the audit configuration is immutable"
-  when:
+  when: ubtu24cis_rule_6_2_3_20
    - ubtu24cis_rule_6_2_3_20
  tags:
    - level2-server
    - level2-workstation
@ -286,8 +266,7 @@
    update_audit_template: true
 - name: "6.2.3.21 | PATCH | Ensure the running and on disk configuration is the same"
-  when:
+  when: ubtu24cis_rule_6_2_3_21
    - ubtu24cis_rule_6_2_3_21
  tags:
    - level2-server
    - level2-workstation
@ -296,6 +275,5 @@
    - rule_6.2.3.21
    - NIST800-53R5_AU-3
    - auditd
-  ansible.builtin.shell: augenrules --check
+  ansible.builtin.command: augenrules --check
  changed_when: false
  register: ubtu24cis_rule_6_2_3_21_augen_check
--- a/tasks/section_6/cis_6.2.4.x.yml
+++ b/tasks/section_6/cis_6.2.4.x.yml
@ -24,8 +24,7 @@
    mode: 'u-x,g-wx,o-rwx'
 - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_4
    - ubtu24cis_rule_6_2_4_4
  tags:
    - level1-server
    - level1-workstation
@ -37,17 +36,16 @@
    - name: "6.2.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions"
      ansible.builtin.stat:
        path: "{{ prelim_auditd_logfile.stdout | dirname }}"
-      register: auditlog_dir
+      register: discovered_auditlog_dir
    - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions"
      ansible.builtin.file:
-        path: "{{ auditlog_dir.stat.path }}"
+        path: "{{ discovered_auditlog_dir.stat.path }}"
        state: directory
        mode: 'g-w,o-rwx'
 - name: "6.2.4.5 | PATCH | Ensure audit configuration files mode is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_5
    - ubtu24cis_rule_6_2_4_5
  tags:
    - level1-server
    - level1-workstation
@ -63,8 +61,7 @@
    label: "{{ item.path }}"
 - name: "6.2.4.6 | PATCH | Ensure audit configuration files owner is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_6
    - ubtu24cis_rule_6_2_4_6
  tags:
    - level1-server
    - level1-workstation
@ -97,8 +94,7 @@
    label: "{{ item.path }}"
 - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_8
    - ubtu24cis_rule_6_2_4_8
  tags:
    - level1-server
    - level1-workstation
@ -106,31 +102,13 @@
    - auditd
    - rule_6.2.4.8
    - NIST800-53R5_AU-3
-  block:
+  ansible.builtin.file:
-    - name: "6.2.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode"
+    path: "{{ item }}"
-      ansible.builtin.stat:
+    mode: 'u+x,g-w,o-rwx'
-        path: "{{ item }}"
+  loop: "{{ audit_bins }}"
      register: "audit_bins"
      loop:
        - /sbin/auditctl
        - /sbin/aureport
        - /sbin/ausearch
        - /sbin/autrace
        - /sbin/auditd
        - /sbin/augenrules
    - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured | set if required"
      when: not item.stat.mode is match('07(0|5)0')
      ansible.builtin.file:
        path: "{{ item.item }}"
        mode: '0750'
      loop: "{{ audit_bins.results }}"
      loop_control:
        label: "{{ item.item }}"
 - name: "6.2.4.9 | PATCH | Ensure audit tools owner is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_9
    - ubtu24cis_rule_6_2_4_9
  tags:
    - level1-server
    - level1-workstation
@ -142,17 +120,10 @@
    path: "{{ item }}"
    owner: root
    group: root
-  loop:
+  loop: "{{ audit_bins }}"
    - /sbin/auditctl
    - /sbin/aureport
    - /sbin/ausearch
    - /sbin/autrace
    - /sbin/auditd
    - /sbin/augenrules
 - name: "6.2.4.10 | PATCH | Ensure audit tools group owner is configured"
-  when:
+  when: ubtu24cis_rule_6_2_4_10
    - ubtu24cis_rule_6_2_4_10
  tags:
    - level1-server
    - level1-workstation
@ -163,10 +134,4 @@
  ansible.builtin.file:
    path: "{{ item }}"
    group: root
-  loop:
+  loop: "{{ audit_bins }}"
    - /sbin/auditctl
    - /sbin/aureport
    - /sbin/ausearch
    - /sbin/autrace
    - /sbin/auditd
    - /sbin/augenrules
--- a/tasks/section_6/cis_6.3.x.yml
+++ b/tasks/section_6/cis_6.3.x.yml
@ -9,7 +9,6 @@
    - level1-workstation
    - patch
    - rule_6.3.1
    - NIST800-53R5_AU-2
    - aide
  block:
    - name: "6.3.1 | PATCH | Ensure AIDE is installed"
@ -20,22 +19,46 @@
        name: ['aide', 'aide-common']
        state: present
        update_cache: true
-      register: ubtu24cis_rule_6_3_1_aide_added
+      register: discovered_aide_pkgs_added
    - name: "6.3.1 | PATCH | Ensure AIDE is installed | Recapture packages"
-      when: ubtu24cis_rule_6_3_1_aide_added.skipped is not defined
+      when: discovered_aide_pkgs_added.skipped is not defined
      ansible.builtin.package_facts:
        manager: auto
    - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check file exists"
      ansible.builtin.stat:
        path: "{{ ubtu24cis_aide_db_file }}"
      register: discovered_aide_db_file
    - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check current db file age"
      when: discovered_aide_db_file.stat.exists
      ansible.builtin.find:
        path: "{{ ubtu24cis_aide_db_file | dirname }}"
        pattern: "{{ ubtu24cis_aide_db_file | basename }}"
        age: "{{ ubtu24cis_aide_db_file_age }}"
      register: discovered_aide_db_age
    - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
-      ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+      when:
-      args:
+        - not ansible_check_mode
-        creates: /var/lib/aide/aide.db
+        - not discovered_aide_db_file.stat.exists or
-      changed_when: false
+          (discovered_aide_db_age.files | length > 0) or
-      failed_when: false
+          ubtu24cis_aide_db_recreate
-      async: "{{ ubtu24cis_aide_init.async }}"
+      block:
-      poll: "{{ ubtu24cis_aide_init.poll }}"
+        - name: "6.3.1 | PATCH | Ensure AIDE is installed | Remove current db file"
-      when: not ansible_check_mode
+          ansible.builtin.file:
            path: "{{ ubtu24cis_aide_db_file }}"
            state: absent
        - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
          when:
            - not ansible_check_mode
          ansible.builtin.shell: "{{ aide_initiate_command }}"
          args:
            creates: "{{ ubtu24cis_aide_db_file }}"
          async: "{{ ubtu24cis_aide_init_async }}"
          poll: "{{ ubtu24cis_aide_init_poll }}"
 - name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  when:
@ -54,14 +77,14 @@
      when: ubtu24cis_aide_scan == 'cron'
      ansible.builtin.cron:
        name: Run AIDE integrity check
-        cron_file: "{{ ubtu24cis_aide_cron['cron_file'] }}"
+        cron_file: "{{ ubtu24cis_aide_cron_file }}"
-        user: "{{ ubtu24cis_aide_cron['cron_user'] }}"
+        user: "{{ ubtu24cis_aide_cron_user }}"
-        minute: "{{ ubtu24cis_aide_cron['aide_minute'] | default('0') }}"
+        minute: "{{ ubtu24cis_aide_cron_minute | default('0') }}"
-        hour: "{{ ubtu24cis_aide_cron['aide_hour'] | default('5') }}"
+        hour: "{{ ubtu24cis_aide_cron_hour | default('5') }}"
-        day: "{{ ubtu24cis_aide_cron['aide_day'] | default('*') }}"
+        day: "{{ ubtu24cis_aide_cron_day | default('*') }}"
-        month: "{{ ubtu24cis_aide_cron['aide_month'] | default('*') }}"
+        month: "{{ ubtu24cis_aide_cron_month | default('*') }}"
-        weekday: "{{ ubtu24cis_aide_cron['aide_weekday'] | default('*') }}"
+        weekday: "{{ ubtu24cis_aide_cron_weekday | default('*') }}"
-        job: "{{ ubtu24cis_aide_cron['aide_job'] }}"
+        job: "{{ ubtu24cis_aide_cron_job }}"
    - name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template"
      when: ubtu24cis_aide_scan == 'timer'
@ -70,7 +93,7 @@
        dest: "/{{ item }}"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-r'
      loop:
        - etc/systemd/system/aidecheck.service
        - etc/systemd/system/aidecheck.timer
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
-  when:
+  when: ubtu24cis_rule_7_1_1
    - ubtu24cis_rule_7_1_1
  tags:
    - level1-server
    - level1-workstation
@ -18,8 +17,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
-  when:
+  when: ubtu24cis_rule_7_1_2
    - ubtu24cis_rule_7_1_2
  tags:
    - level1-server
    - level1-workstation
@ -35,8 +33,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
-  when:
+  when: ubtu24cis_rule_7_1_3
    - ubtu24cis_rule_7_1_3
  tags:
    - level1-server
    - level1-workstation
@ -52,8 +49,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
-  when:
+  when: ubtu24cis_rule_7_1_4
    - ubtu24cis_rule_7_1_4
  tags:
    - level1-server
    - level1-workstation
@ -86,8 +82,7 @@
    mode: 'u-x,g-wx,o-rwx'
 - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
-  when:
+  when: ubtu24cis_rule_7_1_6
    - ubtu24cis_rule_7_1_6
  tags:
    - level1-server
    - level1-workstation
@ -103,8 +98,7 @@
    mode: 'u-x,g-wx,o-rwx'
 - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
-  when:
+  when: ubtu24cis_rule_7_1_7
    - ubtu24cis_rule_7_1_7
  tags:
    - level1-server
    - level1-workstation
@ -120,8 +114,7 @@
    mode: 'u-x,g-wx,o-rwx'
 - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
-  when:
+  when: ubtu24cis_rule_7_1_8
    - ubtu24cis_rule_7_1_8
  tags:
    - level1-server
    - level1-workstation
@ -137,8 +130,7 @@
    mode: 'u-x,g-wx,o-rwx'
 - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
-  when:
+  when: ubtu24cis_rule_7_1_9
    - ubtu24cis_rule_7_1_9
  tags:
    - level1-server
    - level1-workstation
@ -154,11 +146,7 @@
    mode: 'u-x,go-wx'
 - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
-  loop:
+  when: ubtu24cis_rule_7_1_10
    - /etc/security/opasswd
    - /etc/security/opasswd.old
  when:
    - ubtu24cis_rule_7_1_10
  tags:
    - level1-server
    - level1-workstation
@ -168,14 +156,18 @@
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
-    path: /etc/security/opasswd
+    path: "{{ item }}"
    owner: root
    group: root
    mode: 'u-x,go-rwx'
  failed_when: discovered_file_exists.state not in '[ file, absent ]'
  register: discovered_file_exists
  loop:
    - /etc/security/opasswd
    - /etc/security/opasswd.old
 - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
-  when:
+  when: ubtu24cis_rule_7_1_11
    - ubtu24cis_rule_7_1_11
  tags:
    - level1-server
    - level1-workstation
@ -190,17 +182,17 @@
      ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
      failed_when: false
      changed_when: false
-      register: ubtu24cis_worldwriteable
+      register: discovered_worldwriteable_files
    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
      when:
        - discovered_worldwriteable_files.stdout_lines is defined
        - ubtu24cis_no_world_write_adjust
      ansible.builtin.file:
        path: '{{ item }}'
-        mode: o-w
+        mode: 'o-w'
        state: touch
-      loop: "{{ ubtu24cis_worldwriteable.stdout_lines }}"
+      loop: "{{ discovered_worldwriteable_files.stdout_lines }}"
      when:
        - ubtu24cis_worldwriteable.stdout_lines is defined
        - ubtu24cis_no_world_write_adjust
    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories"
      ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -208,8 +200,7 @@
      failed_when: false
 - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
-  when:
+  when: ubtu24cis_rule_7_1_12
    - ubtu24cis_rule_7_1_12
  tags:
    - level1-server
    - level1-workstation
@ -222,7 +213,7 @@
    warn_control_id: '7.1.12'
  block:
    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-      ansible.builtin.shell: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
+      ansible.builtin.command: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
@ -265,8 +256,7 @@
        file: warning_facts.yml
 - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
-  when:
+  when: ubtu24cis_rule_7_1_13
    - ubtu24cis_rule_7_1_13
  tags:
    - level1-server
    - level1-workstation
@ -284,7 +274,7 @@
    warn_control_id: '7.1.13'
  block:
    - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
-      ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
+      ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
--- a/tasks/section_7/cis_7.2.x.yml
+++ b/tasks/section_7/cis_7.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
-  when:
+  when: ubtu24cis_rule_7_2_1
    - ubtu24cis_rule_7_2_1
  tags:
    - level1-server
    - level1-workstation
@ -32,8 +31,7 @@
        file: warning_facts.yml
 - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
-  when:
+  when: ubtu24cis_rule_7_2_2
    - ubtu24cis_rule_7_2_2
  tags:
    - level1-server
    - level1-workstation
@ -58,8 +56,7 @@
        - "{{ discovered_empty_password_acct.stdout_lines }}"
 - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
-  when:
+  when: ubtu24cis_rule_7_2_3
    - ubtu24cis_rule_7_2_3
  tags:
    - level1-server
    - level1-workstation
@ -84,7 +81,7 @@
    - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
      when: discovered_passwd_gid_check.stdout | length > 0
      ansible.builtin.debug:
-        msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}"
+        msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
    - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
      when: discovered_passwd_gid_check.stdout | length > 0
@ -92,8 +89,7 @@
        file: warning_facts.yml
 - name: "7.2.4 | PATCH | Ensure shadow group is empty"
-  when:
+  when: ubtu24cis_rule_7_2_4
    - ubtu24cis_rule_7_2_4
  tags:
    - level1-server
    - level1-workstation
@ -111,18 +107,17 @@
        key: shadow
    - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
      when: ansible_facts.getent_group.shadow[2] | length > 0
      ansible.builtin.debug:
        msg: "Warning!! - You have users in the shadow group"
      when: ansible_facts.getent_group.shadow[2] | length > 0
    - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
      when: ansible_facts.getent_group.shadow[2] | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      when: ansible_facts.getent_group.shadow[2] | length > 0
 - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist"
-  when:
+  when: ubtu24cis_rule_7_2_5
    - ubtu24cis_rule_7_2_5
  tags:
    - level1-server
    - level1-workstation
@ -155,8 +150,7 @@
        file: warning_facts.yml
 - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist"
-  when:
+  when: ubtu24cis_rule_7_2_6
    - ubtu24cis_rule_7_2_6
  tags:
    - level1-server
    - level1-workstation
@ -189,10 +183,7 @@
        file: warning_facts.yml
 - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist"
-  vars:
+  when: ubtu24cis_rule_7_2_7
    warn_control_id: '7.2.67'
  when:
    - ubtu24cis_rule_7_2_7
  tags:
    - level1-server
    - level1-workstation
@ -204,6 +195,8 @@
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
    - user
  vars:
    warn_control_id: '7.2.67'
  block:
    - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
@ -223,8 +216,7 @@
        file: warning_facts.yml
 - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist"
-  when:
+  when: ubtu24cis_rule_7_2_8
    - ubtu24cis_rule_7_2_8
  tags:
    - level1-server
    - level1-workstation
@ -257,8 +249,7 @@
        file: warning_facts.yml
 - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured"
-  when:
+  when: ubtu24cis_rule_7_2_9
    - ubtu24cis_rule_7_2_9
  tags:
    - level1-server
    - level1-workstation
@ -273,7 +264,8 @@
        state: directory
        owner: "{{ item.id }}"
        group: "{{ item.gid }}"
-      loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
+        mode: 'g-w,o-rwx'
      loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
      loop_control:
        label: "{{ item.id }}"
@ -344,5 +336,5 @@
        - ubtu24cis_dotperm_ansiblemanaged
      ansible.builtin.file:
        path: '{{ item }}'
-        mode: go-w
+        mode: 'go-w'
      with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
--- a/tasks/warning_facts.yml
+++ b/tasks/warning_facts.yml
@ -1,5 +1,4 @@
 ---
 # This task is used to create variables used in giving a warning summary for manual tasks
 # that need attention
 #
@ -14,7 +13,7 @@
 #
 # warn_count is the main variable for the number of warnings and each time a warn_control_id is added
 # the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
+- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
  ansible.builtin.set_fact:
    warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
    warn_count: "{{ warn_count | int + 1 }}"
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -653,10 +653,10 @@ ubtu24cis_is_syslog_server: {{ ubtu24cis_system_is_log_server }}
 # Note the following to understand precedence and layout
 ubtu24cis_sshd_access:
-  - AllowUser {{ ubtu24cis_sshd.allow_users }}
+  - AllowUser {{ ubtu24cis_sshd_allow_users }}
-  - AllowGroup {{ ubtu24cis_sshd.allow_groups }}
+  - AllowGroup {{ ubtu24cis_sshd_allow_groups }}
-  - DenyUser {{ ubtu24cis_sshd.deny_users }}
+  - DenyUser {{ ubtu24cis_sshd_deny_users }}
-  - DenyGroup {{ ubtu24cis_sshd.deny_groups }}
+  - DenyGroup {{ ubtu24cis_sshd_deny_groups }}
 ubtu24cis_ssh_strong_ciphers:
  - aes256-gcm@openssh.com
@ -721,14 +721,13 @@ ubtu24cis_pam_passwd_retry: "3"
 # logins.def password settings
 ubtu24cis_pass:
-  max_days: {{ ubtu24cis_pass.max_days }}
+  max_days: {{ ubtu24cis_pass_max_days }}
-  min_days: {{ ubtu24cis_pass.min_days }}
+  min_days: {{ ubtu24cis_pass_min_days }}
-  warn_age: {{ ubtu24cis_pass.warn_age }}
+  warn_age: {{ ubtu24cis_pass_warn_age }}
 # set sugroup if differs from wheel
 ubtu24cis_sugroup: nosugroup
 # var log location variable
 ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -34,8 +34,8 @@
 -w /etc/netplan -p wa -k system-locale
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_6 %}
-{% if priv_procs is defined %}
+{% if discovered_privilege_processes is defined %}
-{% for proc in priv_procs.stdout_lines -%}
+{% for proc in discovered_privilege_processes.stdout_lines -%}
 -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged
 {% endfor %}
 {% endif %}
--- a/templates/etc/systemd/system/aidecheck.timer.j2
+++ b/templates/etc/systemd/system/aidecheck.timer.j2
@ -2,7 +2,7 @@
 Description=Aide check
 [Timer]
-OnCalendar={{ ubtu24cis_aide_cron.aide_day }}-{{ ubtu24cis_aide_cron.aide_month }}-{{ ubtu24cis_aide_cron.aide_weekday }} {{ ubtu24cis_aide_cron.aide_hour }}:{{ ubtu24cis_aide_cron.aide_minute }}:00
+OnCalendar={{ ubtu24cis_aide_cron_aide_day }}-{{ ubtu24cis_aide_cron_aide_month }}-{{ ubtu24cis_aide_cron_aide_weekday }} {{ ubtu24cis_aide_cron_aide_hour }}:{{ ubtu24cis_aide_cron_aide_minute }}:00
 Unit=aidecheck.service
 [Install]
--- a/templates/fs_with_cves.sh.j2
+++ b/templates/fs_with_cves.sh.j2
@ -1,5 +1,4 @@
-#!/usr/bin/env bash
+{% raw %}#!/usr/bin/env bash
 {% raw %}
 # Based on original Script provided by CIS
 # CVEs correct at time of creation - April2024
--- a/vars/audit.yml
+++ b/vars/audit.yml
@ -35,7 +35,7 @@ audit_format: json
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
+  The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
-      {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
+  {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
-      Full breakdown can be found in {{ audit_log_dir }}
+  Full breakdown can be found in {{ audit_log_dir }}
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@ -13,63 +13,74 @@ ubtu24cis_firewall_package: None
 ## Related individual rules
 # Aide
-ubtu24cis_rule_1_4_1: false
+ubtu24cis_rule_6_3_1: false
-ubtu24cis_rule_1_4_2: false
+ubtu24cis_rule_6_3_2: false
 # AppArmor
-ubtu24cis_rule_1_6_1: false
+ubtu24cis_rule_1_3_1: false
-ubtu24cis_rule_1_6_2: false
+ubtu24cis_rule_1_3_2: false
-ubtu24cis_rule_1_6_3: false
+ubtu24cis_rule_1_3_3: false
-ubtu24cis_rule_1_6_4: false
+ubtu24cis_rule_1_3_4: false
 # time sync
-ubtu24cis_rule_2_1_1_1: false
+ubtu24cis_rule_2_3_2_1: false
-ubtu24cis_rule_2_2_1_2: false
+ubtu24cis_rule_2_3_2_2: false
 # Auditd
-ubtu24cis_rule_4_1_1_1: false
+ubtu24cis_rule_6_2_1_1: false
-ubtu24cis_rule_4_1_1_2: false
+ubtu24cis_rule_6_2_1_2: false
-ubtu24cis_rule_4_1_1_3: false
+ubtu24cis_rule_6_2_1_3: false
-ubtu24cis_rule_4_1_1_4: false
+ubtu24cis_rule_6_2_1_4: false
-ubtu24cis_rule_4_1_2_1: false
+ubtu24cis_rule_6_2_2_1: false
-ubtu24cis_rule_4_1_2_2: false
+ubtu24cis_rule_6_2_2_2: false
-ubtu24cis_rule_4_1_2_3: false
+ubtu24cis_rule_6_2_2_3: false
 # Auditd rules
-ubtu24cis_rule_4_1_3_1: false
+ubtu24cis_rule_6_2_3_1: false
-ubtu24cis_rule_4_1_3_2: false
+ubtu24cis_rule_6_2_3_2: false
-ubtu24cis_rule_4_1_3_3: false
+ubtu24cis_rule_6_2_3_3: false
-ubtu24cis_rule_4_1_3_4: false
+ubtu24cis_rule_6_2_3_4: false
-ubtu24cis_rule_4_1_3_5: false
+ubtu24cis_rule_6_2_3_5: false
-ubtu24cis_rule_4_1_3_6: false
+ubtu24cis_rule_6_2_3_6: false
-ubtu24cis_rule_4_1_3_7: false
+ubtu24cis_rule_6_2_3_7: false
-ubtu24cis_rule_4_1_3_8: false
+ubtu24cis_rule_6_2_3_8: false
-ubtu24cis_rule_4_1_3_9: false
+ubtu24cis_rule_6_2_3_9: false
-ubtu24cis_rule_4_1_3_10: false
+ubtu24cis_rule_6_2_3_10: false
-ubtu24cis_rule_4_1_3_11: false
+ubtu24cis_rule_6_2_3_11: false
-ubtu24cis_rule_4_1_3_12: false
+ubtu24cis_rule_6_2_3_12: false
-ubtu24cis_rule_4_1_3_13: false
+ubtu24cis_rule_6_2_3_13: false
-ubtu24cis_rule_4_1_3_14: false
+ubtu24cis_rule_6_2_3_14: false
-ubtu24cis_rule_4_1_3_15: false
+ubtu24cis_rule_6_2_3_15: false
-ubtu24cis_rule_4_1_3_16: false
+ubtu24cis_rule_6_2_3_16: false
-ubtu24cis_rule_4_1_3_17: false
+ubtu24cis_rule_6_2_3_17: false
-ubtu24cis_rule_4_1_3_18: false
+ubtu24cis_rule_6_2_3_18: false
-ubtu24cis_rule_4_1_3_19: false
+ubtu24cis_rule_6_2_3_19: false
-ubtu24cis_rule_4_1_3_20: false
+ubtu24cis_rule_6_2_3_20: false
-ubtu24cis_rule_4_1_3_21: false
+ubtu24cis_rule_6_2_3_21: false
 # Auditd file access
-ubtu24cis_rule_4_1_4_1: false
+ubtu24cis_rule_6_2_4_1: false
-ubtu24cis_rule_4_1_4_2: false
+ubtu24cis_rule_6_2_4_2: false
-ubtu24cis_rule_4_1_4_3: false
+ubtu24cis_rule_6_2_4_3: false
-ubtu24cis_rule_4_1_4_4: false
+ubtu24cis_rule_6_2_4_4: false
-ubtu24cis_rule_4_1_4_5: false
+ubtu24cis_rule_6_2_4_5: false
-ubtu24cis_rule_4_1_4_6: false
+ubtu24cis_rule_6_2_4_6: false
-ubtu24cis_rule_4_1_4_7: false
+ubtu24cis_rule_6_2_4_7: false
-ubtu24cis_rule_4_1_4_8: false
+ubtu24cis_rule_6_2_4_8: false
-ubtu24cis_rule_4_1_4_9: false
+ubtu24cis_rule_6_2_4_9: false
-ubtu24cis_rule_4_1_4_10: false
+ubtu24cis_rule_6_2_4_10: false
-ubtu24cis_rule_4_1_4_11: false
+ubtu24cis_rule_6_2_4_11: false
 # cron
 ubtu24cis_rule_2_4_1_1: false
 ubtu24cis_rule_2_4_1_2: false
 ubtu24cis_rule_2_4_1_3: false
 ubtu24cis_rule_2_4_1_4: false
 ubtu24cis_rule_2_4_1_5: false
 ubtu24cis_rule_2_4_1_6: false
 ubtu24cis_rule_2_4_1_7: false
 ubtu24cis_rule_2_4_1_8: false
 ubtu24cis_rule_2_4_2_1: false
 # ssh
 ubtu24cis_rule_5_1_1: false
 ubtu24cis_rule_5_1_2: false
 ubtu24cis_rule_5_1_3: false
@ -78,27 +89,17 @@ ubtu24cis_rule_5_1_5: false
 ubtu24cis_rule_5_1_6: false
 ubtu24cis_rule_5_1_7: false
 ubtu24cis_rule_5_1_8: false
-
+ubtu24cis_rule_5_1_9: false
-# ssh
+ubtu24cis_rule_5_1_10: false
-ubtu24cis_rule_5_2_1: false
+ubtu24cis_rule_5_1_11: false
-ubtu24cis_rule_5_2_2: false
+ubtu24cis_rule_5_1_12: false
-ubtu24cis_rule_5_2_3: false
+ubtu24cis_rule_5_1_13: false
-ubtu24cis_rule_5_2_4: false
+ubtu24cis_rule_5_1_14: false
-ubtu24cis_rule_5_2_5: false
+ubtu24cis_rule_5_1_15: false
-ubtu24cis_rule_5_2_6: false
+ubtu24cis_rule_5_1_16: false
-ubtu24cis_rule_5_2_7: false
+ubtu24cis_rule_5_1_17: false
-ubtu24cis_rule_5_2_8: false
+ubtu24cis_rule_5_1_18: false
-ubtu24cis_rule_5_2_9: false
+ubtu24cis_rule_5_1_19: false
-ubtu24cis_rule_5_2_10: false
+ubtu24cis_rule_5_1_20: false
-ubtu24cis_rule_5_2_11: false
+ubtu24cis_rule_5_1_21: false
-ubtu24cis_rule_5_2_12: false
+ubtu24cis_rule_5_1_22: false
 ubtu24cis_rule_5_2_13: false
 ubtu24cis_rule_5_2_14: false
 ubtu24cis_rule_5_2_15: false
 ubtu24cis_rule_5_2_16: false
 ubtu24cis_rule_5_2_17: false
 ubtu24cis_rule_5_2_18: false
 ubtu24cis_rule_5_2_19: false
 ubtu24cis_rule_5_2_20: false
 ubtu24cis_rule_5_2_21: false
 ubtu24cis_rule_5_2_22: false
--- a/vars/main.yml
+++ b/vars/main.yml
@ -12,3 +12,16 @@ system_is_container: false
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
 # Aide initiate command for new DB creation
 aide_initiate_command: aideinit -y -f
 # Audit vars
 audit_bins:
  - /sbin/auditctl
  - /sbin/aureport
  - /sbin/ausearch
  - /sbin/autrace
  - /sbin/auditd
  - /sbin/augenrules