diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 3a19c72b..b43d22b9 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -23,6 +23,7 @@ What controls are being affected by the issue - Ansible Version: [e.g. 2.10] - Host Python Version: [e.g. Python 3.7.6] - Ansible Server Python Version: [e.g. Python 3.7.6] + - Using branch: [e.g. main] - Additional Details: **Additional Notes** diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 6017787b..587ae210 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -4,6 +4,6 @@ ami_os = "rocky8" ami_username = "rocky" ami_user_home = "/home/rocky" instance_tags = { - Name = "RHEL8-STIG" + Name = "RHEL8-CIS" Environment = "lockdown_github_repo_workflow" } diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index d5a0db02..4db9025a 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf @@ -1,11 +1,11 @@ resource "aws_vpc" "Main" { cidr_block = var.main_vpc_cidr - tags = var.instance_tags + tags = var.instance_tags } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Name = "${var.namespace}-IGW" } } diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 38be3edc..4d40f72a 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -3,7 +3,7 @@ // Declared in variables.tf // -namespace = "github_actions" +namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 9ad9240b..29fd6f30 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
@@ -28,7 +28,7 @@ resource "aws_security_group" "github_actions" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } - + ingress { from_port = 80 to_port = 80 @@ -44,7 +44,7 @@ resource "aws_security_group" "github_actions" { } tags = { Name = "${var.namespace}-SG" - } + } } // instance setup @@ -57,16 +57,16 @@ resource "aws_instance" "testing_vm" { tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] root_block_device { - delete_on_termination = true + delete_on_termination = true } } // generate inventory file resource "local_file" "inventory" { - filename = "./hosts.yml" + filename = "./hosts.yml" directory_permission = "0755" file_permission = "0644" - content = < 0 - rhel8cis_rule_1_4_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index ef103cb6..0253e551 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -20,13 +20,12 @@ replace: '' register: selinux_grub_patch ignore_errors: yes - notify: grub2cfg + notify: rhel8cis_grub2cfg when: - rhel8cis_rule_1_6_1_2 tags: - level1-server - level1-workstation - - scored - patch - rule_1.6.1.2 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index ce828b04..71552502 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -7,6 +7,7 @@ when: - rhel8cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" + - not rhel8cis_gui tags: - level2-server - automated @@ -90,7 +91,7 @@ - name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" lineinfile: path: /etc/dconf/db/local.d/00-media-automount - regex: "{{ item.regex }}" + regexp: "{{ item.regex }}" line: "{{ item.line }}" create: yes notify: reload dconf diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 6ae5be8c..599d06d8 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml 
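Review bot: `notify: rhel8cis_grub2cfg` in the cis_1.6.1.x.yml hunk (and the four cis_4.1.1.x.yml hunks further down) requires a handler registered under exactly that name, and no handlers file is touched anywhere in this diff; if the handler was not renamed in an earlier commit, every play that changes /etc/default/grub stops with a "could not find handler" error instead of regenerating grub.cfg. Worth confirming the handler side before merge, or including `handlers/main.yml` in the same change so the rename is atomic. The 1.6.1.2 task starts before this hunk.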
@@ -6,7 +6,7 @@ state: present when: - rhel8cis_rule_2_1_1 - - not rhel8cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation @@ -34,7 +34,7 @@ when: - rhel8cis_time_synchronization == "chrony" - rhel8cis_rule_2_1_2 - - not rhel8cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 3290a58f..8df78aea 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -22,6 +22,7 @@ when: - rhel8cis_rule_2_2_2 - "'xorg-x11-server-common' in ansible_facts.packages" + - not rhel8cis_xwindows_required or not rhel8cis_gui tags: - level1-server - automated diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index f9ad3719..77c20a74 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -60,7 +60,7 @@ - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index e3af1f25..9d147e53 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,6 @@ - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" systemd: name: "{{ item }}" - enabled: false masked: true with_items: - iptables 
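Review bot: The new guard on 2.2.2, `- not rhel8cis_xwindows_required or not rhel8cis_gui`, removes `xorg-x11-server-common` whenever either flag is false, so a host with `rhel8cis_gui: true` that leaves `rhel8cis_xwindows_required` at a false default loses the X server its desktop depends on. If the intent is to keep X when either option asks for it, the condition should be `- not rhel8cis_xwindows_required and not rhel8cis_gui` (equivalently `- not (rhel8cis_xwindows_required or rhel8cis_gui)`). This reading assumes `rhel8cis_xwindows_required` defaults to false, which the diff does not show; the task's tags continue outside the hunk.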
@@ -77,7 +76,17 @@ - rule_3_4_1_4 - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel8cis_default_zone }}" + block: + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + shell: "firewall-cmd --get-default-zone | grep {{ rhel8cis_default_zone }}" + changed_when: false + failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) + register: firewalld_zone_set + + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel8cis_default_zone }}" + when: + - firewalld_zone_set.rc != 0 when: - rhel8cis_firewall == "firewalld" - rhel8cis_rule_3_4_1_5 diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml index fd6502f2..e2afdb5b 100644 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml @@ -16,7 +16,7 @@ out_interface: lo jump: ACCEPT - - name: "3.4.3.2.1 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" + - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 2c1e6aea..34860cfe 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -31,7 +31,6 @@ when: - not rhel8cis_skip_for_travis - rhel8cis_rule_4_1_1_2 - - ansible_connection != 'docker' tags: - level2-server - level2-workstation @@ -54,7 +53,7 @@ path: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' - notify: grub2cfg + notify: rhel8cis_grub2cfg when: "'audit=' in rhel8cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" 
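Review bot: The new audit step `shell: "firewall-cmd --get-default-zone | grep {{ rhel8cis_default_zone }}"` is a substring match, so a current default zone whose name merely contains the configured one (a custom `public-restricted` zone when `rhel8cis_default_zone` is `public`, for example) exits 0 and the zone is never set; `grep -x -- '{{ rhel8cis_default_zone }}'` makes it an exact whole-line comparison. The second task is the one that changes the zone but is still named `"3.4.1.5 | AUDIT | Ensure firewalld default zone is set"`; it should read `PATCH`, matching the task it replaced and the AUDIT/PATCH convention used elsewhere in the role. The block's `tags:` continue past the end of the hunk.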
@@ -62,7 +61,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel8cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' - notify: grub2cfg + notify: rhel8cis_grub2cfg when: "'audit=' not in rhel8cis_4_1_1_3_grub_cmdline_linux.stdout" when: - rhel8cis_rule_4_1_1_3 @@ -89,7 +88,7 @@ path: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel8cis_audit_back_log_limit }}' - notify: grub2cfg + notify: rhel8cis_grub2cfg when: "'audit_backlog_limit=' in rhel8cis_4_1_1_4_grub_cmdline_linux.stdout" - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" @@ -97,7 +96,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel8cis_4_1_1_4_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel8cis_audit_back_log_limit }}"' - notify: grub2cfg + notify: rhel8cis_grub2cfg when: "'audit_backlog_limit=' not in rhel8cis_4_1_1_4_grub_cmdline_linux.stdout" when: - rhel8cis_rule_4_1_1_4 diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 30276211..e32a4ed8 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,10 +1,8 @@ --- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_1 tags: @@ -16,10 +14,8 @@ - rule_4.1.3.1 - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_2 tags: 
@@ -31,10 +27,8 @@ - rule_4.1.3.2 - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_3 tags: @@ -46,10 +40,8 @@ - rule_4.1.3.3 - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_4 tags: @@ -61,10 +53,8 @@ - rule_4.1.3.4 - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_5 tags: @@ -85,9 +75,8 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true + set_fact: + update_audit_template: true notify: update auditd when: - rhel8cis_rule_4_1_3_6 @@ -100,10 +89,8 @@ - rule_4.1.3.6 - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_7 tags: 
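Review bot: In the 4.1.3.6 hunk (`@@ -85,9 +75,8 @@`) the task is switched to `set_fact` but keeps `notify: update auditd`, unlike every sibling task in this file, which drops the notify; `set_fact` never reports a change, so the handler is never triggered from here and the line is dead. Either remove it for consistency with the other 4.1.3.x tasks or, if the post-play template task does not itself load the rules, keep a deliberate `changed_when: true` on one task so `update auditd` still fires — which of the two applies depends on the post task, which is not in this diff.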
@@ -115,10 +102,8 @@ - rule_4.1.3_7 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_8 tags: @@ -130,10 +115,8 @@ - rule_4.1.3.8 - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_9 tags: @@ -145,10 +128,8 @@ - rule_4.1.3.9 - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_10 tags: @@ -160,10 +141,8 @@ - rule_4.1.3.10 - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_11 tags: @@ -175,10 +154,8 @@ - rule_4.1.3.11 - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_12 tags: 
@@ -190,10 +167,8 @@ - rule_4.1.3.12 - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_13 tags: @@ -204,10 +179,8 @@ - rule_4.1.3.13 - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_14 tags: @@ -219,10 +192,8 @@ - rule_4.1.3.14 - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_15 tags: @@ -234,10 +205,8 @@ - rule_4.1.3.15 - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_16 tags: @@ -249,10 +218,8 @@ - rule_4.1.3.16 - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_17 tags: 
@@ -264,10 +231,8 @@ - rule_4.1.3.17 - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_18 tags: @@ -279,10 +244,8 @@ - rule_4.1.3.18 - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_19 tags: @@ -294,10 +257,8 @@ - rule_4.1.3.19 - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel8cis_rule_4_1_3_20 tags: @@ -321,3 +282,10 @@ - patch - auditd - rule_4.1.3.21 + +- name: Auditd | 4.1.3 | Auditd controls updated + debug: + msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" + changed_when: false + when: + - update_audit_template diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 55ab46bf..d00e22d0 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -44,7 +44,7 @@ - patch - rule_4.2.1.3 -- name: "4.2.1.4 | L1 | PATCH | Ensure rsyslog default file permissions configured" +- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' 
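Review bot: The summary task added at the end of cis_4.1.3.x.yml, `when: - update_audit_template`, references a fact that only exists if at least one `rhel8cis_rule_4_1_3_*` task ran, so a play with all of those rules disabled, or run with tags that skip them, fails on this task with an undefined-variable error instead of skipping it; `when: update_audit_template | default(false)` keeps the intent and is safe. The message also names `/etc/auditd/rules.d/99_auditd.rules`, while the standard auditd rules directory is `/etc/audit/rules.d/`; if the post task writes there, the text should match so operators look in the right place.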
@@ -148,7 +148,7 @@ blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" block: | # Cron settings to meet CIS standards cron.* /var/log/cron diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 34ff0d54..39d0e5a3 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -41,6 +41,7 @@ state: started enabled: yes when: + - rhel8cis_system_is_log_server - rhel8cis_rule_4_2_2_1_3 tags: - level1-server @@ -52,11 +53,12 @@ - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" systemd: - name: systemd-journal-remote + name: systemd-journal-remote.socket state: stopped enabled: no masked: yes when: + - not rhel8cis_system_is_log_server - rhel8cis_rule_4_2_2_1_4 tags: - level1-server diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index ec99ab25..da90bb4e 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -3,6 +3,8 @@ # 4.1 Configure System Accounting (auditd) - name: "SECTION | 4.1| Ensure auditing is enabled" import_tasks: cis_4.1.1.x.yml + when: + - not system_is_container - name: "SECTION | 4.1.2.x| Configure Data Retention" import_tasks: cis_4.1.2.x.yml @@ -10,13 +12,15 @@ - name: "SECTION | 4.1.3.x| Configure auditd rules" import_tasks: cis_4.1.3.x.yml + # 4.2 Configure Logging - name: "SECTION | 4.2.1.x| Configure rsyslog" include_tasks: cis_4.2.1.x.yml when: rhel8cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2.x| Configure journald" - import_tasks: cis_4.2.2.x.yml + include_tasks: cis_4.2.2.x.yml + when: rhel8cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" import_tasks: cis_4.2.3.yml diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index d8d420e9..ccc151f2 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml 
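Review bot: Changing the blockinfile marker from `#{mark} Auth SETTINGS (ANSIBLE MANAGED)` to `#{mark} Cron SETTINGS (ANSIBLE MANAGED)` leaves the block previously written under the old marker in place on hosts that were already hardened, because blockinfile only manages the block whose marker matches; those hosts end up with the cron rule present twice in /etc/rsyslog.conf unless something else removes the old block. If the old marker was shared with the auth block (which is presumably why it was renamed), a one-off `blockinfile` with `state: absent` and the old marker, or at least a release note, would clean it up. The surrounding task starts before this hunk.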
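Review bot: Gating the journald section with `when: rhel8cis_syslog == 'journald'` in section_4/main.yml means that on a host where `rhel8cis_syslog` is `rsyslog` none of cis_4.2.2.x.yml runs, including 4.2.2.1.4, which masks `systemd-journal-remote.socket` so journald does not accept logs from remote clients; journald still runs underneath rsyslog on RHEL 8, so that control is no longer applied on rsyslog hosts. If this is intended, the variable documentation for `rhel8cis_syslog` should state that the journald controls are skipped; otherwise keep the remote-receive, storage and compression tasks unconditional and gate only the journald-forwarding task on the selected syslog.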
@@ -64,7 +64,7 @@ - cron - rule_5.1.4 -- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured" +- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: path: /etc/cron.weekly state: directory diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index a7427512..5fbb3bd0 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -257,10 +257,22 @@ - rule_5.2.13 - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: no - notify: restart sshd + block: + - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" + shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + failed_when: ( crypto_policy_override.rc not in [ 0, 1 ] ) + args: + warn: no + changed_when: false + register: crypto_policy_override + + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd + when: + - crypto_policy_override.stdout | length > 0 when: - rhel8cis_rule_5_2_14 tags: @@ -271,7 +283,7 @@ - ssh - rule_5.2.14 -- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured" +- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner' @@ -316,7 +328,7 @@ - ssh - rule_5.2.17 -- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxSessions is set to 10 or less" +- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index d7bb9536..9207c401 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
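Review bot: The new audit grep in 5.2.14, `grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd`, only matches when `=` immediately follows the name, whereas the sed in the patch step accepts `CRYPTO_POLICY\s*=`; a line written as `CRYPTO_POLICY = ...` is therefore never detected, never commented out, and the system-wide crypto policy stays overridden. Align the two patterns: `shell: grep '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd`. The `-i` also makes the audit accept lower-case spellings that the case-sensitive sed then leaves untouched, so either drop it or add the `I` flag to the sed substitution. The block's `tags:` continue outside the hunk.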
@@ -65,9 +65,13 @@ - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } when: ansible_distribution_version >= "8.2" - when: - - ansible_distribution_version <= "8.1" + when: - rhel8cis_rule_5_5_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.2 - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 0b5172f8..b145de45 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -59,13 +59,13 @@ when: rhel8cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: no register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - command: chage --inactive {{ rhel8cis_inactivelock.lock_days }} "{{ item }}" + command: "chage --inactive {{ rhel8cis_inactivelock.lock_days }} {{ item }}" with_items: - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a29c3ced..079d5049 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - rhel8cis_int_gid | int < item.gid + - item.gid < rhel8uid_interactive_uid_start | int - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: 
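Review bot: The condition retained in this hunk, `when: ansible_distribution_version >= "8.2"`, compares version strings lexically, so on RHEL 8.10 (`"8.10" >= "8.2"` is false as text) the faillock `deny`/`unlock_time` lines are not applied and 5.5.2 is silently left unenforced; use the version test, `when: ansible_distribution_version is version('8.2', '>=')`. Removing the old `<= "8.1"` outer guard is correct, but it leaves this sub-task as the only thing deciding whether the lockout settings are written. The block begins before this hunk.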
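Review bot: The corrected filter `- item.gid < rhel8uid_interactive_uid_start | int` in cis_5.6.x.yml (also in the `@@ -31,7 +31,7 @@` hunk on the next line) now selects low-numbered accounts, but it still keys on the primary group id while the new variable name, and the CIS definition of a system account, are about the UID; an account whose uid is below the threshold but whose primary group is a shared high-numbered group is missed, and the reverse case is wrongly included. If the loop items are the same parsed passwd entries that cis_6.2.x.yml filters with `item.uid`, `- item.uid < rhel8uid_interactive_uid_start | int` matches the intent. Whether keeping `gid` here was deliberate during the rename from `rhel8cis_int_gid` is not visible in the diff; the loop definition is outside the hunk.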
@@ -31,7 +31,7 @@ - item.id != "sync" - item.id != "root" - item.id != "nfsnobody" - - rhel8cis_int_gid | int < item.gid + - item.gid < rhel8uid_interactive_uid_start | int - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index b7db8599..d47c3aab 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -6,12 +6,12 @@ import_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - include_tasks: cis_5.2.x.yml + import_tasks: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - include_tasks: cis_5.3.x.yml + import_tasks: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" import_tasks: cis_5.4.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index b0668c04..532b7cc9 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,7 +12,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel8cis_rpm_audit_file }}" content: "{{ rhel8cis_6_1_1_packages_rpm.stdout }}" @@ -90,7 +90,7 @@ - name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" file: - path: /etc/group- + path: /etc/group owner: root group: root mode: 0644 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index f80c585a..e6e1ceb9 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -189,7 +189,7 @@ - "The following paths have colon end: {{ rhel8cis_6_2_7_path_colon_end.stdout_lines }}" - "The following paths have a dot in the path: {{ rhel8cis_6_2_7_dot_in_path.stdout_lines }}" - - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" + - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner" file: > path='{{ item }}' follow=yes @@ -230,7 +230,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start|int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop|int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +270,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel8cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -299,7 +300,8 @@ loop_control: label: "{{ rhel8cis_passwd_label }}" when: - - item.uid >= rhel8cis_int_gid + - item.uid >= rhel8uid_interactive_uid_start|int + - item.id != 'nobody' - rhel8cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 
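Review bot: In the `@@ -230,7 +230,7 @@` hunk (and the 6.2.11 counterpart on the next line) the explicit `selectattr('uid', '!=', 65534)` is replaced by an upper bound `selectattr('uid', '<=', rhel8uid_interactive_uid_stop|int)`, so the `nobody` account (uid 65534, whose home directory is typically `/` on RHEL 8) is excluded only while that variable stays below 65534; the 6.2.10 hunk adds `- item.id != 'nobody'` as a belt-and-braces check, but the 6.2.9/6.2.11 lists, which feed the recursive `acl` patch tasks, get no such guard. Appending `| rejectattr('id', 'equalto', 'nobody')` to both `with_items` expressions keeps the exclusion independent of how an operator sets the upper bound. The default of `rhel8uid_interactive_uid_stop` is not shown in this diff.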
@@ -315,7 +317,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start|int) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop|int) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -356,7 +358,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel8cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 1e76a93d..1bf7da64 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -452,8 +452,7 @@ rhel8cis_firewall_interface: - enp0s3 - enp0s8 -rhel8cis_firewall_services: {{ rhel8cis_firewall_services }} - +rhel8cis_firewall_services: {% for svc in rhel8cis_firewall_services %}{{ svc }} {% endfor %} ### Section 4 @@ -466,7 +465,7 @@ rhel8cis_auditd: auditd_backlog_limit: {{ rhel8cis_audit_back_log_limit }} ## syslog -rhel8_cis_rsyslog: true +rhel8cis_syslog: {{ rhel8cis_syslog }} ### Section 5 rhel8cis_sshd_limited: false diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index ded49965..76bb41a8 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
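Review bot: The new rendering `rhel8cis_firewall_services: {% for svc in rhel8cis_firewall_services %}{{ svc }} {% endfor %}` in ansible_vars_goss.yml.j2 emits the services as a single space-separated scalar with a trailing space, whereas the previous `{{ rhel8cis_firewall_services }}` rendered a Python-style list literal that YAML reads as a flow sequence; if the goss side iterates this variable as a list, that is a type change, and the consumer is not in the diff. Rendering one `- {{ svc }}` item per line keeps it a list. If a scalar is what the goss test expects, a one-line comment above it saying so would save the next reader the same question.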
@@ -1,3 +1,5 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel8cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope @@ -26,14 +28,14 @@ {% endif %} {% if rhel8cis_rule_4_1_3_6 %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k privileged {% endfor %} {% endif %} {% if rhel8cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8cis_int_gid }} -F auid!=-4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=access {% endif %} {% if rhel8cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity 
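Review bot: The new banner `## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!` has a typo — `CHANGED` should be `CHANGES` — and the same line is added to templates/chrony.conf.j2, templates/etc/systemd/system/tmp.mount.j2 and templates/hosts.allow.j2 later in this diff. Since the banner is the one line an operator reads before hand-editing a managed file, it is worth correcting in all four templates before merge: `## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!`.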
@@ -43,16 +45,16 @@ -w /etc/security/opasswd -p wa -k identity {% endif %} {% if rhel8cis_rule_4_1_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=perm_mod {% endif %} {% if rhel8cis_rule_4_1_3_10 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k mounts --a 
always,exit -F arch=b64 -S mount -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k mounts {% endif %} {% if rhel8cis_rule_4_1_3_11 %} -w /var/run/utmp -p wa -k session 
@@ -64,28 +66,28 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if rhel8cis_rule_4_1_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel8cis_rule_4_1_3_14 %}
 -w /etc/selinux/ -p wa -k MAC-policy
 -w /usr/share/selinux/ -p wa -k MAC-policy
 {% endif %}
 {% if rhel8cis_rule_4_1_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k perm_chng
 {% endif %}
 {% if rhel8cis_rule_4_1_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k perm_chng
 {% endif %}
 {% if rhel8cis_rule_4_1_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k priv_cmd
 {% endif %}
 {% if rhel8cis_rule_4_1_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k usermod
 {% endif %}
 {% if rhel8cis_rule_4_1_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel8cis_int_gid }} -F auid!=4294967295 -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel8uid_interactive_uid_start }} -F auid!=4294967295 -k kernel_modules
 {% endif %}
 {% if rhel8cis_rule_4_1_3_20 %}
 -e 2
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index 1e65073b..e0c31130 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -1,3 +1,5 @@
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
 # This the default chrony.conf file for the Debian chrony package. After
 # editing this file use the command 'invoke-rc.d chrony restart' to make
 # your changes take effect. John Hasler 1998-2008
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
index 8e5851b7..0fd570a0 100644
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -1,3 +1,5 @@
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
 # SPDX-License-Identifier: LGPL-2.1+
 #
 # This file is part of systemd.
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
index 9743ef99..eca5d0db 100644
--- a/templates/hosts.allow.j2
+++ b/templates/hosts.allow.j2
@@ -1,4 +1,5 @@
-#
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
 # hosts.allow This file contains access rules which are used to
 # allow or deny connections to network services that
 # either use the tcp_wrappers library or that have been
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
index 62c51eb4..1fc240a3 100644
--- a/templates/ntp.conf.j2
+++ b/templates/ntp.conf.j2
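Review bot: The banner added at the top of chrony.conf.j2 reads `YOUR CHANGED WILL BE LOST`, and the identical misspelt line is added to tmp.mount.j2, hosts.allow.j2 and ntp.conf.j2; it should read `## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!` in all four. In chrony.conf.j2 the new banner sits directly above the retained Debian header, which still tells the operator to edit the file and run `invoke-rc.d chrony restart`; on a RHEL 8 role that header contradicts the banner and is misleading, so the three context lines under it should be dropped or reworded to describe this template rather than the Debian package default.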
@@ -1,3 +1,5 @@
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
 # For more information about this file, see the man pages
 # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
 
diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml
index 8f9f4b77..18c8e17b 100644
--- a/vars/AlmaLinux.yml
+++ b/vars/AlmaLinux.yml
@@ -1,4 +1,6 @@
 ---
 # OS Specific Settings
 
-rpm_gpg_key: RPM-GPG-KEY-AlmaLinux
\ No newline at end of file
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+rpm_packager: "AlmaLinux Packaging Team"
+rpm_key: "51d6647ec21ad6ea" # found on https://wiki.almalinux.org/cloud/Generic-cloud.html#download-and-verification note lower case
\ No newline at end of file
diff --git a/vars/CentOS.yml b/vars/CentOS.yml
new file mode 100644
index 00000000..fbed60bd
--- /dev/null
+++ b/vars/CentOS.yml
@@ -0,0 +1,6 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}official
+rpm_packager: "The CentOS Project"
+rpm_key: "8483C65D" # found on https://www.centos.org/keys/
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index d67cedc4..abc45f00 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,4 +1,6 @@
 ---
 # OS Specific Settings
 
-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+rpm_packager: "Red Hat, Inc"
+rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/
\ No newline at end of file
diff --git a/vars/Rocky.yml b/vars/Rocky.yml
index 7c8ae0ba..d2e1e102 100644
--- a/vars/Rocky.yml
+++ b/vars/Rocky.yml
@@ -2,3 +2,5 @@
 # OS Specific Settings
 
 rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
+rpm_packager: "infrastructure@rockylinux.org"
+rpm_key: "15af5dac6d745a60" # found on https://rockylinux.org/keys/ note lower case
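Review bot: `rpm_key` is written in two different shapes across the OS vars files: AlmaLinux.yml, RedHat.yml and Rocky.yml carry 16-hex-digit lower-case IDs (two of them with a `note lower case` remark), while CentOS.yml carries the 8-digit upper-case `8483C65D`. Whatever task consumes `rpm_key` is not in this diff, but unless it normalises case and length before comparing, the CentOS value will never match the form the other three use, so one canonical form should be chosen and stated once at each definition, e.g. `rpm_key: "51d6647ec21ad6ea"  # 64-bit key ID, lower case, as compared by <consuming task — placeholder>`. If the value is used to confirm that the imported vendor key is the genuine one, prefer the full fingerprint over a key ID, since 32-bit short IDs in particular are not unique enough for that purpose. Having `rpm_gpg_key` (a file path) and `rpm_key` (an ID) side by side is also easy to misread; a name such as `rpm_gpg_key_id` would make the distinction obvious. AlmaLinux.yml and RedHat.yml still end without a trailing newline after this change.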
diff --git a/vars/is_container.yml b/vars/is_container.yml
new file mode 100644
index 00000000..0e61eb2f
--- /dev/null
+++ b/vars/is_container.yml
@@ -0,0 +1,302 @@
+rhel8cis_section1: true
+rhel8cis_section2: true
+rhel8cis_section3: true
+rhel8cis_section4: true
+rhel8cis_section5: true
+rhel8cis_section6: true
+
+# These variables correspond with the CIS rule IDs or paragraph numbers defined in
+# the CIS benchmark documents.
+# PLEASE NOTE: These work in coordination with the section # group variables and tags.
+# You must enable an entire section in order for the variables below to take effect.
+# Section 1 rules
+rhel8cis_rule_1_1_1_1: true
+rhel8cis_rule_1_1_1_2: true
+rhel8cis_rule_1_1_1_3: true
+rhel8cis_rule_1_1_2_1: true
+rhel8cis_rule_1_1_2_2: true
+rhel8cis_rule_1_1_2_3: true
+rhel8cis_rule_1_1_2_4: true
+rhel8cis_rule_1_1_3_1: true
+rhel8cis_rule_1_1_3_2: true
+rhel8cis_rule_1_1_3_3: true
+rhel8cis_rule_1_1_3_4: true
+rhel8cis_rule_1_1_4_1: true
+rhel8cis_rule_1_1_4_2: true
+rhel8cis_rule_1_1_4_3: true
+rhel8cis_rule_1_1_4_4: true
+rhel8cis_rule_1_1_5_1: true
+rhel8cis_rule_1_1_5_2: true
+rhel8cis_rule_1_1_5_3: true
+rhel8cis_rule_1_1_5_4: true
+rhel8cis_rule_1_1_6_1: true
+rhel8cis_rule_1_1_6_2: true
+rhel8cis_rule_1_1_6_3: true
+rhel8cis_rule_1_1_6_4: true
+rhel8cis_rule_1_1_7_1: true
+rhel8cis_rule_1_1_7_2: true
+rhel8cis_rule_1_1_7_3: true
+rhel8cis_rule_1_1_7_4: true
+rhel8cis_rule_1_1_7_5: true
+rhel8cis_rule_1_1_8_1: true
+rhel8cis_rule_1_1_8_2: true
+rhel8cis_rule_1_1_8_3: true
+rhel8cis_rule_1_1_18: true
+rhel8cis_rule_1_1_19: true
+rhel8cis_rule_1_1_20: true
+rhel8cis_rule_1_1_21: true
+rhel8cis_rule_1_1_9: true
+rhel8cis_rule_1_1_10: true
+rhel8cis_rule_1_2_1: true
+rhel8cis_rule_1_2_2: true
+rhel8cis_rule_1_2_3: true
+rhel8cis_rule_1_2_4: true
+rhel8cis_rule_1_3_1: true
+rhel8cis_rule_1_3_2: true
+rhel8cis_rule_1_4_1: true
+rhel8cis_rule_1_4_2: true
+rhel8cis_rule_1_4_3: true
+rhel8cis_rule_1_5_1: true
+rhel8cis_rule_1_5_2: true
+rhel8cis_rule_1_5_3: true
+rhel8cis_rule_1_6_1: true
+rhel8cis_rule_1_6_2: true
+rhel8cis_rule_1_6_1_1: true
+rhel8cis_rule_1_6_1_2: true
+rhel8cis_rule_1_6_1_3: true
+rhel8cis_rule_1_6_1_4: true
+rhel8cis_rule_1_6_1_5: true
+rhel8cis_rule_1_6_1_6: true
+rhel8cis_rule_1_6_1_7: true
+rhel8cis_rule_1_6_1_8: true
+rhel8cis_rule_1_7_1: true
+rhel8cis_rule_1_7_2: true
+rhel8cis_rule_1_7_3: true
+rhel8cis_rule_1_7_4: true
+rhel8cis_rule_1_7_5: true
+rhel8cis_rule_1_7_6: true
+rhel8cis_rule_1_8_1: true
+rhel8cis_rule_1_8_2: true
+rhel8cis_rule_1_8_3: true
+rhel8cis_rule_1_8_4: true
+rhel8cis_rule_1_8_5: true
+rhel8cis_rule_1_9: true
+rhel8cis_rule_1_10: true
+rhel8cis_rule_1_11: true
+
+# Section 2 rules
+rhel8cis_rule_2_1_1: true
+rhel8cis_rule_2_1_2: true
+rhel8cis_rule_2_2_1: true
+rhel8cis_rule_2_2_2: true
+rhel8cis_rule_2_2_3: true
+rhel8cis_rule_2_2_4: true
+rhel8cis_rule_2_2_5: true
+rhel8cis_rule_2_2_6: true
+rhel8cis_rule_2_2_7: true
+rhel8cis_rule_2_2_8: true
+rhel8cis_rule_2_2_9: true
+rhel8cis_rule_2_2_10: true
+rhel8cis_rule_2_2_11: true
+rhel8cis_rule_2_2_12: true
+rhel8cis_rule_2_2_13: true
+rhel8cis_rule_2_2_14: true
+rhel8cis_rule_2_2_15: true
+rhel8cis_rule_2_2_16: true
+rhel8cis_rule_2_2_17: true
+rhel8cis_rule_2_2_18: true
+rhel8cis_rule_2_2_19: true
+rhel8cis_rule_2_2_20: true
+rhel8cis_rule_2_3_1: true
+rhel8cis_rule_2_3_2: true
+rhel8cis_rule_2_3_3: true
+rhel8cis_rule_2_3_4: true
+rhel8cis_rule_2_3_5: true
+rhel8cis_rule_2_3_6: true
+rhel8cis_rule_2_4: true
+
+# Section 3 rules
+rhel8cis_rule_3_1_1: true
+rhel8cis_rule_3_1_2: true
+rhel8cis_rule_3_1_3: true
+rhel8cis_rule_3_1_4: true
+rhel8cis_rule_3_2_1: true
+rhel8cis_rule_3_2_2: true
+rhel8cis_rule_3_3_1: true
+rhel8cis_rule_3_3_2: true
+rhel8cis_rule_3_3_3: true
+rhel8cis_rule_3_3_4: true
+rhel8cis_rule_3_3_5: true
+rhel8cis_rule_3_3_6: true
+rhel8cis_rule_3_3_7: true
+rhel8cis_rule_3_3_8: true
+rhel8cis_rule_3_3_9: true
+rhel8cis_rule_3_4_1_1: true
+rhel8cis_rule_3_4_1_2: true
+rhel8cis_rule_3_4_1_3: true
+rhel8cis_rule_3_4_1_4: true
+rhel8cis_rule_3_4_1_5: true
+rhel8cis_rule_3_4_1_6: true
+rhel8cis_rule_3_4_1_7: true
+rhel8cis_rule_3_4_2_1: true
+rhel8cis_rule_3_4_2_2: true
+rhel8cis_rule_3_4_2_3: true
+rhel8cis_rule_3_4_2_4: true
+rhel8cis_rule_3_4_2_5: true
+rhel8cis_rule_3_4_2_6: true
+rhel8cis_rule_3_4_2_7: true
+rhel8cis_rule_3_4_2_8: true
+rhel8cis_rule_3_4_2_9: true
+rhel8cis_rule_3_4_2_10: true
+rhel8cis_rule_3_4_2_11: true
+rhel8cis_rule_3_4_3_1_1: true
+rhel8cis_rule_3_4_3_1_2: true
+rhel8cis_rule_3_4_3_1_3: true
+rhel8cis_rule_3_4_3_2_1: true
+rhel8cis_rule_3_4_3_2_2: true
+rhel8cis_rule_3_4_3_2_3: true
+rhel8cis_rule_3_4_3_2_4: true
+rhel8cis_rule_3_4_3_2_5: true
+rhel8cis_rule_3_4_3_2_6: true
+rhel8cis_rule_3_4_3_3_1: true
+rhel8cis_rule_3_4_3_3_2: true
+rhel8cis_rule_3_4_3_3_3: true
+rhel8cis_rule_3_4_3_3_4: true
+rhel8cis_rule_3_4_3_3_5: true
+rhel8cis_rule_3_4_3_3_6: true
+
+# Section 4 rules
+rhel8cis_rule_4_1_1_1: true
+rhel8cis_rule_4_1_1_2: true
+rhel8cis_rule_4_1_1_3: true
+rhel8cis_rule_4_1_1_4: true
+rhel8cis_rule_4_1_2_1: true
+rhel8cis_rule_4_1_2_2: true
+rhel8cis_rule_4_1_2_3: true
+rhel8cis_rule_4_1_3_1: true
+rhel8cis_rule_4_1_3_2: true
+rhel8cis_rule_4_1_3_3: true
+rhel8cis_rule_4_1_3_4: true
+rhel8cis_rule_4_1_3_5: true
+rhel8cis_rule_4_1_3_6: true
+rhel8cis_rule_4_1_3_7: true
+rhel8cis_rule_4_1_3_8: true
+rhel8cis_rule_4_1_3_9: true
+rhel8cis_rule_4_1_3_10: true
+rhel8cis_rule_4_1_3_11: true
+rhel8cis_rule_4_1_3_12: true
+rhel8cis_rule_4_1_3_13: true
+rhel8cis_rule_4_1_3_14: true
+rhel8cis_rule_4_1_3_15: true
+rhel8cis_rule_4_1_3_16: true
+rhel8cis_rule_4_1_3_17: true
+rhel8cis_rule_4_1_3_18: true
+rhel8cis_rule_4_1_3_19: true
+rhel8cis_rule_4_1_3_20: true
+rhel8cis_rule_4_1_3_21: true
+rhel8cis_rule_4_2_1_1: true
+rhel8cis_rule_4_2_1_2: true
+rhel8cis_rule_4_2_1_3: true
+rhel8cis_rule_4_2_1_4: true
+rhel8cis_rule_4_2_1_5: true
+rhel8cis_rule_4_2_1_6: true
+rhel8cis_rule_4_2_1_7: true
+rhel8cis_rule_4_2_2_1_1: true
+rhel8cis_rule_4_2_2_1_2: true
+rhel8cis_rule_4_2_2_1_3: true
+rhel8cis_rule_4_2_2_1_4: true
+rhel8cis_rule_4_2_2_2: true
+rhel8cis_rule_4_2_2_3: true
+rhel8cis_rule_4_2_2_4: true
+rhel8cis_rule_4_2_2_5: true
+rhel8cis_rule_4_2_2_6: true
+rhel8cis_rule_4_2_2_7: true
+rhel8cis_rule_4_2_3: true
+rhel8cis_rule_4_3: true
+
+# Section 5 rules
+rhel8cis_rule_5_1_1: true
+rhel8cis_rule_5_1_2: true
+rhel8cis_rule_5_1_3: true
+rhel8cis_rule_5_1_4: true
+rhel8cis_rule_5_1_5: true
+rhel8cis_rule_5_1_6: true
+rhel8cis_rule_5_1_7: true
+rhel8cis_rule_5_1_8: true
+rhel8cis_rule_5_1_9: true
+rhel8cis_rule_5_2_1: true
+rhel8cis_rule_5_2_2: true
+rhel8cis_rule_5_2_3: true
+rhel8cis_rule_5_2_4: true
+rhel8cis_rule_5_2_5: true
+rhel8cis_rule_5_2_6: true
+rhel8cis_rule_5_2_7: true
+rhel8cis_rule_5_2_8: true
+rhel8cis_rule_5_2_9: true
+rhel8cis_rule_5_2_10: true
+rhel8cis_rule_5_2_12: true
+rhel8cis_rule_5_2_11: true
+rhel8cis_rule_5_2_13: true
+rhel8cis_rule_5_2_14: true
+rhel8cis_rule_5_2_15: true
+rhel8cis_rule_5_2_16: true
+rhel8cis_rule_5_2_17: true
+rhel8cis_rule_5_2_18: true
+rhel8cis_rule_5_2_19: true
+rhel8cis_rule_5_2_20: true
+rhel8cis_rule_5_3_1: true
+rhel8cis_rule_5_3_2: true
+rhel8cis_rule_5_3_3: true
+rhel8cis_rule_5_3_4: true
+rhel8cis_rule_5_3_5: true
+rhel8cis_rule_5_3_6: true
+rhel8cis_rule_5_3_7: true
+rhel8cis_rule_5_4_1: true
+rhel8cis_rule_5_4_2: true
+rhel8cis_rule_5_5_1: true
+rhel8cis_rule_5_5_2: true
+rhel8cis_rule_5_5_3: true
+rhel8cis_rule_5_5_4: true
+rhel8cis_rule_5_5_5: true
+rhel8cis_rule_5_6_1_1: true
+rhel8cis_rule_5_6_1_2: true
+rhel8cis_rule_5_6_1_3: true
+rhel8cis_rule_5_6_1_4: true
+rhel8cis_rule_5_6_1_5: true
+rhel8cis_rule_5_6_2: true
+rhel8cis_rule_5_6_3: true
+rhel8cis_rule_5_6_4: true
+rhel8cis_rule_5_6_5: true
+
+# Section 6 rules
+rhel8cis_rule_6_1_1: true
+rhel8cis_rule_6_1_2: true
+rhel8cis_rule_6_1_3: true
+rhel8cis_rule_6_1_4: true
+rhel8cis_rule_6_1_5: true
+rhel8cis_rule_6_1_6: true
+rhel8cis_rule_6_1_7: true
+rhel8cis_rule_6_1_8: true
+rhel8cis_rule_6_1_9: true
+rhel8cis_rule_6_1_10: true
+rhel8cis_rule_6_1_11: true
+rhel8cis_rule_6_1_12: true
+rhel8cis_rule_6_1_13: true
+rhel8cis_rule_6_1_14: true
+rhel8cis_rule_6_1_15: true
+rhel8cis_rule_6_2_1: true
+rhel8cis_rule_6_2_2: true
+rhel8cis_rule_6_2_3: true
+rhel8cis_rule_6_2_4: true
+rhel8cis_rule_6_2_5: true
+rhel8cis_rule_6_2_6: true
+rhel8cis_rule_6_2_7: true
+rhel8cis_rule_6_2_8: false
+rhel8cis_rule_6_2_9: true
+rhel8cis_rule_6_2_10: true
+rhel8cis_rule_6_2_11: true
+rhel8cis_rule_6_2_12: true
+rhel8cis_rule_6_2_13: true
+rhel8cis_rule_6_2_14: true
+rhel8cis_rule_6_2_15: true
+rhel8cis_rule_6_2_16: true
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index 913e63e9..e9d64c03 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -3,5 +3,6 @@
 min_ansible_version: 2.9
 
 rhel8cis_allowed_crypto_policies:
+ - 'DEFAULT'
 - 'FUTURE'
 - 'FIPS'
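Review bot: The new vars/is_container.yml sets every section and rule switch to `true` except `rhel8cis_rule_6_2_8: false`, so it is a second full copy of the rule switches rather than a container profile; if it is loaded when the target is detected as a container, as the name suggests, the content one would expect is the host-only controls turned off — the kernel-module, partition and mount rules under 1.1.x, the bootloader rules 1.4.x, firewall 3.4.x and auditd 4.1.x — none of which can be enforced from inside a container. Carrying a complete duplicate also means every rule added later has to be mirrored here or this override silently drifts from the defaults; listing only the switches that differ would avoid that. The single `false` has no explanation; add a comment such as `rhel8cis_rule_6_2_8: false  # off in containers because <reason — placeholder>`. Minor: the file has no `---` document start, `rhel8cis_rule_5_2_12` is listed before `rhel8cis_rule_5_2_11`, and the file ends without a trailing newline.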
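Review bot: Adding `'DEFAULT'` to `rhel8cis_allowed_crypto_policies` widens an allow-list that previously accepted only `FUTURE` and `FIPS`; `DEFAULT` permits weaker algorithms and key sizes than either, so this is a deliberate loosening of what the role accepts, and neither the hunk nor the commit records why. Keep the rationale next to the entry, e.g. `  - 'DEFAULT'  # accepted because <reason — placeholder>; LEGACY remains rejected`, and confirm that whatever task validates the configured policy against this list (not visible in this diff) still refuses `LEGACY`.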