diff --git a/shared/templates/static/ansible/accounts_logon_fail_delay.yml b/shared/templates/static/ansible/accounts_logon_fail_delay.yml
index e61f368b6de..b1fde53e343 100644
--- a/shared/templates/static/ansible/accounts_logon_fail_delay.yml
+++ b/shared/templates/static/ansible/accounts_logon_fail_delay.yml
@@ -1,9 +1,9 @@
 # platform = multi_platform_rhel
-- name: "Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)"
+- name: Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)
 lineinfile:
- dest="/etc/login.defs"
- regexp="^FAIL_DELAY"
- line="FAIL_DELAY (ansible-populate var_accounts_fail_delay)"
+ dest: /etc/login.defs
+ regexp: ^FAIL_DELAY
+ line: FAIL_DELAY (ansible-populate var_accounts_fail_delay)
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml b/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml
new file mode 100644
index 00000000000..8f9cf0384dd
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
+ lineinfile:
+ state: present
+ dest: /etc/security/limits.conf
+ insertbefore: '^# End of file'
+ regexp: '^#?\\*.*maxlogins'
+ line: '* hard maxlogins (ansible-populate var_accounts_max_concurrent_login_sessions)'
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml b/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml
new file mode 100644
index 00000000000..78ebc15f6a4
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml
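Review bot: In accounts_max_concurrent_login_sessions.yml the single-quoted `regexp: '^#?\\*.*maxlogins'` keeps both backslashes literally, so the pattern means "optional `#`, zero or more literal backslashes, then anything ending in `maxlogins`" — the `.*` will also match a per-user or per-group `maxlogins` entry and lineinfile will overwrite that line with the wildcard rule. The intent reads as an optional comment marker plus a literal `*`, which in single quotes is `regexp: '^#?\*.*maxlogins'`; a tighter `regexp: '^#?\s*\*\s+hard\s+maxlogins'` would leave other principals' limits untouched.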
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Age
+ lineinfile:
+ create: yes
+ dest: /etc/login.defs
+ regexp: ^#?PASS_MAX_DAYS
+ line: PASS_MAX_DAYS (ansible-populate var_accounts_maximum_age_login_defs)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml b/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml
new file mode 100644
index 00000000000..6d9d2f53e60
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Age
+ lineinfile:
+ create: yes
+ dest: /etc/login.defs
+ regexp: ^#?PASS_MIN_DAYS
+ line: PASS_MIN_DAYS (ansible-populate var_accounts_minimum_age_login_defs)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml b/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml
new file mode 100644
index 00000000000..6db4ec434db
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Minimum Length in login.defs"
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^PASS_MIN_LEN *[0-9]*"
+ state: present
+ line: "PASS_MIN_LEN (ansible-populate var_accounts_password_minlen_login_defs)"
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml
new file mode 100644
index 00000000000..65cddd16a6f
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name:
+ lineinfile:
+ create: yes
+ dest: /etc/security/pwquality.conf
+ regexp: '^#?\s*maxclassrepeat'
+ line: maxclassrepeat = (ansible-populate var_password_pam_maxclassrepeat)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml
new file mode 100644
index 00000000000..2bf2de8be03
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Consecutive Repeating Characters
+ lineinfile:
+ create: yes
+ dest: /etc/security/pwquality.conf
+ regexp: '^#?\s*maxrepeat'
+ line: maxrepeat = (ansible-populate var_password_pam_maxrepeat)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_minlen.yml b/shared/templates/static/ansible/accounts_password_pam_minlen.yml
new file mode 100644
index 00000000000..78041b118e4
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_minlen.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Length - /etc/security/pwquality.conf
+ lineinfile:
+ dest: /etc/security/pwquality.conf
+ regexp: ^minlen =
+ state: present
+ line: minlen = (ansible-populate var_password_pam_minlen)
+ tags:
+ @ANSIBLE_TAGS@
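Review bot: `- name:` in accounts_password_pam_maxclassrepeat.yml is empty, so the task runs with a null name and the play output gives no indication of which pwquality.conf setting was touched. Give it a title in the style of its sibling, e.g. `- name: Set Password Maximum Consecutive Characters of the Same Class` (wording should follow the rule's title); the rest of the task mirrors accounts_password_pam_maxrepeat.yml correctly.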
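Review bot: `regexp: ^minlen =` in accounts_password_pam_minlen.yml (any trailing space in a plain scalar is dropped) matches only an already-active `minlen =` line, so a pwquality.conf whose `minlen` is still commented out — the usual shipped state — keeps that comment and gets a second entry appended, whereas the maxrepeat and maxclassrepeat tasks in this commit replace the commented default in place with `'^#?\s*maxrepeat'`. For the same behaviour and consistency use `regexp: '^#?\s*minlen'`.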
diff --git a/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml b/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml
new file mode 100644
index 00000000000..a9c3f858860
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Warning Age"
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^PASS_WARN_AGE *[0-9]*"
+ state: present
+ line: "PASS_WARN_AGE (ansible-populate var_accounts_password_warn_age_login_defs)"
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_tmout.yml b/shared/templates/static/ansible/accounts_tmout.yml
new file mode 100644
index 00000000000..752937959c0
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_tmout.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Interactive Session Timeout
+ lineinfile:
+ create: yes
+ dest: /etc/profile
+ regexp: ^#?TMOUT
+ line: TMOUT=(ansible-populate var_accounts_tmout)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml b/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml
new file mode 100644
index 00000000000..358180bb60e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd mail_acct Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "action_mail_acct = (ansible-populate var_auditd_action_mail_acct)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
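Review bot: The lineinfile task in auditd_data_retention_action_mail_acct.yml has no `regexp`, so when auditd.conf already holds an `action_mail_acct = ...` line with a different value the populated line is appended and the file ends up with two conflicting directives instead of the old one being replaced; auditd_data_retention_max_log_file.yml and auditd_data_retention_max_log_file_action.yml have the same gap. Add `regexp: ^action_mail_acct` here and the matching anchor in the other two. Separately, with `#notify: reload auditd` commented out the running daemon keeps the previous setting until it is restarted; if no handler is available in this template context, a single explanatory comment or TODO is more maintainable than a dead `#notify` line.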
diff --git a/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml
new file mode 100644
index 00000000000..6727746b65e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd admin_space_left Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "admin_space_left_action = (ansible-populate var_auditd_admin_space_left_action)"
+ regexp: "^admin_space_left_action*"
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_flush.yml b/shared/templates/static/ansible/auditd_data_retention_flush.yml
new file mode 100644
index 00000000000..3f01650e563
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_flush.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Flush Priority
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: '.*flush.*'
+ line: flush = data
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml
new file mode 100644
index 00000000000..ce828443a2c
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml
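Review bot: `regexp: "^admin_space_left_action*"` — the trailing `*` quantifies only the final `n`, so the anchor is really `^admin_space_left_actio` followed by zero or more `n`; it happens to match the directive but reads as a shell glob and will mislead the next editor. `regexp: ^admin_space_left_action` is the intended pattern; auditd_data_retention_space_left_action.yml has the same `^space_left_action*`.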
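Review bot: `regexp: '.*flush.*'` in auditd_data_retention_flush.yml matches any line containing the word anywhere, including a comment that mentions flush, and lineinfile rewrites only the last match, so the task can replace a comment while leaving an active `flush = ...` directive in force. Anchor it to the directive as the neighbouring tasks do, `regexp: '^#?\s*flush\s*='`.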
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Max Log File Size
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "max_log_file (ansible-populate var_auditd_max_log_file)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml
new file mode 100644
index 00000000000..87393069f00
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "max_log_file_action (ansible-populate var_auditd_max_log_file_action)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml
new file mode 100644
index 00000000000..0d88ab6d78e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd space_left Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: space_left_action = (ansible-populate var_auditd_space_left_action)
+ regexp: ^space_left_action*
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
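Review bot: `line: "max_log_file (ansible-populate var_auditd_max_log_file)"` omits the `=` separator that every other auditd.conf directive in this commit uses (`action_mail_acct = …`, `admin_space_left_action = …`, `flush = data`, `space_left_action = …`); auditd_data_retention_max_log_file_action.yml has the same omission. Unless auditd's parser accepts a bare key/value pair — which I would not rely on — these should read `line: "max_log_file = (ansible-populate var_auditd_max_log_file)"` and `line: "max_log_file_action = (ansible-populate var_auditd_max_log_file_action)"`, otherwise the written line is ignored or breaks daemon start and the retention setting silently never applies.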
diff --git a/shared/templates/static/ansible/bootloader_audit_argument.yml b/shared/templates/static/ansible/bootloader_audit_argument.yml
new file mode 100644
index 00000000000..5f409fe6876
--- /dev/null
+++ b/shared/templates/static/ansible/bootloader_audit_argument.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon"
+ shell: /sbin/grubby --update-kernel=ALL --args="audit=1"
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/clean_components_post_updating.yml b/shared/templates/static/ansible/clean_components_post_updating.yml
new file mode 100644
index 00000000000..60d16942788
--- /dev/null
+++ b/shared/templates/static/ansible/clean_components_post_updating.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Ensure YUM Removes Previous Package Versions"
+ lineinfile:
+ dest: /etc/yum.conf
+ regexp: ^#?clean_requirements_on_remove
+ line: clean_requirements_on_remove=1
+ insertafter: '\[main\]'
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/disable_host_auth.yml b/shared/templates/static/ansible/disable_host_auth.yml
index f81320b4f8c..31706fe7172 100644
--- a/shared/templates/static/ansible/disable_host_auth.yml
+++ b/shared/templates/static/ansible/disable_host_auth.yml
@@ -3,11 +3,11 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable Host-Based Authentication"
+- name: Disable Host-Based Authentication
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^HostbasedAuthentication"
- line="HostbasedAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^HostbasedAuthentication
+ line: HostbasedAuthentication no
 tags:
 @ANSIBLE_TAGS@
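Review bot: `shell: /sbin/grubby --update-kernel=ALL --args="audit=1"` runs unconditionally, so the task reports `changed` on every play and rewrites the bootloader entries even when `audit=1` is already present, and it is skipped entirely in check mode. No shell features are used, so `command:` is the right module, and registering the current kernel arguments (e.g. `grubby --info=ALL`) and gating the update with a `when:` on its output would make the task idempotent and check-mode aware. The `# reboot = true` header is correct — the argument only takes effect at the next boot.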
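Review bot: disable_host_auth.yml is the one sshd_config task in this commit that does not gain `validate: sshd -t -f %s`, and its `regexp: ^HostbasedAuthentication` still misses the commented `#HostbasedAuthentication no` default that the compression/GSSAPI/Kerberos tasks now handle with `(?i)^#?…`. Bringing it in line with those — `regexp: (?i)^#?hostbasedauthentication` plus the `validate:` line — replaces the default in place and stops a malformed edit from being written to the live sshd_config.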
diff --git a/shared/templates/static/ansible/enable_selinux_bootloader.yml b/shared/templates/static/ansible/enable_selinux_bootloader.yml
index dce2b86a081..757e2f0a10a 100644
--- a/shared/templates/static/ansible/enable_selinux_bootloader.yml
+++ b/shared/templates/static/ansible/enable_selinux_bootloader.yml
@@ -3,9 +3,9 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Ensure SELinux Not Disabled in /etc/default/grub"
+- name: Ensure SELinux Not Disabled in /etc/default/grub
 replace:
 dest: /etc/default/grub
- regexp: "selinux=0"
+ regexp: selinux=0
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml b/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml
new file mode 100644
index 00000000000..8bf542e1cec
--- /dev/null
+++ b/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+#
+- name: Find All Yum Repositories
+ find:
+ paths: "/etc/yum.repos.d/"
+ patterns: "*.repo"
+ register: yum_find
+
+- name: Ensure gpgcheck Enabled For All Yum Package Repositories
+ with_items: "{{ yum_find.files }}"
+ lineinfile:
+ create: yes
+ dest: "{{ item.path }}"
+ regexp: '^gpgcheck'
+ line: 'gpgcheck=1'
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml b/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
index b1cf2fe1146..277e946521a 100644
--- a/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
+++ b/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
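Review bot: The `Find All Yum Repositories` task in ensure_gpgcheck_never_disabled.yml carries no `tags:` block, so a run restricted with `--tags` to the generated tags executes only the second task, `yum_find.files` is undefined, and the remediation fails; add `tags:` / `@ANSIBLE_TAGS@` to the find task as well. Also, `regexp: '^gpgcheck'` rewrites one line per file (lineinfile edits the last match), while a `.repo` file with several `[section]` stanzas has a `gpgcheck` per stanza, so multi-section repo files stay partly unenforced — a `replace:` call, or iterating per section, would cover them all.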
@@ -13,21 +13,21 @@
 # It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
-- name: "Read signatures in GPG key"
- shell: "gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'"
+- name: Read signatures in GPG key
+ shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'
 changed_when: False
 register: gpg_fingerprints
 check_mode: no
 tags:
 @ANSIBLE_TAGS@
-- name: "Set Fact: Valid fingerprints"
+- name: Set Fact - Valid fingerprints
 set_fact:
 gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0")
 tags:
 @ANSIBLE_TAGS@
-- name: "Import RedHat GPG key"
+- name: Import RedHat GPG key
 rpm_key:
 state: present
 key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -38,4 +38,3 @@
 and (ansible_distribution == "RedHat")
 tags:
 @ANSIBLE_TAGS@
-
diff --git a/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml b/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
index 17633005069..eb338bc9ca1 100644
--- a/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
+++ b/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
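Review bot: The comment above the `Read signatures in GPG key` task says it should fail when no fingerprint is parsed, but the pipeline's exit status is that of the final `sed`, so a missing or unreadable key file yields an empty `gpg_fingerprints.stdout` and the task still succeeds; whether a later task outside this hunk checks for that is not visible here. A `failed_when: gpg_fingerprints.stdout == ""` on this task would enforce the stated contract before the fingerprints are compared against `gpg_valid_fingerprints`. `check_mode: no` is appropriate since the command is read-only.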
@@ -4,21 +4,21 @@
 # strategy = configure
 # disruption = low
-- name: "Enable SSHD in firewalld (custom port)"
+- name: Enable SSHD in firewalld (custom port)
 firewalld:
- port="(ansible-populate sshd_listening_port)/tcp"
- permanent="yes"
- state="enabled"
- when: "(ansible-populate sshd_listening_port)" != "22"
+ port: (ansible-populate sshd_listening_port)/tcp
+ permanent: yes
+ state: enabled
+ when: (ansible-populate sshd_listening_port) != 22
 tags:
 @ANSIBLE_TAGS@
-- name: "Enable SSHD in firewalld (default port)"
+- name: Enable SSHD in firewalld (default port)
 firewalld:
- service="ssh"
- permanent="yes"
- state="enabled"
- when: "(ansible-populate sshd_listening_port)" == "22"
+ service: ssh
+ permanent: yes
+ state: enabled
+ when: (ansible-populate sshd_listening_port) == 22
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/no_direct_root_logins.yml b/shared/templates/static/ansible/no_direct_root_logins.yml
new file mode 100644
index 00000000000..56e4d0e3c6e
--- /dev/null
+++ b/shared/templates/static/ansible/no_direct_root_logins.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Direct root Logins Not Allowed"
+ shell: echo > /etc/securetty
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/no_rsh_trust_files.yml b/shared/templates/static/ansible/no_rsh_trust_files.yml
new file mode 100644
index 00000000000..ef8e82f96eb
--- /dev/null
+++ b/shared/templates/static/ansible/no_rsh_trust_files.yml
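Review bot: Both firewalld tasks set `permanent: yes` without `immediate: yes`, so the rule is written to the permanent configuration but the running firewall is unchanged until a reload — on a host already listening on a custom SSH port that leaves the port closed for the remainder of the play. Adding `immediate: yes` beside `permanent: yes` applies both. The `when:` comparisons now use bare values (`!= 22`), which is fine as long as the populated variable is always numeric; if it can arrive as a string, `"22" != 22` is true and the custom-port task runs unconditionally.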
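Review bot: `shell: echo > /etc/securetty` truncates the file on every run, so the task is never idempotent, reports `changed` each time, and is skipped under check mode. `copy:` with `content: ""` and `dest: /etc/securetty` writes the same empty file only when it differs, supports check mode and `--diff`, and avoids a shell for what is a plain file write.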
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- block:
+ - name: "Detect shosts.equiv Files on the System"
+ find:
+ paths: /
+ recurse: yes
+ patterns: shosts.equiv
+ check_mode: no
+ register: shosts_equiv_locations
+
+ - name: "Remove Rsh Trust Files"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items: "{{ shosts_equiv_locations }}"
+ when: shosts_equiv_locations
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/require_smb_client_signing.yml b/shared/templates/static/ansible/require_smb_client_signing.yml
new file mode 100644
index 00000000000..770c6ea2269
--- /dev/null
+++ b/shared/templates/static/ansible/require_smb_client_signing.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel, multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+- name: Check if /etc/samba/smb.conf exists
+ stat:
+ path: /etc/samba/smb.conf
+ register: st_smb
+ tags:
+ @ANSIBLE_TAGS@
+
+- name: Require Client SMB Packet Signing, if using smbclient
+ lineinfile:
+ dest: /etc/samba/smb.conf
+ line: client signing = mandatory
+ state: present
+ insertafter: [global]
+ when: st_smb.stat.exists
+ tags:
+ @ANSIBLE_TAGS@
+
diff --git a/shared/templates/static/ansible/account_disable_post_pw_expiration.yml b/shared/templates/static/ansible/restrict_serial_port_logins.yml
similarity index 55%
rename from shared/templates/static/ansible/account_disable_post_pw_expiration.yml
rename to shared/templates/static/ansible/restrict_serial_port_logins.yml
index 0d9d68b0fa8..1729e32e732 100644
--- a/shared/templates/static/ansible/account_disable_post_pw_expiration.yml
+++ b/shared/templates/static/ansible/restrict_serial_port_logins.yml
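Review bot: `with_items: "{{ shosts_equiv_locations }}"` in no_rsh_trust_files.yml iterates over the registered result mapping itself rather than its `files` list, so `item.path` is undefined and the removal task fails as soon as it runs; and `when: shosts_equiv_locations` is always truthy because the register exists whether or not anything matched. The loop should be `with_items: "{{ shosts_equiv_locations.files }}"` and the guard `when: shosts_equiv_locations.matched > 0`. The `find` with `paths: /` and `recurse: yes` walks every mounted filesystem, including any network mounts; if that is acceptable for this rule a comment saying so would help the next reader.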
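Review bot: `insertafter: [global]` in require_smb_client_signing.yml is parsed by YAML as a flow sequence holding the string `global`, not as a regex, so the option is either rejected by argument validation or stringified into a pattern that never matches, and the `client signing` line then falls to the end of the file — inside whatever share section is last, not `[global]`. Quote and escape it: `insertafter: '^\[global\]'`. A `regexp: '^\s*client signing'` is also worth adding so an existing `client signing = ...` with a weaker value is replaced rather than duplicated.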
@@ -3,12 +3,10 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable POST password expiration"
+- name: "Restrict Serial Port Root Logins"
 lineinfile:
- create=yes
- dest="/etc/default/useradd"
- regexp="^INACTIVE"
- line="INACTIVE=-1"
+ dest: /etc/securetty
+ regexp: 'ttyS[0-9]'
+ state: absent
 tags:
 @ANSIBLE_TAGS@
-
diff --git a/shared/templates/static/ansible/securetty_root_login_console_only.yml b/shared/templates/static/ansible/securetty_root_login_console_only.yml
new file mode 100644
index 00000000000..8cc3507cac7
--- /dev/null
+++ b/shared/templates/static/ansible/securetty_root_login_console_only.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Restrict Virtual Console Root Logins"
+ lineinfile:
+ dest: /etc/securetty
+ regexp: '^vc'
+ state: absent
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/security_patches_up_to_date.yml b/shared/templates/static/ansible/security_patches_up_to_date.yml
index b46caa7aa05..5b7ab01bdcf 100644
--- a/shared/templates/static/ansible/security_patches_up_to_date.yml
+++ b/shared/templates/static/ansible/security_patches_up_to_date.yml
@@ -5,8 +5,8 @@
 # disruption = high
 - name: "Security patches are up to date"
 package:
- name="*"
- state="latest"
+ name: "*"
+ state: "latest"
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml
new file mode 100644
index 00000000000..d632ef74938
--- /dev/null
+++ b/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml
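Review bot: This hunk turns account_disable_post_pw_expiration.yml into restrict_serial_port_logins.yml by replacing its body, so the `INACTIVE` remediation for /etc/default/useradd disappears from the Ansible templates; if that rule is still part of the benchmark it is now left without an Ansible remediation, which looks unintended for a commit that otherwise only reformats and adds files. Either keep the old file and add restrict_serial_port_logins.yml as a new one, or state in the commit that the removal is deliberate. In the new body `regexp: 'ttyS[0-9]'` is unanchored; `regexp: '^ttyS'` avoids deleting a line that merely contains the string.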
@@ -0,0 +1,14 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/libuser.conf
+ lineinfile:
+ dest: /etc/libuser.conf
+ insertafter: "^.default]"
+ regexp: ^#?crypt_style
+ line: crypt_style = sha512
+ state: present
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml
new file mode 100644
index 00000000000..3569246f15c
--- /dev/null
+++ b/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/login.defs
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: ^#?ENCRYPT_METHOD
+ line: ENCRYPT_METHOD SHA512
+ state: present
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_allow_only_protocol2.yml b/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
index 2d81527c352..83d43303564 100644
--- a/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
+++ b/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
@@ -9,7 +9,7 @@
 dest: /etc/ssh/sshd_config
 regexp: "^Protocol [0-9]"
 line: "Protocol 2"
- notify:
- - reload ssh
+ validate: sshd -t -f %s
+ #notify: :reload ssh
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_compression.yml b/shared/templates/static/ansible/sshd_disable_compression.yml
index e7c27e91755..4ab4abb3ee0 100644
--- a/shared/templates/static/ansible/sshd_disable_compression.yml
+++ b/shared/templates/static/ansible/sshd_disable_compression.yml
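Review bot: In sshd_allow_only_protocol2.yml `#notify: :reload ssh` replaces a working `notify:` with a commented-out line (and a stray colon), so sshd is no longer reloaded after the `Protocol 2` change and the old setting stays active until someone restarts the service; the same `#notify: restart sshd` placeholder appears in sshd_disable_compression, sshd_disable_kerb_auth, sshd_disable_root_login, sshd_disable_user_known_hosts, sshd_enable_strictmodes, sshd_print_last_log, sshd_set_idle_timeout and sshd_set_keepalive, and sshd_disable_gssapi_auth carries `#notify: sshd -t -f %s`, which is a copy of the validate command rather than a handler name. If handlers are not available in this template context, say so once in a comment and track it — dead `#notify` lines in three different spellings will not be maintained. The `validate: sshd -t -f %s` addition is the right guard and should stay.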
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Disable Compression or Set Compression to delayed"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Compression"
- line="Compression delayed"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?compression
+ line: Compression delayed
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_empty_passwords.yml b/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
index 8b37fdd1d71..04ac923c102 100644
--- a/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
+++ b/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
@@ -3,11 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Diable SSH Access via Empty Passwords"
+- name: Diable SSH Access via Empty Passwords
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitEmptyPasswords"
- line="PermitEmptyPasswords no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PermitEmptyPasswords
+ line: PermitEmptyPasswords no
+ validate: sshd -t -f %s
 tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml b/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
index 4036bc13f7a..346634d3285 100644
--- a/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
+++ b/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Disable GSSAPI Authentication"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^GSSAPIAuthentication"
- line="GSSAPIAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?gssapiauthentication
+ line: GSSAPIAuthentication no
+ validate: sshd -t -f %s
+ #notify: sshd -t -f %s
 tags:
 @ANSIBLE_TAGS@
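Review bot: In sshd_disable_empty_passwords.yml, `regexp: ^PermitEmptyPasswords` with no `insertafter` means a sshd_config that carries only the commented `#PermitEmptyPasswords no` default gets the new directive appended at the end of the file; sshd honours the first value it reads, and when the file ends with a `Match` block the appended line is scoped to that block (or rejected by `sshd -t` for keywords not permitted under Match), so the hardening silently fails to apply globally. sshd_disable_root_login.yml in this same commit avoids that with `insertafter: '(?i)^#?authentication'`; the same line belongs here and in the other sshd tasks that can append (compression, gssapi, kerb, rhosts, rhosts_rsa, user_known_hosts, user_env, strictmodes, warning_banner, x11_forwarding, print_last_log, idle_timeout, keepalive), or the regexps should take the `(?i)^#?` form so the commented default is replaced in place. The task name still reads `Diable SSH Access via Empty Passwords`.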
diff --git a/shared/templates/static/ansible/sshd_disable_kerb_auth.yml b/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
index 054c43cbb04..4c1e359cc2e 100644
--- a/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
+++ b/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Disable Kerberos Authentication"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^KerberosAuthentication"
- line="KerberosAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?kerberosauthentication
+ line: KerberosAuthentication no
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_rhosts.yml b/shared/templates/static/ansible/sshd_disable_rhosts.yml
index 91d01270a31..1ca41449f9a 100644
--- a/shared/templates/static/ansible/sshd_disable_rhosts.yml
+++ b/shared/templates/static/ansible/sshd_disable_rhosts.yml
@@ -3,11 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable SSH Support for .rhosts Files"
+- name: Disable SSH Support for .rhosts Files
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^IgnoreRhosts"
- line="IgnoreRhosts yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^IgnoreRhosts
+ line: IgnoreRhosts yes
+ validate: sshd -t -f %s
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml b/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
index ccacf9365d6..812f7fb4c3c 100644
--- a/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
+++ b/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
@@ -3,11 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable SSH Support for Rhosts RSA Authentication"
+- name: Disable SSH Support for Rhosts RSA Authentication
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^RhostsRSAAuthentication"
- line="RhostsRSAAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^RhostsRSAAuthentication
+ line: RhostsRSAAuthentication no
+ validate: sshd -t -f %s
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_root_login.yml b/shared/templates/static/ansible/sshd_disable_root_login.yml
index cc1b0717836..ddbca31d81e 100644
--- a/shared/templates/static/ansible/sshd_disable_root_login.yml
+++ b/shared/templates/static/ansible/sshd_disable_root_login.yml
@@ -5,9 +5,12 @@
 # disruption = low
 - name: "Disable SSH Root Login"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitRootLogin"
- line="PermitRootLogin no"
+ create: yes
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin no"
+ insertafter: '(?i)^#?authentication'
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml b/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
index e01e520a47f..ea75fb4fd0b 100644
--- a/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
+++ b/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Disable SSH Support for User Known Hosts"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^IgnoreUserKnownHosts"
- line="IgnoreUserKnownHosts yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^IgnoreUserKnownHosts
+ line: IgnoreUserKnownHosts yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml b/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
index b59526e353c..62018440adc 100644
--- a/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
+++ b/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
@@ -3,11 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Do Not Allow SSH Environment Options"
+- name: Do Not Allow SSH Environment Options
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitUserEnvironment"
- line="PermitUserEnvironment no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PermitUserEnvironment
+ line: PermitUserEnvironment no
+ validate: sshd -t -f %s
 tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_strictmodes.yml b/shared/templates/static/ansible/sshd_enable_strictmodes.yml
index da8f9cdd360..b93089d81ba 100644
--- a/shared/templates/static/ansible/sshd_enable_strictmodes.yml
+++ b/shared/templates/static/ansible/sshd_enable_strictmodes.yml
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Enable Use of Strict Mode Checking"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^StrictModes"
- line="StrictModes yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?strictmodes
+ line: StrictModes yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_warning_banner.yml b/shared/templates/static/ansible/sshd_enable_warning_banner.yml
index 1ae5c033359..5c2aadc0979 100644
--- a/shared/templates/static/ansible/sshd_enable_warning_banner.yml
+++ b/shared/templates/static/ansible/sshd_enable_warning_banner.yml
@@ -3,11 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Enable SSH Warning Banner"
+- name: Enable SSH Warning Banner
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Banner"
- line="Banner /etc/issue"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^Banner
+ line: Banner /etc/issue
+ validate: sshd -t -f %s
 tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml b/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml
new file mode 100644
index 00000000000..a443b66ee4c
--- /dev/null
+++ b/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Enable Encrypted X11 Forwarding
+ lineinfile:
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^X11Forwarding
+ line: X11Forwarding yes
+ validate: sshd -t -f %s
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_print_last_log.yml b/shared/templates/static/ansible/sshd_print_last_log.yml
index 2f9ce399acb..1fba2f1e914 100644
--- a/shared/templates/static/ansible/sshd_print_last_log.yml
+++ b/shared/templates/static/ansible/sshd_print_last_log.yml
@@ -1,9 +1,11 @@
 # platform = multi_platform_rhel
-- name: "Print last log"
+- name: Print last log
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PrintLastLog"
- line="PrintLastLog yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PrintLastLog
+ line: PrintLastLog yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_set_idle_timeout.yml b/shared/templates/static/ansible/sshd_set_idle_timeout.yml
index dac189e44e2..99f023a27b5 100644
--- a/shared/templates/static/ansible/sshd_set_idle_timeout.yml
+++ b/shared/templates/static/ansible/sshd_set_idle_timeout.yml
@@ -3,11 +3,13 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Set SSH Idle Timeout Interval"
+- name: Set SSH Idle Timeout Interval
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^ClientAliveInterval"
- line="ClientAliveInterval (ansible-populate sshd_idle_timeout_value)"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^ClientAliveInterval
+ line: ClientAliveInterval (ansible-populate sshd_idle_timeout_value)
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_set_keepalive.yml b/shared/templates/static/ansible/sshd_set_keepalive.yml
index 0045ea19beb..caee774b682 100644
--- a/shared/templates/static/ansible/sshd_set_keepalive.yml
+++ b/shared/templates/static/ansible/sshd_set_keepalive.yml
@@ -3,11 +3,13 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Set SSH Client Alive Count"
+- name: Set SSH Client Alive Count
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^ClientAliveCountMax"
- line="ClientAliveCountMax 0"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^ClientAliveCountMax
+ line: tClientAliveCountMax 0
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_use_approved_ciphers.yml b/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
index 6ba8eb59b3f..9e2dfed99fb 100644
--- a/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
+++ b/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
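Review bot: `line: tClientAliveCountMax 0` in the sshd_set_keepalive hunk carries a stray leading `t`: the written directive is not a valid sshd keyword, so `validate: sshd -t -f %s` rejects the temporary file and the task fails on every run, and even without validation `regexp: ^ClientAliveCountMax` would never match the line it just wrote, so the setting would be appended again on each run instead of being enforced. It should read `line: ClientAliveCountMax 0`. The preceding sshd_set_idle_timeout hunk, which this one mirrors, has the keyword spelled correctly.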
@@ -3,11 +3,13 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Use Only Approved Ciphers"
+- name: Use Only Approved Ciphers
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Ciphers"
- line="Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^Ciphers
+ line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_use_approved_macs.yml b/shared/templates/static/ansible/sshd_use_approved_macs.yml
index 17fa3c38867..4ac5d5f5899 100644
--- a/shared/templates/static/ansible/sshd_use_approved_macs.yml
+++ b/shared/templates/static/ansible/sshd_use_approved_macs.yml
@@ -5,10 +5,12 @@
 # disruption = low
 - name: "Use Only Approved MACs"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^MACs"
- line="MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^MACs
+ line: MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_use_priv_separation.yml b/shared/templates/static/ansible/sshd_use_priv_separation.yml
index 4e69abecbe2..85b1eab33d6 100644
--- a/shared/templates/static/ansible/sshd_use_priv_separation.yml
+++ b/shared/templates/static/ansible/sshd_use_priv_separation.yml
@@ -5,9 +5,11 @@
 # disruption = low
 - name: "Enable use of Privilege Separation"
 lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^UsePrivilegeSeparation"
- line="UsePrivilegeSeparation sandbox"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?useprivilegeseparation
+ line: UsePrivilegeSeparation yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
 tags:
 @ANSIBLE_TAGS@
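Review bot: The `Ciphers` value kept on the new side of the sshd_use_approved_ciphers hunk still lists `3des-cbc` and four CBC-mode ciphers, and the sshd_use_approved_macs hunk keeps `hmac-sha1`; these are the entries current OpenSSH guidance steers away from, and placing them after the CTR and SHA-2 entries does not prevent a client from negotiating them, since the server accepts any listed algorithm. If the profile this template serves (presumably a STIG/FIPS-derived list) still mandates them, a comment above `line:` naming that requirement would settle the question for the next reviewer; otherwise trim to `line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr` and `line: MACs hmac-sha2-512,hmac-sha2-256`.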
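Review bot: The sshd_use_priv_separation hunk changes the enforced value from `UsePrivilegeSeparation sandbox` to `UsePrivilegeSeparation yes`, which is the weaker of the two: `sandbox` additionally confines the pre-authentication child, while `yes` only drops its privileges. If the change was made because `sandbox` is unknown to the older OpenSSH on some supported platform and makes `sshd -t -f %s` fail there, that reason belongs in a comment above `line:`; otherwise keep `line: UsePrivilegeSeparation sandbox`. The header comment lines that declare the supported platforms for this file are outside the hunk.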
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml index 2c7ca4cbc25..699f764a909 100644 --- a/shared/xccdf/system/auditing.xml +++ b/shared/xccdf/system/auditing.xml @@ -136,6 +136,12 @@ GRUB 2 command line for the Linux operating system in Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If they include audit=1, then auditing is enabled at boot time. +

+To ensure audit=1 is configured on all installed kernels, the +following command may be used: +
+
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"
+
Each process on the system carries an "auditable" flag which indicates whether