diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml
index 5b8df80..49016c1 100644
--- a/roles/hardening/handlers/main.yml
+++ b/roles/hardening/handlers/main.yml
@@ -1,3 +1,4 @@
 ---
 - name: restart sshd
   systemd: name=sshd state=restarted
+  become: true
diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml
index 2b3a4e2..5d5fa37 100644
--- a/roles/hardening/tasks/centos-selinux.yml
+++ b/roles/hardening/tasks/centos-selinux.yml
@@ -1,13 +1,15 @@
 ---
 
 - name: Install required dependency libsemanage-python
+  become: true
   yum:
     name: libsemanage-python
-    state: latest
+    state: present
   when: (ansible_distribution_major_version is version('7', '='))
 
 - name: Install required dependency python3-policycoreutils
+  become: true
   dnf:
     name: python3-policycoreutils
-    state: latest
+    state: present
   when: (ansible_distribution_major_version is version('8', '>='))
diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml
index 6a91c6e..428ab79 100644
--- a/roles/hardening/tasks/fedora-selinux.yml
+++ b/roles/hardening/tasks/fedora-selinux.yml
@@ -1,13 +1,15 @@
 ---
 
 - name: Install required dependency python3-libsemanage
+  become: true
   dnf:
     name: python3-libsemanage
-    state: latest
+    state: present
   when: (ansible_distribution_major_version is version('31', '>='))
 
 - name: Install required dependency libsemanage-python
+  become: true
   dnf:
     name: libsemanage-python
-    state: latest
+    state: present
   when: (ansible_distribution_major_version is version('30', '<='))
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index ef53844..60ccc96 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -2,48 +2,82 @@
 
 - name: include SELinux package tasks for EL (CentOS/RHEL)
   include_tasks: centos-selinux.yml
+  tags: selinux
   when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
 
 - name: include SELinux package tasks for Fedora (non-atomic)
   include_tasks: fedora-selinux.yml
+  tags: selinux
   when: (ansible_distribution in ["Fedora"] and not is_atomic)
 
 # likely to break on non-RHEL/derivatives, could use improvement.
+- name: ensure firewalld is installed
+  become: true
+  package:
+    name: firewalld
+    state: present
+
 - name: enable firewalld
+  become: true
   service:
     name: firewalld
     state: started
-    enabled: yes
+    enabled: true
 
-- name: SSH - disable password auth
-  lineinfile:
-    dest: /etc/ssh/sshd_config 
-    regexp: "^PasswordAuthentication" 
-    line: "PasswordAuthentication no"
-    state: present
-  notify: restart sshd
+- name: harden sshd
+  tags: harden_sshd
+  become: true
+  block:
+    - name: "SSH: disable password auth"
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^PasswordAuthentication"
+        line: "PasswordAuthentication no"
+        validate: '/usr/sbin/sshd -t -f %s'
+      notify: restart sshd
+    - name: "SSH: config custom port"
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^Port '
+        line: "Port {{ hardened_ssh_port }}"
+        insertbefore: "(^|#)AddressFamily.*"
+        validate: '/usr/sbin/sshd -t -f %s'
+      when: (hardened_ssh_port is defined)
+      notify: restart sshd
+    - name: "only allow root logins with keys"
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin '
+        line: 'PermitRootLogin prohibit-password'
+        validate: '/usr/sbin/sshd -t -f %s'
+      notify: restart sshd
+    - name: "disallow keyboard interactive auth to address some PAM edge cases"
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^KbdInteractiveAuthentication '
+        line: 'KbdInteractiveAuthentication no'
+        validate: '/usr/sbin/sshd -t -f %s'
+      notify: restart sshd
 
-- name: SSH - config port 1181
-  lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '^Port '
-    line: 'Port 1181'
-    insertbefore: "(^|#)AddressFamily.*"
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: restart sshd
-
-- name: allow custom SSH port in selinux
+- name: "permit custom SSH port ({{ hardened_ssh_port }})"
+  become: true
   seport:
-    ports: 1181
+    ports: "{{ hardened_ssh_port }}"
     proto: tcp
     setype: ssh_port_t
     state: present
-  when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
+  when:
+    - hardened_ssh_port is defined
+    - ansible_selinux is defined
+    - ansible_selinux.status == 'enabled'
+  tags: selinux
 
 # also likely to break on non-RHEL/derivatives, could use improvement too.
-- name: allow custom SSH port in firewalld
+- name: "firewalld: grant access to custom SSH port"
+  become: true
   firewalld:
-    port: 1181/tcp
-    permanent: yes
-    immediate: yes
+    port: "{{ hardened_ssh_port }}/tcp"
+    permanent: true
+    immediate: true
     state: enabled
+  when: (hardened_ssh_port is defined)