diff --git a/cloud/destroy_vm.yml b/cloud/destroy_vm.yml
index fe73c58..94a6a4e 100644
--- a/cloud/destroy_vm.yml
+++ b/cloud/destroy_vm.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: "{{ HOSTS }}"
+- hosts: "{{ _hosts }}"
 gather_facts: no
 tasks:
diff --git a/linux/hardening.yml b/linux/hardening.yml
new file mode 100644
index 0000000..67f1392
--- /dev/null
+++ b/linux/hardening.yml
@@ -0,0 +1,31 @@
+---
+- name: harden linux systems
+ hosts: "{{ HOSTS | default('web') }}"
+ become: true
+ vars:
+ - harden_firewall: false
+ - harden_time: false
+ - harden_ssh: false
+ - harden_pci: false
+
+ tasks:
+ - name: Configure Firewall
+ when: harden_firewall | bool
+ include_role:
+ name: linux-system-roles.firewall
+
+ - name: Configure Timesync
+ when: harden_time | bool
+ include_role:
+ name: redhat.rhel_system_roles.timesync
+
+ - name: SSH Hardening
+ when: harden_ssh | bool
+ include_role:
+ name: dev-sec.ssh-hardening
+
+ # run with --skip-tags accounts_passwords_pam_faillock_deny
+ - name: Apply PCI Baseline
+ when: harden_pci | bool
+ include_role:
+ name: redhatofficial.rhel8_pci_dss
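Review bot: Declaring the four `harden_*` switches under play `vars:` in the new linux/hardening.yml means inventory `group_vars`/`host_vars` cannot turn hardening on for a subset of hosts, because play vars take precedence over inventory vars and only `-e` extra-vars override them; dropping the `vars:` block and writing each guard as `when: harden_ssh | default(false) | bool` (likewise for firewall, time and pci) keeps the same off-by-default behaviour while letting inventory enable it per host or group. The `vars:` block is also written as a list of one-key mappings rather than a plain mapping, which is the conventional form and what linters expect. The `# run with --skip-tags accounts_passwords_pam_faillock_deny` comment is an operator instruction with no rationale: forgetting it presumably changes account-lockout behaviour on the target, while remembering it silently weakens the PCI-DSS baseline, so record why that rule is skipped and what compensates for it, e.g. `# PCI faillock-deny rule is skipped (--skip-tags accounts_passwords_pam_faillock_deny) because <reason>; compensating control: <control>`. Finally, this play still reads `HOSTS` while the same commit renames that extra-var to `_hosts` in cloud/destroy_vm.yml, so an operator who passes `-e _hosts=...` here will silently fall back to the `web` default and harden the wrong hosts.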