diff --git a/tasks/configure-fail2ban.yml b/tasks/configure-fail2ban.yml
index 0f50d438c00622a71a168a0625b431e6847c3e1f..7208bc8b17deae587ce3cdd3a263e4857ca46f96 100644
--- a/tasks/configure-fail2ban.yml
+++ b/tasks/configure-fail2ban.yml
@@ -4,7 +4,7 @@
   package:
     name: "fail2ban"
     state: present
-  tags: [fail2ban, apt, yum]
+  tags: [apt, yum]
 
 # neue Konfiguration einspielen
 - name: Konfiguration fuer fail2ban einspielen (1/4)
@@ -77,7 +77,6 @@
       logpath = /var/log/fail2ban.log
       maxretry = 20
       destemail = {{ vault_destemail }}
-  tags: [fail2ban]
   notify: restart fail2ban.service
 
 - name: Konfiguration fuer fail2ban einspielen (2/4)
@@ -98,7 +97,6 @@
       failregex = \]\s+Ban\s+<HOST>
       ignoreregex = \[f2b-loop.*\]\s+Ban\s+<HOST>
       # (Author: Walter Heitman Jr.  https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/)
-  tags: [fail2ban]
   notify: restart fail2ban.service
 
 - name: see if fail2ban.local exists
@@ -111,7 +109,6 @@
     path: "/etc/fail2ban/fail2ban.local"
     state: absent
   when: old_fail2ban_local.stat.exists
-  tags: [fail2ban]
   notify: restart fail2ban.service
 
 - name: Konfiguration fuer fail2ban einspielen (4/4)
@@ -134,7 +131,6 @@
       pidfile = /var/run/fail2ban/fail2ban.pid
       dbfile = /var/lib/fail2ban/fail2ban.sqlite3
       dbpurgeage = 86400
-  tags: [fail2ban]
   notify: restart fail2ban.service
 
 # Ordner für Check_MK-Plugin anlegen
@@ -145,7 +141,6 @@
     owner: "root"
     group: "root"
     mode: "0755"
-  tags: [fail2ban]
 
 # Plugin bereitstellen
 - name: Check_MK-Plugin installieren (fail2ban-Zustand)
@@ -155,7 +150,7 @@
     owner: "root"
     group: "root"
     mode: "0750"
-  tags: [fail2ban, monitoring]
+  tags: [monitoring]
   notify: restart fail2ban.service
 
 ### Documentation
diff --git a/tasks/configure-home-permissions.yml b/tasks/configure-home-permissions.yml
index f8295038b6a06f4abf6cd2441b53807a49e6fbc7..145b039ed2e573788d2ff67c0c5d91e6ced4f1e4 100644
--- a/tasks/configure-home-permissions.yml
+++ b/tasks/configure-home-permissions.yml
@@ -6,7 +6,6 @@
         file_type: directory
         paths: "/home/"
       register: ls_out
-      tags: [users]
     - name: striktere Berechtigungen für Homeverzeichnisse setzen
       file:
         path: "{{ item.path }}/"
@@ -14,5 +13,3 @@
       with_items:
         # - "{{ ls_out.files | difference(['import','zih']) }}"
         - "{{ ls_out.files }}"
-      tags: [users]
-  tags: [users]
diff --git a/tasks/configure-iptables.yml b/tasks/configure-iptables.yml
index b1e1f71cfcc4c4c2471afb414ceb9c4ea3fcd05f..75a32a8126f7cb9ea22d650c20f19bcd88dc853b 100644
--- a/tasks/configure-iptables.yml
+++ b/tasks/configure-iptables.yml
@@ -9,7 +9,6 @@
       state: "stopped"
       enabled: false
   when: ansible_os_family == "RedHat"
-  tags: [iptables]
 
 # - name: clean IPtables rules (1)
 #   iptables:
@@ -21,7 +20,7 @@
 #     - "ipv6"
 #   notify:
 #     - save iptables rules
-#   tags: [iptables, molecule-notest]
+#   tags: [molecule-notest]
 #
 # - name: clean IPtables rules (2)
 #   iptables:
@@ -29,7 +28,7 @@
 #     flush: "true"
 #   notify:
 #     - save iptables rules
-#   tags: [iptables, molecule-notest]
+#   tags: [molecule-notest]
 
 
 - name: Allow related and established IPv4 connections
@@ -41,7 +40,6 @@
     state: present
   notify:
     - save iptables rules
-  tags: [iptables]
 
 # - name: Allow related and established IPv4 connections
 #   iptables:
@@ -52,7 +50,6 @@
 #     action: "insert"
 #   notify:
 #     - save iptables rules
-#   tags: [iptables]
 
 - name: Allow all loop back traffic
   iptables:
@@ -63,7 +60,6 @@
     jump: "ACCEPT"
   notify:
     - save iptables rules
-  tags: [iptables]
 
 # - name: Allow all loop back traffic
 #   iptables:
@@ -74,7 +70,6 @@
 #     jump: "ACCEPT"
 #   notify:
 #     - save iptables rules
-#   tags: [iptables]
 
 # Set default policy for INPUT chain
 - name: iptables-Policy für INPUT-Chain setzen
@@ -87,7 +82,7 @@
     - "ipv6"
   notify:
     - save iptables rules
-  tags: [iptables, molecule-notest]
+  tags: [molecule-notest]
 
 ## Set default policy for OUTPUT chain
 # - name: iptables-Policy für OUTPUT-Chain setzen
@@ -100,7 +95,7 @@
 #     - "ipv6"
 #   notify:
 #     - save iptables rules
-#   tags: [iptables, molecule-notest]
+#   tags: [molecule-notest]
 
 # Configure specific rules - Chain INPUT
 - name: iptables-Regeln (IPv4) setzen - Chain INPUT
@@ -124,7 +119,7 @@
   loop: "{{ vault_iptables_input|flatten(levels=1) }}"
   notify:
     - save iptables rules
-  tags: [iptables, molecule-notest]
+  tags: [molecule-notest]
 # http://shouldiblockicmp.com
 
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
@@ -151,7 +146,7 @@
 #    loop: "{{ vault_iptables_output|flatten(levels=1) }}"
 #    notify:
 #      - save iptables rules
-#    tags: [iptables, molecule-notest]
+#    tags: [molecule-notest]
 
 # THESE NEED TO BE THE LAST RULES IN IPTABLES' RULE LIST!!!
 - name: iptables-Regeln (IPv4) setzen - REJECT
@@ -168,4 +163,4 @@
     - chain: "FORWARD"
   notify:
     - save iptables rules
-  tags: [iptables, molecule-notest]
+  tags: [molecule-notest]
diff --git a/tasks/configure-kernel-parameters.yml b/tasks/configure-kernel-parameters.yml
index 0da50679ea1bbaa510892f5008b859027f944fdc..daf4440a12d6b6a5ee10fd4af7e84f918a94ec74 100644
--- a/tasks/configure-kernel-parameters.yml
+++ b/tasks/configure-kernel-parameters.yml
@@ -116,8 +116,6 @@
           # DEFAULT: kernel.panic = 0
           # kernel.panic = 10
       notify: activate kernel parameter changes
-      tags: [kernel]
-  tags: [kernel]
 
 # show all available Kernel parameters by using:
 # sudo sysctl -a
diff --git a/tasks/configure-pam.yml b/tasks/configure-pam.yml
index f76263d029988db0fe1f69cdca85f66125f2602a..b2ffa7a023095695663534cab9a27c65955ff83c 100644
--- a/tasks/configure-pam.yml
+++ b/tasks/configure-pam.yml
@@ -16,7 +16,6 @@
 
         # Uncomment and edit /etc/security/time.conf if you need to set time restrainst on su usage. (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs as well as /etc/porttime)
         account    requisite  pam_time.so
-  tags: [pam]
 
 - name: configure times for certain system actions
   blockinfile:
@@ -41,7 +40,6 @@
         # Members of the "operator" group are not allowed to login during
         # night times. We don't want them to login when they're not rested.
         login;tty*;operator;!Al2300-0500
-  tags: [pam]
 
 - name: configure login actions
   blockinfile:
@@ -61,4 +59,3 @@
       # Benutzern vor der Anmeldung eine Nachricht anzeigen. Standardmäßig
       # deaktiviert.
       # auth       required   pam_issue.so issue=/etc/issue
-  tags: [pam]
diff --git a/tasks/configure-portable-storage.yml b/tasks/configure-portable-storage.yml
index 76c7bc574e23b7622460431ee93537ec1580f82c..df8abdf18c8b5473962a42004be738a41e8d854d 100644
--- a/tasks/configure-portable-storage.yml
+++ b/tasks/configure-portable-storage.yml
@@ -18,4 +18,3 @@
       line: "blacklist firewire-core"
     - path: "thunderbolt.conf"
       line: "blacklist thunderbolt"
-  tags: [usb]
diff --git a/tasks/configure-root.yml b/tasks/configure-root.yml
index 928a4a5fc679c3a62ba08820c28f90f957fe50c6..09c75f5a7d7747788f425ef3fad90b546de75fd8 100644
--- a/tasks/configure-root.yml
+++ b/tasks/configure-root.yml
@@ -7,4 +7,3 @@
     # local: "yes"
     local: false
     password_lock: "yes"
-  tags: [users]
diff --git a/tasks/configure-ssh-hardening.yml b/tasks/configure-ssh-hardening.yml
index 9814b24bfd9f4d6f09828bfac5393b652d5ad1db..1ce0dc2ebd46607450a6eda125385984dd3ce9da 100644
--- a/tasks/configure-ssh-hardening.yml
+++ b/tasks/configure-ssh-hardening.yml
@@ -49,4 +49,3 @@
       {{ "PasswordAuthentication no" if ansible_os_family == "Debian" else "PasswordAuthentication yes" }}
   notify:
     - restart sshd
-  tags: [ssh]
diff --git a/tasks/configure-umask.yml b/tasks/configure-umask.yml
index b22aa561ca52492f1747258e103ef4a9866d2b43..f5a52331338ecf8d6e97bcbeaa930536857db948 100644
--- a/tasks/configure-umask.yml
+++ b/tasks/configure-umask.yml
@@ -11,7 +11,6 @@
     block: |
       # install more secure umask with no privileges for "others"
       umask 026
-  tags: [umask]
 
 - name: libpam-umask installieren (Debian)
   block:
@@ -19,7 +18,7 @@
       apt:
         name: "libpam-umask"
         state: present
-      tags: [pam, apt, umask]
+      tags: [apt]
 
     - name: Standard-umask mit PAM anpassen
       blockinfile:
@@ -34,9 +33,8 @@
           # Das Paket libpam-umask passt die Standard-Umask eines Benutzers mit
           # Hilfe von PAM an.
           session    optional     pam_umask.so umask=026
-      tags: [pam]
   when: ansible_os_family == "Debian"
-  tags: [pam, apt, umask]
+  tags: [apt]
 
 - name: set default login umask
   lineinfile:
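Review bot: The block-level `tags: [apt]` kept on the libpam-umask block is inherited by the `Standard-umask mit PAM anpassen` task as well, so a run limited to `--tags apt` also edits the PAM session configuration, not only the package install. The install task already carries its own `tags: [apt]` from the previous hunk, so the block-level line adds nothing for it. Dropping the block-level `tags: [apt]` and keeping only `when: ansible_os_family == "Debian"` would confine the tag to the package step. The block opens above this hunk.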
@@ -47,7 +45,6 @@
     - umask:
         Debian: "UMASK		022"
         RedHat: "UMASK           077"
-  tags: [umask]
 
 # umask could also be set in:
 # - /etc/profile.d/umask (Setting umask in profile.d sets it for all users who
diff --git a/tasks/install-auditd.yml b/tasks/install-auditd.yml
index 67b7adcb7241b505ed159955229716a90e3adb38..62ecb17bab5625f7f656d65c2d0ca87f90eb87c0 100644
--- a/tasks/install-auditd.yml
+++ b/tasks/install-auditd.yml
@@ -6,14 +6,14 @@
     name: "auditd"
     state: present
   when: ansible_os_family == "Debian"
-  tags: [auditd, apt]
+  tags: [apt]
 
 - name: install auditd package (RedHat)
   yum:
     name: "audit"
     state: present
   when: ansible_os_family == "RedHat"
-  tags: [auditd, yum]
+  tags: [yum]
 
 - name: configure auditd rules
   copy:
@@ -24,7 +24,6 @@
     group: "root"
   notify:
     - restart auditd.service
-  tags: [auditd]
 
 # show active rules: sudo auditctl -l
 # find related event for passwd file: ausearch -f /etc/passwd
diff --git a/tasks/install-clamav.yml b/tasks/install-clamav.yml
index 5a1a6c53b74b9e41f0bf7d7048d58c719203e53f..7fca265d5807faa01382433d5d5dce3514bbb44d 100644
--- a/tasks/install-clamav.yml
+++ b/tasks/install-clamav.yml
@@ -1,14 +1,14 @@
 ---
 - name: include vars clamav
   include_vars: "clamav.yml"
-  tags: [clamav, apt]
+  tags: [apt]
 
 - name: install clamav packages (Debian)
   apt:
     name: "clamav-daemon"
     state: present
   when: ansible_os_family == "Debian"
-  tags: [clamav, apt]
+  tags: [apt]
 
 - name: install clamav packages (RedHat)
   yum:
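Review bot: `include vars clamav` is now tagged only `apt`, while the RedHat install in the next hunk is tagged `yum`, so a run with `--tags yum` skips loading `clamav.yml`. If any task selected by that tag reads a variable from that file (not visible in these hunks), it would fail on an undefined variable. Tagging the include `tags: [apt, yum]` keeps the variables available on both package paths.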
@@ -18,7 +18,7 @@
     ]
     state: present
   when: ansible_os_family == "RedHat"
-  tags: [clamav, yum]
+  tags: [yum]
 
 # clamav-freshclam.service und clamav-daemon.service laufen nach der Installation sofort los
 - name: configure freshclam
@@ -59,7 +59,6 @@
       DatabaseMirror db.de.clamav.net
       DatabaseMirror database.clamav.net
       OnUpdateExecute "/usr/local/bin/refresh_rkhunter.sh"
-  tags: [clamav]
 
 - name: configure ClamD exclude paths
   blockinfile:
@@ -77,13 +76,11 @@
   notify:
     - restart clamav-daemon service
     - restart clamd service
-  tags: [clamav]
 
 - name: remove old ClamD refresh dir
   file:
     path: "/etc/clamav/onupdateexecute.d/refresh_rkhunter.sh"
     state: absent
-  tags: [clamav]
 
 - name: configure ClamD to refresh rkhunter after DB updates
   blockinfile:
@@ -100,4 +97,3 @@
       if [ -x /usr/bin/rkhunter ]; then
           /usr/bin/rkhunter --propupd --nolog
       fi
-  tags: [clamav]
diff --git a/tasks/install-debsecan.yml b/tasks/install-debsecan.yml
index b480430d6a8b51887ac18795e1df7b60cbce9f4f..8ae3ea1560c4d30d1e52b0201e3d79911c94603a 100644
--- a/tasks/install-debsecan.yml
+++ b/tasks/install-debsecan.yml
@@ -2,13 +2,11 @@
 - block:
     - name: include vars debsecan
       include_vars: debsecan_preseed.yml
-      tags: [debsecan]
 
     - name: install debsecan package
       apt:
         name: "debsecan"
         state: present
-      tags: [debsecan]
 
     - name: reconfigure debsecan package (dpkg-reconfigure)
       debconf:
@@ -17,7 +15,6 @@
         value: "{{ item.value }}"
         vtype: "{{ item.vtype }}"
       loop: "{{ debsecan_dpkg | flatten(levels=1) }}"
-      tags: [debsecan]
 
     - name: reconfigure debsecan package (/etc/default/debsecan)
       template:
@@ -27,6 +24,3 @@
         group: "root"
         mode: "0644"
         force: "yes"
-      tags: [debsecan]
-  when: ansible_distribution == "Debian"
-  tags: [debsecan]
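Review bot: This hunk removes `when: ansible_distribution == "Debian"` from the block together with the tags, so the `apt` and `debconf` tasks inside it are no longer guarded by distribution. On a non-Debian host the `apt` task would fail, and because nothing here ignores the error, the play would stop before the remaining hardening tasks run. Unless the condition now sits on the import in tasks/main.yml (not visible here), keep `when: ansible_distribution == "Debian"` on the block and drop only the `tags:` line. The block opens in the first hunk of this file.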
diff --git a/tasks/install-rkhunter.yml b/tasks/install-rkhunter.yml
index 020f5f232cace74a1bd2402f8f74e1788025a369..410c1c7a2db95b51381b10ce35baa1402cd997f6 100644
--- a/tasks/install-rkhunter.yml
+++ b/tasks/install-rkhunter.yml
@@ -5,7 +5,7 @@
   package:
     name: "rkhunter"
     state: present
-  tags: [rkhunter]
+  tags: [apt]
 
 - name: create /var/log/rkhunter/rkhunter.log if it doesn't exist, so logrotate doesn't fail
   file:
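Review bot: The rkhunter install uses the generic `package:` module but is now tagged only `apt`, so a run with `--tags yum` on a RedHat host skips it. The equivalent `package:` task in tasks/configure-fail2ban.yml is tagged `[apt, yum]` in this same commit; for consistency this line should read `tags: [apt, yum]`. The task's `name:` line is above the hunk.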
@@ -21,7 +21,6 @@
     - path: "/var/log/rkhunter/rkhunter.log"
       mode: "0640"
       state: touch
-  tags: [rkhunter]
 
 - name: configure /etc/default/rkhunter
   lineinfile:
@@ -37,7 +36,6 @@
     - regexp: '^NICE="0"'
       line: 'NICE="-10"'
   when: ansible_distribution == "Debian"
-  tags: [rkhunter]
 
 - name: create rkhunter config directory
   file:
@@ -46,7 +44,6 @@
     owner: "root"
     group: "root"
     mode: 0755
-  tags: [rkhunter]
 
 - name: configure /etc/rkhunter.d/rkhunter.local.conf
   blockinfile:
@@ -105,7 +102,6 @@
       # This option has no default value.
       WEB_CMD=""
     # validate: rkhunter --config-check --configfile %s
-  tags: [rkhunter]
 
 - name: stop & disable RKhunter service unit & timer
   systemd:
@@ -116,7 +112,7 @@
     - "service"
     - "timer"
   when: ansible_distribution == "Debian"
-  tags: [rkhunter, molecule-notest]
+  tags: [molecule-notest]
   ignore_errors: "yes"
 
 - name: remove Rkhunter service unit & timer
@@ -127,7 +123,6 @@
     - "service"
     - "timer"
   when: ansible_distribution == "Debian"
-  tags: [rkhunter]
 
 # Unitfiles neu einlesen (implizit mit enable), Services sofort starten & automatisch bei jedem Booten starten
 # - name: Service automatisch bei jedem Booten starten - rkhunter.service
@@ -135,7 +130,6 @@
 #   loop:
 #     - "/etc/systemd/user/rkhunter.service"
 #     - "/etc/systemd/user/rkhunter.timer"
-#   tags: [rkhunter]
 
 
 # sudo rkhunter --check
diff --git a/tasks/main.yml b/tasks/main.yml
index 44b56698208fab6b4c72ca413ca0d803cd89bf89..2dbcf5020d78e8f6bbb9f80bad31715e835f9e8e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -30,7 +30,7 @@
 
 - name: configure fail2ban
   import_tasks: ./configure-fail2ban.yml
-  tags: [always]
+  tags: [fail2ban, ssh]
 
 - name: configure $HOME permissions
   import_tasks: ./configure-home-permissions.yml
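Review bot: The `ssh` tag on the fail2ban import is not explained, and because `import_tasks` passes its tags to every imported task, `--tags ssh` now runs all of configure-fail2ban.yml, including the package install and the Check_MK plugin. A comment above the task would make the intent explicit, for example `# also selected by --tags ssh: fail2ban is treated as part of SSH protection here` (wording to be confirmed by the author). Replacing `always` also means tag-limited runs no longer re-apply the fail2ban configuration unless one of these two tags is given.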