diff --git a/defaults/main.yml b/defaults/main.yml
index 464def5a..6bf32260 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -416,6 +416,7 @@ ubtu20cis_smb_server: false
 ubtu20cis_squid_server: false
 ubtu20cis_snmp_server: false
 ubtu20cis_rsync_server: false
+ubtu20cis_rsync_masked: false
 ubtu20cis_nis_server: false
 ubtu20cis_nfs_client: false
 # rpcbind is required by nfs-common which is required on client and server
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 26301f5c..4d95d155 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -328,14 +328,27 @@
 - rule_2.2.16
 - postfix
-- name: "2.2.17 | PATCH | Ensure rsync service is not installed"
- ansible.builtin.package:
- name: rsync
- state: absent
- when:
- - ubtu20cis_rule_2_2_17
- - not ubtu20cis_rsync_server
- - "'rsync' in ansible_facts.packages"
+- name: "2.2.17 | PATCH | Ensure rsync service is not installed or masked"
+ block:
+ - name: "2.2.17 | PATCH | Ensure rsync service is disabled and masked"
+ ansible.builtin.service:
+ name: rsync.service
+ state: stopped
+ enabled: false
+ masked: true
+ when:
+ - ubtu20cis_rule_2_2_17
+ - ubtu20cis_rsync_masked
+ - "'rsync' in ansible_facts.packages"
+ - name: "2.2.17 | PATCH | Ensure rsync service is not installed"
+ ansible.builtin.package:
+ name: rsync
+ state: absent
+ when:
+ - ubtu20cis_rule_2_2_17
+ - not ubtu20cis_rsync_masked
+ - not ubtu20cis_rsync_server
+ - "'rsync' in ansible_facts.packages"
 tags:
 - level1-server
 - level1-workstation
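Review bot: The new `ubtu20cis_rsync_masked` default in defaults/main.yml has no comment, although it changes what control 2.2.17 does to the host and interacts with `ubtu20cis_rsync_server` on the line above it. A one-line comment above it would make the choice explicit for operators, for example `# Set to true to stop and mask rsync.service instead of removing the rsync package (2.2.17)`. The neighbouring `# rpcbind is required by ...` line shows the file already documents toggles this way.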
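Review bot: In tasks/section_2/cis_2.2.x.yml the new mask task's `when` list omits `not ubtu20cis_rsync_server`, so a host declared as an rsync server has rsync.service stopped and masked as soon as `ubtu20cis_rsync_masked` is true, while the removal task below it still honours that exemption. Adding `- not ubtu20cis_rsync_server` to the first inner task keeps the two branches consistent; the conditions both tasks share (`ubtu20cis_rule_2_2_17` and `'rsync' in ansible_facts.packages`) could also move to a `when` on the block itself. Separately, `masked` is a documented option of `ansible.builtin.systemd`, not of `ansible.builtin.service`, and is accepted here only because the service action passes its arguments through to the detected service-manager module, so `ansible.builtin.systemd:` would state the dependency explicitly. The block continues past the end of the hunk (the `tags:` list is cut off), so a block-level `when` may already exist outside the visible lines.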