
---
# Post-hardening sshd probe. The entire command line comes from the
# cis_sshd_test_command variable (defined outside this file); the command
# module runs it without a shell, so no shell expansion happens here.
# The task is deliberately never marked failed or changed: its rc is only
# consumed by the summary and debug tasks later in this file, and
# check_mode: false lets the probe run under --check as well.
- name: Validate sshd configuration after hardening
  ansible.builtin.command:
    cmd: "{{ cis_sshd_test_command }}"
  register: cis_aix_post_sshd
  check_mode: false
  changed_when: false
  failed_when: false
# Read back the AIX network tunables listed in cis_network_no_settings,
# one `no -o <name>` call per dictionary key. Only the keys are used; the
# values are not compared here, the raw stdout of each call is collected
# by the summary task. Each key is interpolated into the command's argument
# list (no shell), so the dictionary should come from trusted role or
# inventory variables. Never fails or reports a change.
- name: Show selected AIX network security values
  ansible.builtin.command:
    cmd: "no -o {{ item.key }}"
  loop: "{{ cis_network_no_settings | dict2items }}"
  register: cis_aix_post_network
  check_mode: false
  changed_when: false
  failed_when: false
# Query SRC for the daemons this role touches. lssrc output is collected
# verbatim for the summary task; nothing asserts that a service is active.
- name: Show key SRC service states
  ansible.builtin.command:
    cmd: "lssrc -s {{ item }}"
  loop:
    - sshd
    - syslogd
    - audit
  register: cis_aix_post_services
  check_mode: false
  changed_when: false
  failed_when: false
# Dump the selected attributes of the `default` stanza in
# /etc/security/user. The output is informational (policy thresholds, no
# credentials) and feeds the summary task. The folded scalar renders to the
# same single command line.
- name: Show password policy summary
  ansible.builtin.command:
    cmd: >-
      lssec -f /etc/security/user -s default
      -a minlen histsize maxage minage minalpha minother loginretries
  register: cis_aix_post_password
  check_mode: false
  changed_when: false
  failed_when: false
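# Aggregate the probe results into a single fact for reporting. Every
# field is raw command output or a flag derived from it; nothing here
# enforces a setting.
- name: Build AIX hardening validation summary
  ansible.builtin.set_fact:
    cis_aix_validation_summary:
      # cis_aix_oslevel is registered outside this file; 'unavailable' if
      # that probe did not run.
      oslevel: "{{ cis_aix_oslevel.stdout | default('unavailable') }}"
      sshd_config_valid: "{{ cis_aix_post_sshd.rc == 0 }}"
      # Prefer stderr (where an `sshd -t`-style check presumably reports
      # problems) and fall back to stdout. The second argument to default()
      # enables boolean mode so an EMPTY stderr also falls back; without it
      # default() only fires for an undefined variable, and the command
      # module always sets stderr, so the stdout fallback was unreachable.
      sshd_validation_output: "{{ cis_aix_post_sshd.stderr | default(cis_aix_post_sshd.stdout | default(''), true) }}"
      network_values: "{{ cis_aix_post_network.results | map(attribute='stdout') | list }}"
      service_states: "{{ cis_aix_post_services.results | map(attribute='stdout') | list }}"
      password_policy: "{{ cis_aix_post_password.stdout | default('unavailable') }}"
      # Static operator guidance; not derived from the probe results above.
      recommendations:
        - "Validate SSH access from a second privileged session before enforcing passwordless-only access."
        - "Review audit classes and events with security operations before setting cis_enable_audit=true."
        - "Keep cis_manage_mount_options=false until filesystem owners approve remount or chfs behavior."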
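# Operator-facing report. Only the first line is evaluated (from the sshd
# probe's rc); the "OK:" prefixes on the service-state and password-policy
# lines are fixed text printed regardless of what lssrc/lssec returned, so
# a reader must inspect the values, not the label. The WARNING line is a
# standing scope caveat, not a finding. A stray non-YAML line that sat
# between the password-policy and WARNING entries has been removed.
- name: Print AIX operational postcheck recommendations
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: sshd configuration validates.'
        if cis_aix_post_sshd.rc == 0 else 'CRITICAL: sshd validation failed; review SSH config before restarting sessions.' }}
      - "OK: Service states: {{ cis_aix_validation_summary.service_states }}"
      - "OK: Password policy summary: {{ cis_aix_validation_summary.password_policy }}"
      - "WARNING: This role is selected baseline and does not represent a complete compliance certification implementation."
      - "{{ cis_aix_validation_summary.recommendations }}"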