mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d3905b8a1c2884aec0723ee3de1916d24fe586a
portfolio/infra-run/ansible/roles/cis-aix7-hardening/tasks/precheck.yml
T

148 lines
5.3 KiB
YAML
Raw Normal View History

Add IBM AIX 7 CIS-inspired hardening playbook
2026-05-06 09:21:15 +00:00
---
- name: Determine root filesystem free space
ansible.builtin.set_fact:
cis_aix_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"
- name: Calculate root filesystem free space in MB
ansible.builtin.set_fact:
cis_aix_root_free_mb: "{{ ((cis_aix_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"
- name: Collect AIX maintenance level
ansible.builtin.command: oslevel -s
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_oslevel
- name: Check required AIX commands
ansible.builtin.shell: "command -v {{ item | quote }} >/dev/null 2>&1 || whence {{ item | quote }} >/dev/null 2>&1"
args:
executable: /bin/ksh
changed_when: false
failed_when: false
check_mode: false
loop: "{{ cis_required_commands }}"
register: cis_aix_required_command_checks
- name: Build missing required command list
ansible.builtin.set_fact:
cis_aix_missing_required_commands: >-
{{
cis_aix_required_command_checks.results
| selectattr('rc', 'ne', 0)
| map(attribute='item')
| list
}}
- name: Locate sshd binary
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ cis_ssh_candidate_paths }}"
register: cis_aix_sshd_path_checks
- name: Store detected sshd binary
ansible.builtin.set_fact:
cis_aix_sshd_path: >-
{{
(
cis_aix_sshd_path_checks.results
| selectattr('stat.exists')
| map(attribute='item')
| list
| first
)
| default('')
}}
- name: Validate SRC subsystem availability
ansible.builtin.command: lssrc -a
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_src_summary
- name: Validate audit subsystem availability
ansible.builtin.command: audit query
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_audit_query
- name: Collect LPAR summary when available
ansible.builtin.shell: "command -v lparstat >/dev/null 2>&1 && lparstat -i || true"
args:
executable: /bin/ksh
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_lparstat
- name: Collect current network tunable summary
ansible.builtin.command: no -a
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_network_summary
- name: Collect default AIX user security summary
ansible.builtin.command: lssec -f /etc/security/user -s default -a ALL
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_security_user_summary
- name: Report AIX precheck status
ansible.builtin.debug:
msg:
- >-
OK: Facts gathered for {{ ansible_distribution | default(ansible_system | default('unknown')) }}
{{ ansible_distribution_version | default(ansible_kernel | default('unknown')) }}.
- "OK: oslevel -s reports {{ cis_aix_oslevel.stdout | default('unavailable') }}."
- "OK: Root filesystem free space is {{ cis_aix_root_free_mb }} MB."
- >-
{{ 'OK: sshd binary detected at ' ~ cis_aix_sshd_path
if cis_aix_sshd_path | length > 0 else 'CRITICAL: sshd binary was not found in expected AIX paths.' }}
- >-
{{ 'OK: SRC subsystem commands are functional.'
if cis_aix_src_summary.rc == 0 else 'CRITICAL: lssrc failed; SRC is unavailable or not usable.' }}
- >-
{{ 'OK: AIX audit subsystem responded to audit query.'
if cis_aix_audit_query.rc == 0 else 'WARNING: audit query did not complete; audit may be disabled or unconfigured.' }}
- >-
{{ 'OK: Required commands are present.'
if cis_aix_missing_required_commands | length == 0
else 'CRITICAL: Missing required commands: ' ~ (cis_aix_missing_required_commands | join(', ')) }}
- name: Fail when operating system is unsupported
ansible.builtin.assert:
that:
- ansible_system | default(ansible_distribution | default('')) == 'AIX'
- ansible_distribution_version | default('') is match('^7\\.')
fail_msg: >-
CRITICAL: This role supports IBM AIX 7.x only.
Detected {{ ansible_distribution | default(ansible_system | default('unknown')) }}
{{ ansible_distribution_version | default('unknown') }}.
success_msg: "OK: Supported IBM AIX 7.x platform detected."
- name: Fail when root filesystem free space is below safety threshold
ansible.builtin.assert:
that:
- cis_aix_root_free_mb | int >= cis_min_root_free_mb | int
fail_msg: >-
CRITICAL: Root filesystem has {{ cis_aix_root_free_mb }} MB free.
Minimum required free space is {{ cis_min_root_free_mb }} MB.
success_msg: "OK: Root filesystem free space meets the safety threshold."
- name: Fail when critical AIX commands are missing
ansible.builtin.assert:
that:
- cis_aix_missing_required_commands | length == 0
- cis_aix_src_summary.rc == 0
- cis_aix_sshd_path | length > 0
fail_msg: >-
CRITICAL: Required AIX hardening prerequisites are missing.
Missing commands={{ cis_aix_missing_required_commands | join(', ') | default('none', true) }},
SRC rc={{ cis_aix_src_summary.rc }},
sshd={{ cis_aix_sshd_path | default('not found', true) }}.
success_msg: "OK: Critical AIX hardening prerequisites are available."
Reference in New Issue Copy Permalink