---
# cron.allow / at.allow are the allow-lists consulted by crontab and at.
# This task only guarantees that both files exist and are owned by root,
# group cron, readable by nobody else (0600); it does not populate them.
# NOTE(review): once an allow file exists the scheduler is in allow-list
# mode, and the AIX crontab documentation states that root itself must be
# listed in cron.allow when the file exists — confirm against the target
# release and seed the files with the intended users rather than relying on
# an empty allow-list.
- name: Ensure cron and at control files exist with safe ownership
  ansible.builtin.file:
    path: "{{ item }}"
    state: touch
    mode: "0600"
    owner: root
    group: cron
    # keep `touch` idempotent: do not bump the timestamps on every run
    access_time: preserve
    modification_time: preserve
  loop:
    - "{{ cis_cron_allow_path }}"
    - "{{ cis_at_allow_path }}"
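# The deny files are optional: when cron.allow / at.allow exist the deny
# lists are normally ignored, but if they are present they must not leak the
# list of blocked accounts, so they get the same root:cron 0600 as the allow
# files. A stat guard decides "present" explicitly; the original task relied
# on `failed_when: false`, which also hid real chown/chmod failures (e.g. a
# read-only filesystem or a missing `cron` group).
- name: Check whether cron and at deny files are present
  ansible.builtin.stat:
    path: "{{ item }}"
  loop:
    - "{{ cis_cron_deny_path }}"
    - "{{ cis_at_deny_path }}"
  register: cis_aix_cron_deny_stat

- name: Ensure deny files are not world readable when present
  ansible.builtin.file:
    path: "{{ item.item }}"
    # state: file never creates the path; creation is intentionally left to
    # the operator
    state: file
    owner: root
    group: cron
    mode: "0600"
  loop: "{{ cis_aix_cron_deny_stat.results | default([]) }}"
  loop_control:
    label: "{{ item.item }}"
  # only regular files are touched; a dangling symlink or directory at the
  # deny path is skipped and should be investigated by hand
  when: item.stat.exists and item.stat.isreg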
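# Only harden cron directories that already exist. The original task used
# `state: directory`, which silently creates any missing path from
# cis_cron_directories (contradicting "when present"), and a blanket
# `failed_when: false`, which hid real chown/chmod failures. The stat guard
# below skips absent paths and lets genuine failures surface.
- name: Check which cron directories are present
  ansible.builtin.stat:
    path: "{{ item }}"
  loop: "{{ cis_cron_directories }}"
  register: cis_aix_cron_dir_stat

- name: Secure cron directories when present
  ansible.builtin.file:
    path: "{{ item.item }}"
    state: directory
    owner: root
    group: cron
    # applies to the directory itself only (no recurse), as before
    mode: "0750"
  loop: "{{ cis_aix_cron_dir_stat.results | default([]) }}"
  loop_control:
    label: "{{ item.item }}"
  # a path that exists but is not a directory is skipped rather than
  # replaced; inspect it manually
  when: item.stat.exists and item.stat.isdir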
# Read-only query of the System Resource Controller for the cron subsystem.
# Only the return code is consumed by the report task: lssrc is expected to
# exit non-zero when the subsystem is not defined to the SRC. A subsystem
# that is defined but inoperative still returns 0, so check the Status
# column in `cis_aix_cron_state.stdout` if "active" is what you need.
- name: Validate cron SRC state
  ansible.builtin.command:
    argv:
      - lssrc
      - "-s"
      - cron
  register: cis_aix_cron_state
  # runs in check mode too (it changes nothing), never reports a change, and
  # never fails the play on its own — rc is evaluated by the report task
  check_mode: false
  changed_when: false
  failed_when: false
# Human-readable summary. The first line is a fixed statement that the
# allow-file task ran; the second depends solely on the rc registered by the
# "Validate cron SRC state" task (0 → subsystem defined).
- name: Report cron and at hardening status
  vars:
    cis_aix_cron_src_msg: >-
      {{ (cis_aix_cron_state.rc == 0) | ternary(
      'OK: cron SRC subsystem exists.',
      'WARNING: cron SRC subsystem was not found.') }}
  ansible.builtin.debug:
    msg:
      - "OK: cron.allow and at.allow ownership and permissions are managed."
      - "{{ cis_aix_cron_src_msg }}"