portfolio/infra-run/ansible/roles/cis-aix7-hardening/tasks/password_policy.yml

---
- name: Collect current default password policy
  ansible.builtin.command: lssec -f /etc/security/user -s default -a minlen histsize maxage minage minalpha minother maxrepeats loginretries
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_password_policy_current

- name: Collect current default login policy
  ansible.builtin.command: lssec -f /etc/security/login.cfg -s usw -a logindisable logininterval loginreenable
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_login_policy_current

- name: Manage default password security attributes
  ansible.builtin.command: "chsec -f /etc/security/user -s default -a {{ item.key }}={{ item.value }}"
  changed_when: true
  loop:
    - key: minlen
      value: "{{ cis_password_minlen }}"
    - key: histsize
      value: "{{ cis_password_histsize }}"
    - key: maxage
      value: "{{ cis_password_maxage_weeks }}"
    - key: minage
      value: "{{ cis_password_minage_weeks }}"
    - key: minalpha
      value: "{{ cis_password_minalpha }}"
    - key: minother
      value: "{{ cis_password_minother }}"
    - key: maxrepeats
      value: "{{ cis_password_maxrepeats }}"
    - key: loginretries
      value: "{{ cis_login_retries }}"
  when: >-
    (item.key ~ '=' ~ (item.value | string))
    not in (cis_aix_password_policy_current.stdout | default(''))

- name: Manage login lockout interval
  ansible.builtin.command: "chsec -f /etc/security/login.cfg -s usw -a loginreenable={{ cis_login_lockout }}"
  changed_when: true
  when: >-
    ('loginreenable=' ~ (cis_login_lockout | string))
    not in (cis_aix_login_policy_current.stdout | default(''))

- name: Collect updated default password policy
  ansible.builtin.command: lssec -f /etc/security/user -s default -a minlen histsize maxage minage minalpha minother maxrepeats loginretries
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_password_policy_updated

- name: Validate password database state
  ansible.builtin.command: pwdadm -q root
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_pwdadm_root

- name: Report password policy status
  ansible.builtin.debug:
    msg:
      - "OK: Password policy managed through AIX chsec defaults, without replacing security files."
      - "OK: Current default policy: {{ cis_aix_password_policy_updated.stdout | default('unavailable') }}"
      - "OK: pwdadm root status: {{ cis_aix_pwdadm_root.stdout | default('unavailable') }}"