infra-run/ansible/roles/cis-aix7-hardening/tasks/sudo.yml

---
- name: Check sudoers file availability
  ansible.builtin.stat:
    path: "{{ cis_sudoers_path }}"
  register: cis_aix_sudoers

- name: Check visudo availability
  ansible.builtin.shell: "command -v visudo >/dev/null 2>&1 || whence visudo >/dev/null 2>&1"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_visudo_available

- name: Manage sudo use_pty default when supported
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_path }}"
    regexp: '^Defaults\s+use_pty\b'
    line: "Defaults use_pty"
    validate: "visudo -cf %s"
  when:
    - cis_sudo_use_pty | bool
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

- name: Manage sudo logfile default
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_path }}"
    regexp: '^Defaults\s+logfile='
    line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
    validate: "visudo -cf %s"
  when:
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

- name: Validate sudoers syntax
  ansible.builtin.command: "visudo -cf {{ cis_sudoers_path }}"
  changed_when: false
  when:
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

- name: Report sudo hardening status
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: sudoers exists and visudo validation is available.'
           if cis_aix_sudoers.stat.exists and cis_aix_visudo_available.rc == 0
           else 'WARNING: sudo or visudo was not found; sudo controls were skipped.' }}
Add IBM AIX 7 CIS-inspired hardening playbook 2026-05-06 09:21:15 +00:00			`---`
			`- name: Check sudoers file availability`
			`ansible.builtin.stat:`
			`path: "{{ cis_sudoers_path }}"`
			`register: cis_aix_sudoers`

			`- name: Check visudo availability`
			`ansible.builtin.shell: "command -v visudo >/dev/null 2>&1 \|\| whence visudo >/dev/null 2>&1"`
			`args:`
			`executable: /bin/ksh`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: cis_aix_visudo_available`

			`- name: Manage sudo use_pty default when supported`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_sudoers_path }}"`
			`regexp: '^Defaults\s+use_pty\b'`
			`line: "Defaults use_pty"`
			`validate: "visudo -cf %s"`
			`when:`
			`- cis_sudo_use_pty \| bool`
			`- cis_aix_sudoers.stat.exists`
			`- cis_aix_visudo_available.rc == 0`

			`- name: Manage sudo logfile default`
			`ansible.builtin.lineinfile:`
			`path: "{{ cis_sudoers_path }}"`
			`regexp: '^Defaults\s+logfile='`
			`line: 'Defaults logfile="{{ cis_sudo_logfile }}"'`
			`validate: "visudo -cf %s"`
			`when:`
			`- cis_aix_sudoers.stat.exists`
			`- cis_aix_visudo_available.rc == 0`

			`- name: Validate sudoers syntax`
			`ansible.builtin.command: "visudo -cf {{ cis_sudoers_path }}"`
			`changed_when: false`
			`when:`
			`- cis_aix_sudoers.stat.exists`
			`- cis_aix_visudo_available.rc == 0`

			`- name: Report sudo hardening status`
			`ansible.builtin.debug:`
			`msg:`
			`- >-`
			`{{ 'OK: sudoers exists and visudo validation is available.'`
			`if cis_aix_sudoers.stat.exists and cis_aix_visudo_available.rc == 0`
			`else 'WARNING: sudo or visudo was not found; sudo controls were skipped.' }}`