infra-run/ansible/roles/cis-aix7-hardening/tasks/filesystem.yml

---
- name: Build mounted filesystem list from gathered facts
  ansible.builtin.set_fact:
    cis_aix_mount_points: "{{ ansible_mounts | map(attribute='mount') | list }}"

- name: Validate JFS2 filesystems
  ansible.builtin.shell: |
    set -o pipefail
    lsfs -q | awk '/vfs[[:space:]]*=[[:space:]]*jfs2/{print prev} {prev=$0}'
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_jfs2_filesystems

- name: Review configured mount option targets
  ansible.builtin.debug:
    msg: >-
      OK: Mount option management is disabled by default.
      Review target {{ item.path }} for options {{ item.options | join(', ') }} before managed rollout.
  loop: "{{ cis_mount_option_targets }}"
  when: not cis_manage_mount_options | bool

- name: Apply configured mount options only when explicitly enabled
  ansible.builtin.command: "chfs -a options={{ item.options | join(',') }} {{ item.path }}"
  changed_when: true
  loop: "{{ cis_mount_option_targets }}"
  when:
    - cis_manage_mount_options | bool
    - item.path in cis_aix_mount_points

- name: Identify world-writable directories on local filesystems
  ansible.builtin.shell: |
    set -o pipefail
    find / -xdev -type d -perm -0002 -print 2>/dev/null | head -200
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_world_writable_dirs

- name: Identify files without valid owner or group on local filesystems
  ansible.builtin.shell: |
    set -o pipefail
    find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | head -200
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_unowned_files

- name: Report filesystem review findings
  ansible.builtin.debug:
    msg:
      - "OK: JFS2 filesystem review completed."
      - "WARNING: World-writable directories found: {{ cis_aix_world_writable_dirs.stdout_lines | default([]) }}"
      - "WARNING: Files without valid owner/group found: {{ cis_aix_unowned_files.stdout_lines | default([]) }}"
Add IBM AIX 7 CIS-inspired hardening playbook 2026-05-06 09:21:15 +00:00			`---`
			`- name: Build mounted filesystem list from gathered facts`
			`ansible.builtin.set_fact:`
			`cis_aix_mount_points: "{{ ansible_mounts \| map(attribute='mount') \| list }}"`

			`- name: Validate JFS2 filesystems`
			`ansible.builtin.shell: \|`
			`set -o pipefail`
			`lsfs -q \| awk '/vfs[[:space:]]=[[:space:]]jfs2/{print prev} {prev=$0}'`
			`args:`
			`executable: /bin/ksh`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: cis_aix_jfs2_filesystems`

			`- name: Review configured mount option targets`
			`ansible.builtin.debug:`
			`msg: >-`
			`OK: Mount option management is disabled by default.`
Improve infra-run portfolio credibility 2026-05-08 21:18:22 +00:00			`Review target {{ item.path }} for options {{ item.options \| join(', ') }} before managed rollout.`
Add IBM AIX 7 CIS-inspired hardening playbook 2026-05-06 09:21:15 +00:00			`loop: "{{ cis_mount_option_targets }}"`
			`when: not cis_manage_mount_options \| bool`

			`- name: Apply configured mount options only when explicitly enabled`
			`ansible.builtin.command: "chfs -a options={{ item.options \| join(',') }} {{ item.path }}"`
			`changed_when: true`
			`loop: "{{ cis_mount_option_targets }}"`
			`when:`
			`- cis_manage_mount_options \| bool`
			`- item.path in cis_aix_mount_points`

			`- name: Identify world-writable directories on local filesystems`
			`ansible.builtin.shell: \|`
			`set -o pipefail`
			`find / -xdev -type d -perm -0002 -print 2>/dev/null \| head -200`
			`args:`
			`executable: /bin/ksh`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: cis_aix_world_writable_dirs`

			`- name: Identify files without valid owner or group on local filesystems`
			`ansible.builtin.shell: \|`
			`set -o pipefail`
			`find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null \| head -200`
			`args:`
			`executable: /bin/ksh`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: cis_aix_unowned_files`

			`- name: Report filesystem review findings`
			`ansible.builtin.debug:`
			`msg:`
			`- "OK: JFS2 filesystem review completed."`
			`- "WARNING: World-writable directories found: {{ cis_aix_world_writable_dirs.stdout_lines \| default([]) }}"`
			`- "WARNING: Files without valid owner/group found: {{ cis_aix_unowned_files.stdout_lines \| default([]) }}"`