Add IBM AIX 7 CIS-inspired hardening playbook
@@ -0,0 +1,67 @@
# cis-aix7-hardening
Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common enterprise Unix security practices.
Reference: https://www.cisecurity.org/benchmark/aix
This role is intended for infrastructure and security operations teams that manage production AIX estates. It favors readable, conservative controls over broad benchmark coverage.
## Supported OS
- IBM AIX 7.x
## Implemented Areas
- Platform prechecks for AIX 7.x, SRC, SSH, audit tooling, required commands, disk safety, and baseline security state.
- SSH daemon hardening in `/etc/ssh/sshd_config` with validation through `sshd -t`.
- Account and password controls through AIX-native `lssec`, `chsec`, and `pwdadm`.
- Network tunable validation and optional hardening through `no`, with optional `nfso` support.
- SRC-aware service checks and safe inetd legacy service disablement.
- Filesystem review for JFS2, world-writable directories, and invalid owners or groups.
- Syslog and audit validation, with audit enablement disabled by default.
- Cron and at permission hardening under `/var/adm/cron`.
- Sudo defaults with validation through `visudo -cf` when sudo is present.
- Postcheck reporting for SSH, services, network values, and password policy.
## AIX Operational Notes
AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as `lssrc`, `startsrc`, `stopsrc`, and `refresh`.
AIX environments vary heavily between enterprises. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before production rollout.
## Safety Philosophy
- Defaults are conservative.
- Audit enablement is opt-in with `cis_enable_audit`.
- Filesystem mount option management is opt-in with `cis_manage_mount_options`.
- SSH password authentication is not disabled by default.
- Native AIX security files are updated with targeted `chsec` calls instead of wholesale replacement.
- Check mode is supported where practical, though AIX command modules may still need read-only probes for validation.
## Check Mode Examples
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check --tags precheck,ssh,postcheck
```
## Tag Examples
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags precheck
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags ssh,password_policy,network
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_audit=true
```
## Important Warning
This is not a full CIS certification implementation and does not implement the entire CIS AIX benchmark. It is a practical CIS-inspired baseline that should be reviewed by infrastructure, security, and application owners before production enforcement.
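Review bot: the "Safety Philosophy" list names the opt-in variables for audit (`cis_enable_audit`) and mount options (`cis_manage_mount_options`) but not the variable behind "SSH password authentication is not disabled by default", which is the toggle operators will most need to find; add a short variables section listing every opt-in switch with its default, and list mount option management under "Implemented Areas" since the safety list treats it as a feature. Under "Check Mode Examples", the note that "AIX command modules may still need read-only probes" should say which tags (for example `precheck` and `postcheck`, which run `lssec`, `no`, and `sshd -t` style probes) execute commands even with `--check`, so a reader can tell a genuine `--check` result from a probe that ran anyway.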