Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/cron.yml

@@ -0,0 +1,49 @@
+---
+- name: Ensure cron and at control files exist with safe ownership
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: touch
+    owner: root
+    group: cron
+    mode: "0600"
+    modification_time: preserve
+    access_time: preserve
+  loop:
+    - "{{ cis_cron_allow_path }}"
+    - "{{ cis_at_allow_path }}"
+
+- name: Ensure deny files are not world readable when present
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: cron
+    mode: "0600"
+  loop:
+    - "{{ cis_cron_deny_path }}"
+    - "{{ cis_at_deny_path }}"
+  failed_when: false
+
+- name: Secure cron directories when present
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: cron
+    mode: "0750"
+  loop: "{{ cis_cron_directories }}"
+  failed_when: false
+
+- name: Validate cron SRC state
+  ansible.builtin.command: lssrc -s cron
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_cron_state
+
+- name: Report cron and at hardening status
+  ansible.builtin.debug:
+    msg:
+      - "OK: cron.allow and at.allow ownership and permissions are managed."
+      - >-
+        {{ 'OK: cron SRC subsystem exists.'
+           if cis_aix_cron_state.rc == 0 else 'WARNING: cron SRC subsystem was not found.' }}