mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add IBM AIX 7 CIS-inspired hardening playbook

Browse Source
This commit is contained in:
Mateusz Suski
2026-05-06 09:21:15 +00:00
parent 2fd9c0b5ef
commit 02a51f72f9
18 changed files with 1009 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra-run/ansible/roles/cis-aix7-hardening/tasks/filesystem.yml
+60
View File
@@ -0,0 +1,60 @@
---
- name: Build mounted filesystem list from gathered facts
ansible.builtin.set_fact:
cis_aix_mount_points: "{{ ansible_mounts | map(attribute='mount') | list }}"
- name: Validate JFS2 filesystems
ansible.builtin.shell: |
set -o pipefail
lsfs -q | awk '/vfs[[:space:]]*=[[:space:]]*jfs2/{print prev} {prev=$0}'
args:
executable: /bin/ksh
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_jfs2_filesystems
- name: Review configured mount option targets
ansible.builtin.debug:
msg: >-
OK: Mount option management is disabled by default.
Review target {{ item.path }} for options {{ item.options | join(', ') }} before production rollout.
loop: "{{ cis_mount_option_targets }}"
when: not cis_manage_mount_options | bool
- name: Apply configured mount options only when explicitly enabled
ansible.builtin.command: "chfs -a options={{ item.options | join(',') }} {{ item.path }}"
changed_when: true
loop: "{{ cis_mount_option_targets }}"
when:
- cis_manage_mount_options | bool
- item.path in cis_aix_mount_points
- name: Identify world-writable directories on local filesystems
ansible.builtin.shell: |
set -o pipefail
find / -xdev -type d -perm -0002 -print 2>/dev/null | head -200
args:
executable: /bin/ksh
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_world_writable_dirs
- name: Identify files without valid owner or group on local filesystems
ansible.builtin.shell: |
set -o pipefail
find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | head -200
args:
executable: /bin/ksh
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_unowned_files
- name: Report filesystem review findings
ansible.builtin.debug:
msg:
- "OK: JFS2 filesystem review completed."
- "WARNING: World-writable directories found: {{ cis_aix_world_writable_dirs.stdout_lines | default([]) }}"
- "WARNING: Files without valid owner/group found: {{ cis_aix_unowned_files.stdout_lines | default([]) }}"