Add IBM AIX 7 CIS-inspired hardening playbook

2026-05-06 09:21:15 +00:00
parent 2fd9c0b5ef
commit 02a51f72f9
18 changed files with 1009 additions and 0 deletions
@@ -0,0 +1,65 @@
+---
+- name: Collect current AIX network tunables
+  ansible.builtin.command: no -a
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_no_current
+
+- name: Query configured AIX network tunables
+  ansible.builtin.command: "no -o {{ item.key }}"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  loop: "{{ cis_network_no_settings | dict2items }}"
+  register: cis_aix_no_query
+
+- name: Apply configured AIX network tunables
+  ansible.builtin.command: "no -p -o {{ item.item.key }}={{ item.item.value }}"
+  changed_when: true
+  loop: "{{ cis_aix_no_query.results }}"
+  when:
+    - item.rc == 0
+    - item.stdout is not search('=\\s*' ~ (item.item.value | string) ~ '\\b')
+
+- name: Warn about unsupported AIX network tunables
+  ansible.builtin.debug:
+    msg: "WARNING: AIX network tunable {{ item.item.key }} is not supported on this host."
+  loop: "{{ cis_aix_no_query.results }}"
+  when: item.rc != 0
+
+- name: Check nfso availability
+  ansible.builtin.shell: "command -v nfso >/dev/null 2>&1 || whence nfso >/dev/null 2>&1"
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_nfso_available
+
+- name: Query configured AIX NFS tunables
+  ansible.builtin.command: "nfso -o {{ item.key }}"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  loop: "{{ cis_network_nfso_settings | dict2items }}"
+  register: cis_aix_nfso_query
+  when:
+    - cis_aix_nfso_available.rc == 0
+    - cis_network_nfso_settings | length > 0
+
+- name: Apply configured AIX NFS tunables
+  ansible.builtin.command: "nfso -p -o {{ item.item.key }}={{ item.item.value }}"
+  changed_when: true
+  loop: "{{ cis_aix_nfso_query.results | default([]) }}"
+  when:
+    - item.rc == 0
+    - item.stdout is not search('=\\s*' ~ (item.item.value | string) ~ '\\b')
+
+- name: Report network hardening status
+  ansible.builtin.debug:
+    msg:
+      - "OK: AIX network tunables were validated before changes."
+      - >-
+        {{ 'OK: nfso is available for optional NFS network tunables.'
+           if cis_aix_nfso_available.rc == 0 else 'WARNING: nfso was not found; NFS tunables were skipped.' }}