mateusz/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add IBM AIX 7 CIS-inspired hardening playbook

Browse Source
This commit is contained in:
Mateusz Suski
2026-05-06 09:21:15 +00:00
parent 2fd9c0b5ef
commit 02a51f72f9
18 changed files with 1009 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infra-run/ansible/roles/cis-aix7-hardening/tasks/postcheck.yml
+58
View File
@@ -0,0 +1,58 @@
---
- name: Validate sshd configuration after hardening
ansible.builtin.command: "{{ cis_sshd_test_command }}"
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_post_sshd
- name: Show selected AIX network security values
ansible.builtin.command: "no -o {{ item.key }}"
changed_when: false
failed_when: false
check_mode: false
loop: "{{ cis_network_no_settings | dict2items }}"
register: cis_aix_post_network
- name: Show key SRC service states
ansible.builtin.command: "lssrc -s {{ item }}"
changed_when: false
failed_when: false
check_mode: false
loop:
- sshd
- syslogd
- audit
register: cis_aix_post_services
- name: Show password policy summary
ansible.builtin.command: lssec -f /etc/security/user -s default -a minlen histsize maxage minage minalpha minother loginretries
changed_when: false
failed_when: false
check_mode: false
register: cis_aix_post_password
- name: Build AIX hardening validation summary
ansible.builtin.set_fact:
cis_aix_validation_summary:
oslevel: "{{ cis_aix_oslevel.stdout | default('unavailable') }}"
sshd_config_valid: "{{ cis_aix_post_sshd.rc == 0 }}"
sshd_validation_output: "{{ cis_aix_post_sshd.stderr | default(cis_aix_post_sshd.stdout | default('')) }}"
network_values: "{{ cis_aix_post_network.results | map(attribute='stdout') | list }}"
service_states: "{{ cis_aix_post_services.results | map(attribute='stdout') | list }}"
password_policy: "{{ cis_aix_post_password.stdout | default('unavailable') }}"
recommendations:
- "Validate SSH access from a second privileged session before enforcing passwordless-only access."
- "Review audit classes and events with security operations before setting cis_enable_audit=true."
- "Keep cis_manage_mount_options=false until filesystem owners approve remount or chfs behavior."
- name: Print AIX operational postcheck recommendations
ansible.builtin.debug:
msg:
- >-
{{ 'OK: sshd configuration validates.'
if cis_aix_post_sshd.rc == 0 else 'CRITICAL: sshd validation failed; review SSH config before restarting sessions.' }}
- "OK: Service states: {{ cis_aix_validation_summary.service_states }}"
- "OK: Password policy summary: {{ cis_aix_validation_summary.password_policy }}"
- "WARNING: This role is CIS-inspired and does not represent a complete CIS certification implementation."
- "{{ cis_aix_validation_summary.recommendations }}"