Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/precheck.yml

@@ -0,0 +1,147 @@
+---
+- name: Determine root filesystem free space
+  ansible.builtin.set_fact:
+    cis_aix_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"
+
+- name: Calculate root filesystem free space in MB
+  ansible.builtin.set_fact:
+    cis_aix_root_free_mb: "{{ ((cis_aix_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"
+
+- name: Collect AIX maintenance level
+  ansible.builtin.command: oslevel -s
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_oslevel
+
+- name: Check required AIX commands
+  ansible.builtin.shell: "command -v {{ item | quote }} >/dev/null 2>&1 || whence {{ item | quote }} >/dev/null 2>&1"
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  loop: "{{ cis_required_commands }}"
+  register: cis_aix_required_command_checks
+
+- name: Build missing required command list
+  ansible.builtin.set_fact:
+    cis_aix_missing_required_commands: >-
+      {{
+        cis_aix_required_command_checks.results
+        | selectattr('rc', 'ne', 0)
+        | map(attribute='item')
+        | list
+      }}
+
+- name: Locate sshd binary
+  ansible.builtin.stat:
+    path: "{{ item }}"
+  loop: "{{ cis_ssh_candidate_paths }}"
+  register: cis_aix_sshd_path_checks
+
+- name: Store detected sshd binary
+  ansible.builtin.set_fact:
+    cis_aix_sshd_path: >-
+      {{
+        (
+          cis_aix_sshd_path_checks.results
+          | selectattr('stat.exists')
+          | map(attribute='item')
+          | list
+          | first
+        )
+        | default('')
+      }}
+
+- name: Validate SRC subsystem availability
+  ansible.builtin.command: lssrc -a
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_src_summary
+
+- name: Validate audit subsystem availability
+  ansible.builtin.command: audit query
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_audit_query
+
+- name: Collect LPAR summary when available
+  ansible.builtin.shell: "command -v lparstat >/dev/null 2>&1 && lparstat -i || true"
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_lparstat
+
+- name: Collect current network tunable summary
+  ansible.builtin.command: no -a
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_network_summary
+
+- name: Collect default AIX user security summary
+  ansible.builtin.command: lssec -f /etc/security/user -s default -a ALL
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_security_user_summary
+
+- name: Report AIX precheck status
+  ansible.builtin.debug:
+    msg:
+      - >-
+        OK: Facts gathered for {{ ansible_distribution | default(ansible_system | default('unknown')) }}
+        {{ ansible_distribution_version | default(ansible_kernel | default('unknown')) }}.
+      - "OK: oslevel -s reports {{ cis_aix_oslevel.stdout | default('unavailable') }}."
+      - "OK: Root filesystem free space is {{ cis_aix_root_free_mb }} MB."
+      - >-
+        {{ 'OK: sshd binary detected at ' ~ cis_aix_sshd_path
+           if cis_aix_sshd_path | length > 0 else 'CRITICAL: sshd binary was not found in expected AIX paths.' }}
+      - >-
+        {{ 'OK: SRC subsystem commands are functional.'
+           if cis_aix_src_summary.rc == 0 else 'CRITICAL: lssrc failed; SRC is unavailable or not usable.' }}
+      - >-
+        {{ 'OK: AIX audit subsystem responded to audit query.'
+           if cis_aix_audit_query.rc == 0 else 'WARNING: audit query did not complete; audit may be disabled or unconfigured.' }}
+      - >-
+        {{ 'OK: Required commands are present.'
+           if cis_aix_missing_required_commands | length == 0
+           else 'CRITICAL: Missing required commands: ' ~ (cis_aix_missing_required_commands | join(', ')) }}
+
+- name: Fail when operating system is unsupported
+  ansible.builtin.assert:
+    that:
+      - ansible_system | default(ansible_distribution | default('')) == 'AIX'
+      - ansible_distribution_version | default('') is match('^7\\.')
+    fail_msg: >-
+      CRITICAL: This role supports IBM AIX 7.x only.
+      Detected {{ ansible_distribution | default(ansible_system | default('unknown')) }}
+      {{ ansible_distribution_version | default('unknown') }}.
+    success_msg: "OK: Supported IBM AIX 7.x platform detected."
+
+- name: Fail when root filesystem free space is below safety threshold
+  ansible.builtin.assert:
+    that:
+      - cis_aix_root_free_mb | int >= cis_min_root_free_mb | int
+    fail_msg: >-
+      CRITICAL: Root filesystem has {{ cis_aix_root_free_mb }} MB free.
+      Minimum required free space is {{ cis_min_root_free_mb }} MB.
+    success_msg: "OK: Root filesystem free space meets the safety threshold."
+
+- name: Fail when critical AIX commands are missing
+  ansible.builtin.assert:
+    that:
+      - cis_aix_missing_required_commands | length == 0
+      - cis_aix_src_summary.rc == 0
+      - cis_aix_sshd_path | length > 0
+    fail_msg: >-
+      CRITICAL: Required AIX hardening prerequisites are missing.
+      Missing commands={{ cis_aix_missing_required_commands | join(', ') | default('none', true) }},
+      SRC rc={{ cis_aix_src_summary.rc }},
+      sshd={{ cis_aix_sshd_path | default('not found', true) }}.
+    success_msg: "OK: Critical AIX hardening prerequisites are available."