Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/services.yml

@@ -0,0 +1,51 @@
+---
+- name: Collect SRC subsystem states
+  ansible.builtin.command: "lssrc -s {{ item }}"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  loop: "{{ cis_src_subsystems }}"
+  register: cis_aix_src_service_states
+
+- name: Validate inetd configuration exists
+  ansible.builtin.stat:
+    path: /etc/inetd.conf
+  register: cis_aix_inetd_config
+
+- name: Read inetd configuration
+  ansible.builtin.slurp:
+    src: /etc/inetd.conf
+  register: cis_aix_inetd_conf_content
+  when: cis_aix_inetd_config.stat.exists
+
+- name: Disable insecure inetd services when present
+  ansible.builtin.lineinfile:
+    path: /etc/inetd.conf
+    regexp: '^(?!#)({{ item }})\s+'
+    line: '# \1 disabled by cis-aix7-hardening'
+    backrefs: true
+    backup: true
+  loop: "{{ cis_legacy_inetd_services }}"
+  when: cis_aix_inetd_config.stat.exists
+  notify: refresh inetd
+
+- name: Report inetd configuration status
+  ansible.builtin.debug:
+    msg:
+      - >-
+        {{ 'OK: /etc/inetd.conf exists and legacy entries were reviewed.'
+           if cis_aix_inetd_config.stat.exists else 'WARNING: /etc/inetd.conf was not found; inetd review skipped.' }}
+      - "OK: SRC states collected for {{ cis_src_subsystems | join(', ') }}."
+
+- name: Stop inactive legacy SRC subsystems when present
+  ansible.builtin.command: "stopsrc -s {{ item }}"
+  changed_when: true
+  failed_when: false
+  loop:
+    - routed
+    - gated
+    - named
+  when: >-
+    cis_aix_src_summary.stdout is defined
+    and item in cis_aix_src_summary.stdout
+    and 'active' in cis_aix_src_summary.stdout