Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/ssh.yml

@@ -0,0 +1,42 @@
+---
+- name: Ensure sshd configuration exists
+  ansible.builtin.stat:
+    path: "{{ cis_ssh_config_path }}"
+  register: cis_aix_sshd_config
+
+- name: Fail when sshd configuration is missing
+  ansible.builtin.assert:
+    that:
+      - cis_aix_sshd_config.stat.exists
+    fail_msg: "CRITICAL: {{ cis_ssh_config_path }} was not found; refusing to manage SSH hardening."
+    success_msg: "OK: {{ cis_ssh_config_path }} exists."
+
+- name: Set sshd validation command from detected binary
+  ansible.builtin.set_fact:
+    cis_sshd_test_command: "{{ cis_aix_sshd_path }} -t"
+  when: cis_aix_sshd_path is defined and cis_aix_sshd_path | length > 0
+
+- name: Apply managed AIX sshd hardening block
+  ansible.builtin.blockinfile:
+    path: "{{ cis_ssh_config_path }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK cis-aix7-hardening"
+    owner: root
+    group: system
+    mode: "0600"
+    backup: true
+    validate: "{{ cis_sshd_test_command }} -f %s"
+    block: |
+      PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}
+      PermitEmptyPasswords no
+      PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}
+      MaxAuthTries {{ cis_ssh_max_auth_tries }}
+      LoginGraceTime {{ cis_ssh_login_grace_time }}
+      ClientAliveInterval {{ cis_ssh_client_alive_interval }}
+      ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}
+  notify:
+    - validate sshd
+    - restart sshd
+
+- name: Validate effective sshd configuration
+  ansible.builtin.command: "{{ cis_sshd_test_command }}"
+  changed_when: false