Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/sudo.yml

@@ -0,0 +1,50 @@
+---
+- name: Check sudoers file availability
+  ansible.builtin.stat:
+    path: "{{ cis_sudoers_path }}"
+  register: cis_aix_sudoers
+
+- name: Check visudo availability
+  ansible.builtin.shell: "command -v visudo >/dev/null 2>&1 || whence visudo >/dev/null 2>&1"
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_visudo_available
+
+- name: Manage sudo use_pty default when supported
+  ansible.builtin.lineinfile:
+    path: "{{ cis_sudoers_path }}"
+    regexp: '^Defaults\s+use_pty\b'
+    line: "Defaults use_pty"
+    validate: "visudo -cf %s"
+  when:
+    - cis_sudo_use_pty | bool
+    - cis_aix_sudoers.stat.exists
+    - cis_aix_visudo_available.rc == 0
+
+- name: Manage sudo logfile default
+  ansible.builtin.lineinfile:
+    path: "{{ cis_sudoers_path }}"
+    regexp: '^Defaults\s+logfile='
+    line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
+    validate: "visudo -cf %s"
+  when:
+    - cis_aix_sudoers.stat.exists
+    - cis_aix_visudo_available.rc == 0
+
+- name: Validate sudoers syntax
+  ansible.builtin.command: "visudo -cf {{ cis_sudoers_path }}"
+  changed_when: false
+  when:
+    - cis_aix_sudoers.stat.exists
+    - cis_aix_visudo_available.rc == 0
+
+- name: Report sudo hardening status
+  ansible.builtin.debug:
+    msg:
+      - >-
+        {{ 'OK: sudoers exists and visudo validation is available.'
+           if cis_aix_sudoers.stat.exists and cis_aix_visudo_available.rc == 0
+           else 'WARNING: sudo or visudo was not found; sudo controls were skipped.' }}