Add IBM AIX 7 CIS-inspired hardening playbook
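--- /dev/null
+++ b/FILE_PATH_NOT_ON_PAGE
@@ -0,0 +1,51 @@
+---
+- name: Collect root account security attributes
+ansible.builtin.command: lssec -f /etc/security/user -s root -a account_locked login rlogin su sugroups
+changed_when: false
+failed_when: false
+check_mode: false
+register: cis_aix_root_security
+
+- name: Collect accounts with administrative UID
+ansible.builtin.shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
+args:
+executable: /bin/ksh
+changed_when: false
+failed_when: false
+check_mode: false
+register: cis_aix_uid_zero_accounts
+
+- name: Report administrative account review
+ansible.builtin.debug:
+msg:
+- >-
+{{ 'OK: Only root has UID 0.'
+if cis_aix_uid_zero_accounts.stdout_lines | default([]) | length == 1
+else 'WARNING: Multiple UID 0 accounts detected: ' ~ (cis_aix_uid_zero_accounts.stdout_lines | default([]) | join(', ')) }}
+- "OK: Root security attributes: {{ cis_aix_root_security.stdout | default('unavailable') }}"
+
+- name: Ensure root remote login is disabled when requested
+ansible.builtin.command: chsec -f /etc/security/user -s root -a rlogin=false
+changed_when: true
+when:
+- cis_disable_root_login | bool
+- "'rlogin=false' not in (cis_aix_root_security.stdout | default(''))"
+
+- name: Collect locked or administratively disabled accounts
+ansible.builtin.shell: |
+set -o pipefail
+awk -F: '{print $1}' /etc/passwd | while read user; do
+lsuser -a account_locked "$user" 2>/dev/null
+done
+args:
+executable: /bin/ksh
+changed_when: false
+failed_when: false
+check_mode: false
+register: cis_aix_account_lock_summary
+
+- name: Report account lock summary
+ansible.builtin.debug:
+msg:
+- "OK: Collected account lock status for local users."
+- "{{ cis_aix_account_lock_summary.stdout_lines | default([]) }}"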
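Review bot: The `when` guard on `Ensure root remote login is disabled when requested` treats a failed or empty lssec collection as "rlogin is enabled", because the collection task sets `failed_when: false` and an empty `stdout` trivially satisfies `'rlogin=false' not in ...`, so chsec is run on unverified state. Gate the remediation on a successful collection by adding `- cis_aix_root_security.rc | default(1) == 0` to the `when` list. The same blind spot affects `Report administrative account review`, which prefixes the root attributes with `OK:` unconditionally even when `stdout` is empty after a failure; deriving the prefix from `rc`, e.g. `"{{ 'OK' if cis_aix_root_security.rc | default(1) == 0 else 'WARNING' }}: Root security attributes: {{ cis_aix_root_security.stdout | default('unavailable') }}"`, keeps the report honest. Minor: `while read user` in the account-lock loop should be `while read -r user` so backslashes in names are not interpreted. Indentation is not preserved in this rendering, so the task nesting is inferred from the Ansible structure rather than visible.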