Add IBM AIX 7 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-aix7-hardening/tasks/users.yml

@@ -0,0 +1,51 @@
+---
+- name: Collect root account security attributes
+  ansible.builtin.command: lssec -f /etc/security/user -s root -a account_locked login rlogin su sugroups
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_root_security
+
+- name: Collect accounts with administrative UID
+  ansible.builtin.shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_uid_zero_accounts
+
+- name: Report administrative account review
+  ansible.builtin.debug:
+    msg:
+      - >-
+        {{ 'OK: Only root has UID 0.'
+           if cis_aix_uid_zero_accounts.stdout_lines | default([]) | length == 1
+           else 'WARNING: Multiple UID 0 accounts detected: ' ~ (cis_aix_uid_zero_accounts.stdout_lines | default([]) | join(', ')) }}
+      - "OK: Root security attributes: {{ cis_aix_root_security.stdout | default('unavailable') }}"
+
+- name: Ensure root remote login is disabled when requested
+  ansible.builtin.command: chsec -f /etc/security/user -s root -a rlogin=false
+  changed_when: true
+  when:
+    - cis_disable_root_login | bool
+    - "'rlogin=false' not in (cis_aix_root_security.stdout | default(''))"
+
+- name: Collect locked or administratively disabled accounts
+  ansible.builtin.shell: |
+    set -o pipefail
+    awk -F: '{print $1}' /etc/passwd | while read user; do
+      lsuser -a account_locked "$user" 2>/dev/null
+    done
+  args:
+    executable: /bin/ksh
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: cis_aix_account_lock_summary
+
+- name: Report account lock summary
+  ansible.builtin.debug:
+    msg:
+      - "OK: Collected account lock status for local users."
+      - "{{ cis_aix_account_lock_summary.stdout_lines | default([]) }}"