@@ -1,10 +1,10 @@
# cis-aix7-hardening
Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common enterprise Unix security practices.
Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common Unix security practices.
Reference: https://www.cisecurity.org/benchmark/aix
This role is intended for infrastructure and security operations teams that manage production AIX estates. It favors readable, conservative controls over broad benchmark coverage.
This role is intended for infrastructure and security operations teams that manage AIX estates. It favors readable, conservative controls over broad benchmark coverage.
## Supported OS
@@ -27,7 +27,7 @@ This role is intended for infrastructure and security operations teams that mana
AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as `lssrc`, `startsrc`, `stopsrc`, and `refresh`.
AIX environments vary heavily between enterprises. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before production rollout.
AIX environments vary heavily between environments. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before managed rollout.
## Safety Philosophy
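Review bot: the replacement line "AIX environments vary heavily between environments" is circular, whereas the original "between enterprises" actually said something; suggest restoring "between enterprises" or rewording to "AIX configurations vary heavily between sites". The same line swaps "production rollout" for "managed rollout", a term the visible README never defines; if the goal is to avoid the word "production", "before rollout to managed hosts" is clearer to an operator.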
@@ -64,4 +64,4 @@ ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_aud
## Important Warning
This is not a full CIS certification implementation and does not implement the entire CIS AIX benchmark. It is a practical CIS-inspired baseline that should be reviewed by infrastructure, security, and application owners before production enforcement.
This is not a full compliance certification implementation and does not implement the entire CIS AIX benchmark. It is a practical baseline example that should be reviewed by infrastructure, security, and application owners before managed enforcement.
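Review bot: on the + line, "a practical baseline example" undersells what the README intro in this same commit still calls an "Operational IBM AIX 7.x hardening role", and "managed enforcement" is again undefined; suggest "a practical CIS-inspired baseline that should be reviewed by infrastructure, security, and application owners before it is enforced on managed systems". Keeping "CIS-inspired" also matches the sentence's own reference to "the entire CIS AIX benchmark".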
@@ -18,7 +18,7 @@
ansible.builtin.debug:
msg: >-
OK: Mount option management is disabled by default.
Review target {{ item.path }} for options {{ item.options | join(', ') }} before production rollout.
Review target {{ item.path }} for options {{ item.options | join(', ') }} before managed rollout.
loop: "{{ cis_mount_option_targets }}"
when: not cis_manage_mount_options | bool
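Review bot: the debug message on the + line still tells the operator to review the mount target "before managed rollout", but this task only runs when `cis_manage_mount_options` is false, so the actionable instruction is to review before enabling that variable; suggest "before enabling cis_manage_mount_options". Only the message text changes here, so the `when` guard and the loop over `cis_mount_option_targets` are unaffected.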
@@ -54,5 +54,5 @@
if cis_aix_post_sshd.rc == 0 else 'CRITICAL: sshd validation failed; review SSH config before restarting sessions.' }}
- "OK: Service states: {{ cis_aix_validation_summary.service_states }}"
- "OK: Password policy summary: {{ cis_aix_validation_summary.password_policy }}"
- "WARNING: This role is CIS-inspired and does not represent a complete CIS certification implementation."
- "WARNING: This role is selected baseline and does not represent a complete compliance certification implementation."
- "{{ cis_aix_validation_summary.recommendations }}"
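Review bot: the new WARNING string is missing an article: "This role is selected baseline" should read "This role is a selected baseline" (or "a curated baseline"). Otherwise the substitution of "compliance certification" for "CIS certification" matches the README change in the same commit, and since this string is printed in the validation summary operators will see it on every run, so the grammar is worth fixing before merge.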