# cis-aix7-hardening

Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common Unix security practices.

Reference: https://www.cisecurity.org/benchmark/aix

This role is intended for infrastructure and security operations teams that manage AIX estates. It favors readable, conservative controls over broad benchmark coverage.

## Supported OS

- IBM AIX 7.x

## Implemented Areas

- Platform prechecks for AIX 7.x, SRC, SSH, audit tooling, required commands, disk safety, and baseline security state.
- SSH daemon hardening in `/etc/ssh/sshd_config` with validation through `sshd -t`.
- Account and password controls through AIX-native `lssec`, `chsec`, and `pwdadm`.
- Network tunable validation and optional hardening through `no`, with optional `nfso` support.
- SRC-aware service checks and safe inetd legacy service disablement.
- Filesystem review for JFS2, world-writable directories, and invalid owners or groups.
- Syslog and audit validation, with audit enablement disabled by default.
- Cron and at permission hardening under `/var/adm/cron`.
- Sudo defaults with validation through `visudo -cf` when sudo is present.
- Postcheck reporting for SSH, services, network values, and password policy.

## AIX Operational Notes

AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as `lssrc`, `startsrc`, `stopsrc`, and `refresh`.

AIX environments vary heavily from site to site. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before managed rollout.

## Safety Philosophy

- Defaults are conservative.
- Audit enablement is opt-in with `cis_enable_audit`.
- Filesystem mount option management is opt-in with `cis_manage_mount_options`.
- SSH password authentication is not disabled by default.
- Native AIX security files are updated with targeted `chsec` calls instead of wholesale replacement.
- Check mode is supported where practical, though AIX command modules may still need read-only probes for validation.

## Check Mode Examples

```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check
```

```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check --tags precheck,ssh,postcheck
```

## Tag Examples

```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags precheck
```

```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags ssh,password_policy,network
```

```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_audit=true
```

## Important Warning

This is not a full compliance certification implementation and does not implement the entire CIS AIX benchmark. It is a practical baseline example that should be reviewed by infrastructure, security, and application owners before managed enforcement.
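## Postcheck Logic Example

The postcheck reporting described under Implemented Areas (SSH directives, `no` network values, and the `lssec` password policy) reduces to comparing captured command output against expected values. The POSIX `sh` script below is an added illustration of that comparison logic; it is not part of this role and is not derived from it. The sample `sshd_config`, the `lssec` line, and the `no -o` line are constructed inline so the script runs on any host, and the password-policy thresholds (`minlen`, `maxage`, `histsize`) are illustrative assumptions rather than benchmark values. On a real AIX host the inputs would come from `/etc/ssh/sshd_config`, `lssec -f /etc/security/user -s default -a minlen -a maxage -a histsize`, and `no -o <tunable>`; syntax validation of `sshd_config` itself still belongs to `sshd -t`.

```shell
#!/bin/sh
# Added example, not the cis-aix7-hardening role's own code.
# Portable postcheck helpers: evaluate captured AIX command output against
# expected values. All sample inputs below are constructed for illustration.

# Effective value of an sshd_config directive. OpenSSH honours the FIRST
# occurrence of a keyword, so a later duplicate must not override it.
# Keyword comparison is case-insensitive, as in sshd. Prints the value.
sshd_effective() {
  # $1 = directive name, $2 = path to sshd_config
  awk -v key="$1" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$2"
}

# Returns 0 when the directive resolves to the expected value (case-insensitive).
sshd_expect() {
  # $1 = directive, $2 = expected value, $3 = path to sshd_config
  actual=$(sshd_effective "$1" "$3")
  [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# lssec prints "stanza attr=value [attr=value ...]" on one line.
# Extract one attribute's value from such a line.
lssec_attr() {
  # $1 = attribute name, $2 = captured lssec output line
  printf '%s\n' "$2" | tr ' ' '\n' | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Password policy gate (assumed thresholds, not the benchmark's numbers):
# minlen >= 8, maxage (weeks) between 1 and 13, histsize >= 5.
# Missing attributes count as 0 so an absent setting fails the check.
password_policy_ok() {
  # $1 = captured lssec output line for the "default" stanza
  minlen=$(lssec_attr minlen "$1")
  maxage=$(lssec_attr maxage "$1")
  histsize=$(lssec_attr histsize "$1")
  [ "${minlen:-0}" -ge 8 ] && [ "${maxage:-0}" -ge 1 ] && \
    [ "${maxage:-0}" -le 13 ] && [ "${histsize:-0}" -ge 5 ]
}

# `no -o tunable` prints "tunable = value"; compare the value to what is expected.
no_tunable_ok() {
  # $1 = expected value, $2 = captured "no -o" output line
  [ "$(printf '%s\n' "$2" | awk -F' = ' '{ print $2 }')" = "$1" ]
}

# Constructed sample sshd_config written to a temp file; prints its path.
make_sample_sshd_config() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
# constructed sample, not a real host's file
Protocol 2
PermitRootLogin no
# a later duplicate that sshd ignores and the check must ignore too:
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
  printf '%s\n' "$f"
}

# Print a PASS/FAIL line for one check. $1 = label, remaining args = command.
report() {
  label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

# Constructed captures standing in for real command output on an AIX host.
SAMPLE_LSSEC='default minlen=8 maxage=13 histsize=5'
SAMPLE_NO='ipsendredirects = 0'

cfg=$(make_sample_sshd_config)
report "sshd PermitRootLogin=no"        sshd_expect PermitRootLogin no "$cfg"
report "sshd PasswordAuthentication=no" sshd_expect PasswordAuthentication no "$cfg"
report "password policy"                password_policy_ok "$SAMPLE_LSSEC"
report "no ipsendredirects=0"           no_tunable_ok 0 "$SAMPLE_NO"
rm -f "$cfg"
```

The `PasswordAuthentication` line is expected to report FAIL on the constructed sample, which matches this role's default of leaving SSH password authentication enabled; the check documents the state rather than enforcing it. The `sshd_effective` helper does not interpret `Match` blocks; for the fully resolved configuration on a host, `sshd -T` is the authoritative source.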