---
- name: Validate AIX audit configuration file
  ansible.builtin.stat:
    path: "{{ cis_audit_config_path }}"
  register: cis_aix_audit_config

- name: Collect AIX audit query status
  ansible.builtin.command: audit query
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_audit_status

- name: Enable AIX audit subsystem when explicitly configured
  ansible.builtin.command: audit start
  changed_when: true
  when:
    - cis_enable_audit | bool
    - cis_aix_audit_config.stat.exists
    - cis_aix_audit_status.rc != 0 or 'auditing off' in (cis_aix_audit_status.stdout | default('') | lower)
  notify: restart audit

- name: Report audit status
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: AIX audit configuration file exists.'
           if cis_aix_audit_config.stat.exists else 'WARNING: AIX audit configuration file was not found.' }}
      - >-
        {{ 'OK: Audit enablement is explicitly allowed by cis_enable_audit.'
           if cis_enable_audit | bool else 'WARNING: Audit enablement is disabled by default; validation only was performed.' }}
      - "OK: audit query rc={{ cis_aix_audit_status.rc }} output={{ cis_aix_audit_status.stdout | default('') }}"