---
- name: Collect SRC subsystem states
  ansible.builtin.command: "lssrc -s {{ item }}"
  changed_when: false
  failed_when: false
  check_mode: false
  loop: "{{ cis_src_subsystems }}"
  register: cis_aix_src_service_states

- name: Validate inetd configuration exists
  ansible.builtin.stat:
    path: /etc/inetd.conf
  register: cis_aix_inetd_config

- name: Read inetd configuration
  ansible.builtin.slurp:
    src: /etc/inetd.conf
  register: cis_aix_inetd_conf_content
  when: cis_aix_inetd_config.stat.exists

- name: Disable insecure inetd services when present
  ansible.builtin.lineinfile:
    path: /etc/inetd.conf
    regexp: '^(?!#)({{ item }})\s+'
    line: '# \1 disabled by cis-aix7-hardening'
    backrefs: true
    backup: true
  loop: "{{ cis_legacy_inetd_services }}"
  when: cis_aix_inetd_config.stat.exists
  notify: refresh inetd

- name: Report inetd configuration status
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: /etc/inetd.conf exists and legacy entries were reviewed.'
           if cis_aix_inetd_config.stat.exists else 'WARNING: /etc/inetd.conf was not found; inetd review skipped.' }}
      - "OK: SRC states collected for {{ cis_src_subsystems | join(', ') }}."

- name: Stop inactive legacy SRC subsystems when present
  ansible.builtin.command: "stopsrc -s {{ item }}"
  changed_when: true
  failed_when: false
  loop:
    - routed
    - gated
    - named
  when: >-
    cis_aix_src_summary.stdout is defined
    and item in cis_aix_src_summary.stdout
    and 'active' in cis_aix_src_summary.stdout