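---
# AIX account-hardening checks (CIS-style): collect root/UID-0/lock state,
# report it, and optionally disable root remote login.
#
# Collection tasks use `failed_when: false` so a missing or failing AIX
# command does not abort the play; the report tasks therefore inspect `rc`
# before labelling a result "OK", instead of assuming the command succeeded.
# `check_mode: false` lets the read-only collection run in --check so the
# reports still have data; the one changing task (chsec) honours check mode.

- name: Collect root account security attributes
  # Read-only query of the root stanza; output is a single line of
  # `attr=value` pairs that the rlogin task below searches for `rlogin=false`.
  ansible.builtin.command: lssec -f /etc/security/user -s root -a account_locked login rlogin su sugroups
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_root_security

- name: Collect accounts with administrative UID
  # Lists every /etc/passwd entry whose UID field is 0; expected result is
  # exactly ["root"].
  ansible.builtin.shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_uid_zero_accounts

- name: Report administrative account review
  # Three outcomes are distinguished: no data (collection failed or empty),
  # exactly ["root"] (compliant), anything else (a single non-root UID 0
  # account, or several accounts). The original `length == 1` test reported
  # "Only root" for any lone UID 0 account, whatever its name.
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'WARNING: UID 0 account list unavailable (collection failed or returned no entries).'
           if (cis_aix_uid_zero_accounts.stdout_lines | default([]) | length) == 0
           else ('OK: Only root has UID 0.'
                 if (cis_aix_uid_zero_accounts.stdout_lines | default([])) == ['root']
                 else 'WARNING: Unexpected UID 0 accounts detected: '
                      ~ (cis_aix_uid_zero_accounts.stdout_lines | default([]) | join(', '))) }}
      - >-
        {{ 'OK' if (cis_aix_root_security.rc | default(1)) == 0 else 'WARNING' }}:
        Root security attributes: {{ cis_aix_root_security.stdout | default('unavailable') }}

- name: Ensure root remote login is disabled when requested
  # Only runs when the operator opted in and lssec did not already show
  # rlogin=false. `default(false)` keeps the play from erroring when the
  # toggle variable is not defined at all. chsec is idempotent, so an
  # unconditional `changed_when: true` only over-reports when lssec output
  # was unavailable and the attribute was already false.
  ansible.builtin.command: chsec -f /etc/security/user -s root -a rlogin=false
  changed_when: true
  when:
    - cis_disable_root_login | default(false) | bool
    - "'rlogin=false' not in (cis_aix_root_security.stdout | default(''))"

- name: Collect locked or administratively disabled accounts
  # One `user account_locked=<bool>` line per local account; lsuser errors
  # (e.g. NIS/LDAP-only names) are discarded on stderr. `read -r` keeps
  # backslashes in names literal.
  # NOTE(review): `set -o pipefail` is a ksh93 option; if /bin/ksh on the
  # target is ksh88 the line may be rejected and, with failed_when false,
  # the task would silently return rc != 0 and no data -- confirm on the
  # fleet's AIX level, or point `executable` at a ksh93 binary if available.
  ansible.builtin.shell: |
    set -o pipefail
    awk -F: '{print $1}' /etc/passwd | while read -r user; do
      lsuser -a account_locked "$user" 2>/dev/null
    done
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_account_lock_summary

- name: Report account lock summary
  # Label follows the collection's exit status rather than always saying OK.
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: Collected account lock status for local users.'
           if (cis_aix_account_lock_summary.rc | default(1)) == 0
           else 'WARNING: Account lock status collection failed (rc='
                ~ (cis_aix_account_lock_summary.rc | default('n/a')) ~ ').' }}
      - "{{ cis_aix_account_lock_summary.stdout_lines | default([]) }}"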