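---
# Sudo hardening tasks: ensure `Defaults use_pty` and `Defaults logfile=...`
# are present in the sudoers file, but only when the file exists and visudo
# is available to syntax-check every edit before it is written.
# Inputs: cis_sudoers_path, cis_sudo_use_pty, cis_sudo_logfile.

- name: Check sudoers file availability
  ansible.builtin.stat:
    path: "{{ cis_sudoers_path }}"
  register: cis_aix_sudoers

# Read-only probe. failed_when/changed_when are forced to false so a missing
# visudo never fails or dirties the play; later tasks only look at `rc`.
# check_mode: false keeps `rc` populated during --check runs as well.
- name: Check visudo availability
  ansible.builtin.shell: "command -v visudo >/dev/null 2>&1 || whence visudo >/dev/null 2>&1"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_visudo_available

# `validate` runs visudo against the candidate file, so a syntactically
# broken sudoers is never moved into place.
# NOTE(review): the regexp does not match a negated `Defaults !use_pty` or a
# scoped `Defaults:user use_pty` entry; such lines are left untouched and the
# managed line is added alongside them.
- name: Manage sudo use_pty default when supported
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_path }}"
    regexp: '^Defaults\s+use_pty\b'
    line: "Defaults use_pty"
    validate: "visudo -cf %s"
  when:
    - cis_sudo_use_pty | bool
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

# NOTE(review): nothing in this file creates the log file or sets its
# ownership and mode; confirm that is handled elsewhere.
- name: Manage sudo logfile default
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_path }}"
    regexp: '^Defaults\s+logfile='
    line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
    validate: "visudo -cf %s"
  when:
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

# Final syntax check of the file as it now sits on disk.
# argv form is used instead of a free-form command string so the templated
# path is always passed to visudo as exactly one argument; whitespace or
# option-like text inside cis_sudoers_path cannot be split into extra
# arguments.
- name: Validate sudoers syntax
  ansible.builtin.command:
    argv:
      - visudo
      - '-cf'
      - "{{ cis_sudoers_path }}"
  changed_when: false
  when:
    - cis_aix_sudoers.stat.exists
    - cis_aix_visudo_available.rc == 0

# Operator-facing summary: makes a skipped run visible instead of silent.
- name: Report sudo hardening status
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: sudoers exists and visudo validation is available.'
        if cis_aix_sudoers.stat.exists and cis_aix_visudo_available.rc == 0
        else 'WARNING: sudo or visudo was not found; sudo controls were skipped.' }}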