---
- name: Ensure cron and at control files exist with safe ownership
  ansible.builtin.file:
    path: "{{ item }}"
    state: touch
    owner: root
    group: cron
    mode: "0600"
    modification_time: preserve
    access_time: preserve
  loop:
    - "{{ cis_cron_allow_path }}"
    - "{{ cis_at_allow_path }}"

- name: Ensure deny files are not world readable when present
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: cron
    mode: "0600"
  loop:
    - "{{ cis_cron_deny_path }}"
    - "{{ cis_at_deny_path }}"
  failed_when: false

- name: Secure cron directories when present
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: cron
    mode: "0750"
  loop: "{{ cis_cron_directories }}"
  failed_when: false

- name: Validate cron SRC state
  ansible.builtin.command: lssrc -s cron
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_cron_state

- name: Report cron and at hardening status
  ansible.builtin.debug:
    msg:
      - "OK: cron.allow and at.allow ownership and permissions are managed."
      - >-
        {{ 'OK: cron SRC subsystem exists.'
           if cis_aix_cron_state.rc == 0 else 'WARNING: cron SRC subsystem was not found.' }}