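---
# Filesystem review tasks for the AIX CIS role.
#
# Every discovery step is read-only (`changed_when: false`, `check_mode: false`)
# and never aborts the play (`failed_when: false`); outcomes are surfaced in the
# final report task instead. The only step that modifies the host is the chfs
# task, and it runs only when `cis_manage_mount_options` is explicitly true.

- name: Build mounted filesystem list from gathered facts
  ansible.builtin.set_fact:
    # Mount points only (e.g. "/", "/tmp"), used below to skip chfs targets
    # that are not currently mounted.
    cis_aix_mount_points: "{{ ansible_mounts | map(attribute='mount') | list }}"

- name: Validate JFS2 filesystems
  # NOTE(review): the awk program prints the line preceding any line that
  # contains "vfs = jfs2"; confirm this matches the `lsfs -q` output format of
  # the AIX level in use, since the registered result is otherwise silent.
  ansible.builtin.shell: |
    set -o pipefail
    lsfs -q | awk '/vfs[[:space:]]*=[[:space:]]*jfs2/{print prev} {prev=$0}'
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_jfs2_filesystems

- name: Review configured mount option targets
  ansible.builtin.debug:
    msg: >-
      OK: Mount option management is disabled by default.
      Review target {{ item.path }} for options {{ item.options | join(', ') }}
      before managed rollout.
  loop: "{{ cis_mount_option_targets }}"
  when: not cis_manage_mount_options | bool

- name: Apply configured mount options only when explicitly enabled
  ansible.builtin.command:
    # argv keeps each value a single argument even if a path or option string
    # contains whitespace; no shell is involved either way.
    argv:
      - chfs
      - "-a"
      - "options={{ item.options | join(',') }}"
      - "{{ item.path }}"
  # chfs gives no "already set" signal, so every execution is reported as a change.
  changed_when: true
  loop: "{{ cis_mount_option_targets }}"
  when:
    - cis_manage_mount_options | bool
    - item.path in cis_aix_mount_points

- name: Identify world-writable directories on local filesystems
  # -xdev keeps find on local filesystems; head caps the output at 200 entries
  # so the report stays readable (the report task flags a full list as possibly
  # truncated). Sticky-bit directories such as /tmp match this predicate too,
  # so decide at review time which entries are expected.
  # rc is deliberately not evaluated: head may close the pipe early, which
  # under pipefail can make an otherwise successful find exit non-zero.
  ansible.builtin.shell: |
    set -o pipefail
    find / -xdev -type d -perm -0002 -print 2>/dev/null | head -200
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_world_writable_dirs

- name: Identify files without valid owner or group on local filesystems
  # Files whose uid or gid has no matching passwd/group entry; same -xdev and
  # 200-entry cap as the world-writable check, same reason for ignoring rc.
  ansible.builtin.shell: |
    set -o pipefail
    find / -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | head -200
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_unowned_files

- name: Report filesystem review findings
  vars:
    # Empty lists when a discovery task produced no output.
    cis_aix_ww_dirs_found: "{{ cis_aix_world_writable_dirs.stdout_lines | default([]) }}"
    cis_aix_unowned_found: "{{ cis_aix_unowned_files.stdout_lines | default([]) }}"
    # Both find pipelines are capped with `head -200`; a list this long may
    # hide further findings.
    cis_aix_find_cap: 200
  ansible.builtin.debug:
    # A WARNING line is emitted only when there is something to warn about;
    # an empty result reports OK instead of "found: []".
    msg:
      - >-
        {{ 'OK: JFS2 filesystem review completed.'
           if (cis_aix_jfs2_filesystems.rc | default(0)) == 0
           else 'WARNING: JFS2 filesystem review command failed (rc='
                ~ cis_aix_jfs2_filesystems.rc
                ~ '); inspect cis_aix_jfs2_filesystems.stderr.' }}
      - >-
        {{ 'OK: No world-writable directories found.'
           if cis_aix_ww_dirs_found | length == 0
           else 'WARNING: World-writable directories found'
                ~ (' (list truncated at ' ~ cis_aix_find_cap ~ ' entries)'
                   if cis_aix_ww_dirs_found | length >= cis_aix_find_cap else '')
                ~ ': ' ~ cis_aix_ww_dirs_found }}
      - >-
        {{ 'OK: No files without valid owner/group found.'
           if cis_aix_unowned_found | length == 0
           else 'WARNING: Files without valid owner/group found'
                ~ (' (list truncated at ' ~ cis_aix_find_cap ~ ' entries)'
                   if cis_aix_unowned_found | length >= cis_aix_find_cap else '')
                ~ ': ' ~ cis_aix_unowned_found }}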