
---
# Read-only snapshot of every network option as printed by `no -a`.
# The task never reports a change, never fails the play (failed_when: false)
# and still runs under --check. The registered result is not read by any of
# the tasks shown in this file.
- name: Collect current AIX network tunables
  ansible.builtin.command:
    cmd: no -a
  register: cis_aix_no_current
  check_mode: false
  changed_when: false
  failed_when: false
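# Ask `no` for the live value of each tunable named in
# cis_network_no_settings. Read-only: never "changed", also runs in check mode.
# failed_when: false keeps the play going on a non-zero exit; the per-item rc
# is what the later apply/warn tasks branch on.
- name: Query configured AIX network tunables
  ansible.builtin.command:
    # argv keeps the templated key as exactly one argument. In the free-form
    # string, whitespace inside a key would be split into additional
    # arguments to `no`.
    argv:
      - "no"
      - "-o"
      - "{{ item.key }}"
  changed_when: false
  failed_when: false
  check_mode: false
  loop: "{{ cis_network_no_settings | dict2items }}"
  register: cis_aix_no_query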
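# Set each tunable whose query succeeded (rc == 0) and whose reported value
# does not already match the desired one. Runs `no -p -o key=value`, so every
# executed item is a real change (changed_when: true). A non-zero exit here
# fails the play, unlike the query tasks.
- name: Apply configured AIX network tunables
  ansible.builtin.command:
    # argv: key=value is handed over as one argument, so whitespace in the
    # configured key or value cannot turn into extra options for `no`.
    argv:
      - "no"
      - "-p"
      - "-o"
      - "{{ item.item.key }}={{ item.item.value }}"
  changed_when: true
  loop: "{{ cis_aix_no_query.results }}"
  when:
    - item.rc == 0
    # The desired value is matched literally: regex_escape stops characters
    # such as '.' or '*' in a value from being read as regex syntax, which
    # could otherwise report a match and skip a needed change.
    - item.stdout is not search('=\\s*' ~ (item.item.value | string | regex_escape) ~ '\\b')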
# Emit one warning line per tunable whose query exited non-zero.
# NOTE(review): the query runs with failed_when: false, so any failure of
# `no -o` (not only an unknown tunable) ends up here with the same
# "not supported" text, and the setting stays unapplied while the play
# continues. This is a debug message only; nothing fails or is recorded.
- name: Warn about unsupported AIX network tunables
  when: item.rc != 0
  loop: "{{ cis_aix_no_query.results }}"
  ansible.builtin.debug:
    msg: "WARNING: AIX network tunable {{ item.item.key }} is not supported on this host."
# Probe for the nfso binary under ksh: `command -v` first, `whence` as the
# fallback. Output is discarded; only the exit status (rc) is used by later
# tasks. Read-only, never fails the play, and also runs in check mode.
# The command line is static (no templating), so the shell module is given
# no variable input here.
- name: Check nfso availability
  ansible.builtin.shell:
    cmd: "command -v nfso >/dev/null 2>&1 || whence nfso >/dev/null 2>&1"
    executable: /bin/ksh
  register: cis_aix_nfso_available
  check_mode: false
  changed_when: false
  failed_when: false
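# Ask `nfso` for the live value of each tunable named in
# cis_network_nfso_settings, but only when nfso was found and at least one
# setting is configured. Read-only: never "changed", never fails the play,
# also runs in check mode.
# Ansible evaluates `when` once per loop item, so if nfso is missing the
# registered results hold skipped entries that carry no rc/stdout.
- name: Query configured AIX NFS tunables
  ansible.builtin.command:
    # argv keeps the templated key as exactly one argument instead of letting
    # whitespace in it become additional arguments to `nfso`.
    argv:
      - nfso
      - "-o"
      - "{{ item.key }}"
  changed_when: false
  failed_when: false
  check_mode: false
  loop: "{{ cis_network_nfso_settings | dict2items }}"
  register: cis_aix_nfso_query
  when:
    - cis_aix_nfso_available.rc == 0
    - cis_network_nfso_settings | length > 0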
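# Set each NFS tunable whose query succeeded and whose reported value does
# not already match the desired one, via `nfso -p -o key=value`. Every
# executed item is a real change (changed_when: true); a non-zero exit fails
# the play.
- name: Apply configured AIX NFS tunables
  ansible.builtin.command:
    # argv: key=value is handed over as one argument, so whitespace in the
    # configured key or value cannot turn into extra options for `nfso`.
    argv:
      - nfso
      - "-p"
      - "-o"
      - "{{ item.item.key }}={{ item.item.value }}"
  changed_when: true
  loop: "{{ cis_aix_nfso_query.results | default([]) }}"
  when:
    # The query task is skipped per item when nfso is missing; those result
    # entries have no rc or stdout. Check for them first so this task skips
    # cleanly instead of failing on an undefined attribute.
    - item is not skipped
    - (item.rc | default(1)) == 0
    # Desired value is matched literally (regex_escape), so regex
    # metacharacters in a value cannot cause a false "already set" match.
    - (item.stdout | default('')) is not search('=\\s*' ~ (item.item.value | string | regex_escape) ~ '\\b')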
# Print a two-line summary: a fixed line for the `no` tunables and a line
# that depends on whether the nfso probe succeeded.
# NOTE(review): the first line is unconditional. It is printed as "OK" even
# when some `no` tunables were reported unsupported by the warning task, so
# it should not be read as evidence that every configured value was applied.
- name: Report network hardening status
  ansible.builtin.debug:
    msg:
      - "OK: AIX network tunables were validated before changes."
      - >-
        {{ (cis_aix_nfso_available.rc == 0) | ternary(
        'OK: nfso is available for optional NFS network tunables.',
        'WARNING: nfso was not found; NFS tunables were skipped.') }}