portfolio/infra-run/ansible/roles/cis-aix7-hardening/README.md (last modified 2026-05-06 09:21:15 +00:00)

cis-aix7-hardening

Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common enterprise Unix security practices.

Reference: https://www.cisecurity.org/benchmark/aix

This role is intended for infrastructure and security operations teams that manage production AIX estates. It favors readable, conservative controls over broad benchmark coverage.

Supported OS

  • IBM AIX 7.x

Implemented Areas

  • Platform prechecks for AIX 7.x, SRC, SSH, audit tooling, required commands, disk safety, and baseline security state.
  • SSH daemon hardening in /etc/ssh/sshd_config with validation through sshd -t.
  • Account and password controls through AIX-native lssec, chsec, and pwdadm.
  • Network tunable validation and optional hardening through the no command, with optional nfso support.
  • SRC-aware service checks and safe disablement of legacy inetd services.
  • Filesystem review for JFS2, world-writable directories, and invalid owners or groups.
  • Syslog and audit validation, with audit enablement disabled by default.
  • Cron and at permission hardening under /var/adm/cron.
  • Sudo defaults with validation through visudo -cf when sudo is present.
  • Postcheck reporting for SSH, services, network values, and password policy.
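
The sshd_config item above works as shown in the following added example play, which is not part of this role and is written here to illustrate the pattern: each directive is edited in place with a backup, the candidate file is parsed by sshd -t before it replaces the live one, and sshd is bounced through SRC only when something changed. It assumes OpenSSH lives at the usual AIX paths (/etc/ssh/sshd_config, /usr/sbin/sshd), that sshd is registered with SRC as the sshd subsystem, and that the inventory group aix_hosts and the variable sshd_settings exist; the directive values are illustrative.

```yaml
# Added example, not the cis-aix7-hardening role's own tasks.
# Assumptions: /etc/ssh/sshd_config and /usr/sbin/sshd exist, sshd is an SRC
# subsystem named "sshd", the group aix_hosts exists, and the directive
# values under sshd_settings are illustrative choices for your estate.
- name: Harden selected sshd_config directives with syntax validation
  hosts: aix_hosts
  gather_facts: false
  vars:
    # Conservative subset. PasswordAuthentication is deliberately left alone,
    # matching the role's default of not disabling it.
    sshd_settings:
      PermitRootLogin: "no"
      X11Forwarding: "no"
      MaxAuthTries: "4"
      LogLevel: "VERBOSE"
  tasks:
    - name: Set each directive, replacing a commented or active existing line
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match "Directive ..." or "# Directive ..." so a commented default
        # is replaced rather than duplicated.
        regexp: '^\s*#?\s*{{ item.key }}\s+'
        line: "{{ item.key }} {{ item.value }}"
        backup: true
        # Ansible writes the candidate file to a temp path, substitutes it for
        # %s, and only installs it if sshd -t exits 0.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      notify: restart sshd via SRC

  handlers:
    - name: restart sshd via SRC
      # AIX has no systemd; the SRC pair stops and restarts the listener.
      ansible.builtin.shell: stopsrc -s sshd; sleep 2; startsrc -s sshd
```

Under --check, lineinfile reports which directives would change without touching the file, and the handler is not notified. If Ansible itself connects as root, confirm that another administrative path exists before PermitRootLogin is tightened.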

AIX Operational Notes

AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as lssrc, startsrc, stopsrc, and refresh.

AIX environments vary heavily between enterprises. Filesystem layout, OpenSSH source, sudo packaging, audit classes, NFS tuning, and security policy ownership should be validated before production rollout.

Safety Philosophy

  • Defaults are conservative.
  • Audit enablement is opt-in with cis_enable_audit.
  • Filesystem mount option management is opt-in with cis_manage_mount_options.
  • SSH password authentication is not disabled by default.
  • Native AIX security files are updated with targeted chsec calls instead of wholesale replacement.
  • Check mode is supported where practical, though AIX command modules may still need read-only probes for validation.
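
The "targeted chsec calls" and "read-only probes for validation" points above combine as in this added example play, which is not part of the role. It reads each current value with lssec in a task that is allowed to run even under --check, then calls chsec only for attributes whose value differs from policy, so a clean host reports no change and a drifted host reports exactly which attributes it would correct. It assumes the inventory group aix_hosts exists and uses illustrative attribute names and values from /etc/security/user (minlen, maxage, minage, histsize, loginretries); choose your own from policy.

```yaml
# Added example, not the cis-aix7-hardening role's own tasks.
# Assumptions: the group aix_hosts exists and the attributes/values in
# pw_policy are illustrative; take the real ones from your password policy.
- name: Enforce selected default-stanza password attributes via targeted chsec
  hosts: aix_hosts
  gather_facts: false
  vars:
    pw_policy:
      minlen: "8"
      maxage: "13"       # weeks
      minage: "1"
      histsize: "5"
      loginretries: "5"
  tasks:
    - name: Read current value of each attribute (read-only probe)
      ansible.builtin.command:
        argv:
          - lssec
          - -f
          - /etc/security/user
          - -s
          - default
          - -a
          - "{{ item.key }}"
      loop: "{{ pw_policy | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      register: lssec_out
      changed_when: false   # reading never counts as a change
      check_mode: false     # still runs under --check; lssec modifies nothing

    - name: Set only the attributes that differ from policy
      ansible.builtin.command:
        argv:
          - chsec
          - -f
          - /etc/security/user
          - -s
          - default
          - -a
          - "{{ item.item.key }}={{ item.item.value }}"
      loop: "{{ lssec_out.results }}"
      loop_control:
        label: "{{ item.item.key }}"
      # lssec prints "default minlen=8"; keep only the text after '=' and
      # compare it with the desired value.
      when: (item.stdout | regex_replace('^.*=', '') | trim) != item.item.value
```

Because only the drifted attributes are passed to chsec, the rest of /etc/security/user is never rewritten. Under --check the second task is skipped (command has nothing to create or remove), but the when clause still shows which attributes would be changed.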

Check Mode Examples

ansible-playbook playbooks/cis-aix7-hardening.yml --check
ansible-playbook playbooks/cis-aix7-hardening.yml --check --tags precheck,ssh,postcheck

Tag Examples

ansible-playbook playbooks/cis-aix7-hardening.yml --tags precheck
ansible-playbook playbooks/cis-aix7-hardening.yml --tags ssh,password_policy,network
ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_audit=true

Important Warning

This is not a full CIS certification implementation and does not implement the entire CIS AIX benchmark. It is a practical CIS-inspired baseline that should be reviewed by infrastructure, security, and application owners before production enforcement.