
---
- name: Build mounted filesystem list from gathered facts
  # Collects the mount points reported by ansible_mounts (so facts must have
  # been gathered). The list later gates the chfs task in this file, so mount
  # options are only applied to paths that are actually mounted right now.
  ansible.builtin.set_fact:
    cis_aix_mount_points: >-
      {{ ansible_mounts | map(attribute='mount') | list }}
- name: Validate JFS2 filesystems
  # Audit only: changed_when/failed_when are both false, so this task never
  # reports a change and never fails the play; check_mode: false lets the
  # read-only command run under --check. stdout/rc are registered for the
  # final report task in this file.
  # NOTE(review): the awk prints the line *preceding* each line that matches
  # `vfs = jfs2`; confirm on the target AIX level that `lsfs -q` emits that
  # text on its attribute line, otherwise stdout is silently empty.
  # NOTE(review): `set -o pipefail` is a ksh93 option; confirm the target's
  # /bin/ksh accepts it, since a rejected `set` here is masked by failed_when.
  ansible.builtin.shell: |
    set -o pipefail
    lsfs -q | awk '/vfs[[:space:]]*=[[:space:]]*jfs2/{print prev} {prev=$0}'
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_jfs2_filesystems
- name: Review configured mount option targets
  # Informational only. Runs while cis_manage_mount_options is false and
  # prints one line per configured target so an operator can review the
  # intended options before management is switched on. Nothing is changed.
  when: not cis_manage_mount_options | bool
  loop: "{{ cis_mount_option_targets }}"
  ansible.builtin.debug:
    msg: >-
      OK: Mount option management is disabled by default.
      Review target {{ item.path }} for options {{ item.options | join(', ') }} before managed rollout.
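- name: Apply configured mount options only when explicitly enabled
  # Remediation. Runs only when cis_manage_mount_options is true AND the
  # target path is in cis_aix_mount_points (built from ansible_mounts earlier
  # in this file; default([]) keeps the gate closed if that fact is missing).
  # argv hands chfs each value as a single argument, so a path or option
  # containing whitespace or shell metacharacters cannot be split into
  # extra arguments the way the old single command string allowed.
  # NOTE(review): chfs -a options=... appears to set the filesystem's whole
  # option string in /etc/filesystems rather than append to it, and the new
  # options are not expected to apply to the live mount until a remount —
  # confirm both before enabling, and make sure item.options lists every
  # option the filesystem needs.
  # changed_when: true is kept: current options are not compared with the
  # desired ones here, so every run reports a change.
  ansible.builtin.command:
    argv:
      - chfs
      - -a
      - "options={{ item.options | join(',') }}"
      - "{{ item.path }}"
  changed_when: true
  loop: "{{ cis_mount_option_targets }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - cis_manage_mount_options | bool
    - item.path in cis_aix_mount_points | default([])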
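- name: Identify world-writable directories on local filesystems
  # Audit only. Every locally mounted JFS/JFS2 filesystem from ansible_mounts
  # is walked with its own -xdev: `find / -xdev` alone descends only the root
  # filesystem, so separately mounted /var, /tmp, /home and friends were
  # never scanned. Output is capped at cis_aix_find_result_limit lines
  # (default 200); awk does the capping because `head` exiting early made
  # find die of SIGPIPE and turned the pipeline status non-zero under
  # pipefail. Sticky-bit directories such as /tmp also match -perm -0002 and
  # are listed. find errors go to /dev/null, so unreadable trees are skipped
  # silently. rc/stdout are registered for the final report task.
  # NOTE(review): `set -o pipefail` is a ksh93 option; confirm the target's
  # /bin/ksh accepts it.
  ansible.builtin.shell: |
    set -o pipefail
    set -- {{ ansible_mounts | selectattr('fstype', 'in', ['jfs', 'jfs2']) | map(attribute='mount') | map('quote') | join(' ') }}
    for fs in "$@"; do
      find "$fs" -xdev -type d -perm -0002 -print 2>/dev/null
    done | awk -v limit='{{ cis_aix_find_result_limit | default(200) }}' 'NR <= limit'
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_world_writable_dirs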
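- name: Identify files without valid owner or group on local filesystems
  # Audit only. Every locally mounted JFS/JFS2 filesystem from ansible_mounts
  # is walked with its own -xdev: `find / -xdev` alone descends only the root
  # filesystem, so separately mounted /var, /tmp, /home and friends were
  # never scanned. Output is capped at cis_aix_find_result_limit lines
  # (default 200); awk does the capping because `head` exiting early made
  # find die of SIGPIPE and turned the pipeline status non-zero under
  # pipefail. find errors go to /dev/null, so unreadable trees are skipped
  # silently. rc/stdout are registered for the final report task.
  # NOTE(review): `set -o pipefail` is a ksh93 option; confirm the target's
  # /bin/ksh accepts it.
  ansible.builtin.shell: |
    set -o pipefail
    set -- {{ ansible_mounts | selectattr('fstype', 'in', ['jfs', 'jfs2']) | map(attribute='mount') | map('quote') | join(' ') }}
    for fs in "$@"; do
      find "$fs" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
    done | awk -v limit='{{ cis_aix_find_result_limit | default(200) }}' 'NR <= limit'
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_unowned_files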
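- name: Report filesystem review findings
  # Audit summary; nothing is changed here. Registered results are read with
  # default() so the report still renders if an earlier task was skipped.
  # The JFS2 line is OK only when the lsfs command actually returned 0 (it
  # used to say OK unconditionally, even though failed_when: false masks a
  # failed or missing lsfs). The find lines say OK when the list is empty —
  # an empty list used to be printed as a WARNING — and flag a possible
  # truncation when the list reached the find output cap
  # (cis_aix_find_result_limit, default 200).
  vars:
    cis_aix_report_cap: "{{ cis_aix_find_result_limit | default(200) }}"
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: JFS2 filesystem review completed.'
           if (cis_aix_jfs2_filesystems.rc | default(1)) == 0
           else 'WARNING: JFS2 filesystem review did not complete (rc='
                ~ (cis_aix_jfs2_filesystems.rc | default('unset')) ~ ').' }}
      - >-
        {{ 'OK: No world-writable directories found.'
           if (cis_aix_world_writable_dirs.stdout_lines | default([]) | length) == 0
           else 'WARNING: World-writable directories found: '
                ~ (cis_aix_world_writable_dirs.stdout_lines | default([]))
                ~ (' (list truncated at ' ~ cis_aix_report_cap ~ ' entries)'
                   if (cis_aix_world_writable_dirs.stdout_lines | default([]) | length) >= (cis_aix_report_cap | int)
                   else '') }}
      - >-
        {{ 'OK: No files without valid owner/group found.'
           if (cis_aix_unowned_files.stdout_lines | default([]) | length) == 0
           else 'WARNING: Files without valid owner/group found: '
                ~ (cis_aix_unowned_files.stdout_lines | default([]))
                ~ (' (list truncated at ' ~ cis_aix_report_cap ~ ' entries)'
                   if (cis_aix_unowned_files.stdout_lines | default([]) | length) >= (cis_aix_report_cap | int)
                   else '') }}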