portfolio/infra-run/ansible/roles/cis-aix7-hardening/README.md
Commit ca5a876d03 by Mateusz Suski, 2026-05-08 21:18:22 +00:00: Improve infra-run portfolio credibility
# cis-aix7-hardening
Operational IBM AIX 7.x hardening role inspired by CIS Benchmark 1.2.0 and common Unix security practices.
Reference: https://www.cisecurity.org/benchmark/aix
This role is intended for infrastructure and security operations teams that manage AIX estates. It favors readable, conservative controls over broad benchmark coverage.
## Supported OS
- IBM AIX 7.x
## Implemented Areas
- Platform prechecks for AIX 7.x, SRC, SSH, audit tooling, required commands, disk safety, and baseline security state.
- SSH daemon hardening in `/etc/ssh/sshd_config` with validation through `sshd -t`.
- Account and password controls through AIX-native `lssec`, `chsec`, and `pwdadm`.
- Network tunable validation and optional hardening through `no`, with optional `nfso` support.
- SRC-aware service checks and safe inetd legacy service disablement.
- Filesystem review for JFS2, world-writable directories, and invalid owners or groups.
- Syslog and audit validation, with audit enablement disabled by default.
- Cron and at permission hardening under `/var/adm/cron`.
- Sudo defaults with validation through `visudo -cf` when sudo is present.
- Postcheck reporting for SSH, services, network values, and password policy.
## AIX Operational Notes
AIX is not Linux. This role does not assume systemd, sysctl, Linux package managers, or Linux service paths. Service operations use SRC commands such as `lssrc`, `startsrc`, `stopsrc`, and `refresh`.
AIX estates vary heavily from site to site. Filesystem layout, OpenSSH source (IBM-supplied or third-party), sudo packaging, audit classes, NFS tuning, and ownership of the security policy should be validated on a representative host before managed rollout.
## Safety Philosophy
- Defaults are conservative.
- Audit enablement is opt-in with `cis_enable_audit`.
- Filesystem mount option management is opt-in with `cis_manage_mount_options`.
- SSH password authentication is not disabled by default. Leave it enabled until key-based access for administrators has been verified on every host; turning it off blind can lock you out of a machine with no console access.
- Native AIX security files are updated with targeted `chsec` calls instead of wholesale replacement, so local stanzas that the role does not manage are left untouched.
- Check mode is supported where practical. Because AIX controls are applied through command modules rather than state-aware modules, some tasks run read-only probes (for example `lssec`) under `--check` so that validation can report what would change.
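The following tasks fragment is an added example, not code from the cis-aix7-hardening role. It shows the pattern the two bullets above describe: read the current value with `lssec` as a read-only probe that still runs under `--check`, apply `chsec` only for attributes that actually differ, and re-read afterwards so the postcheck can fail on a value that did not take effect. The variable name `cis_password_policy` is a hypothetical name chosen for this example; the attribute names are real `/etc/security/user` attributes, but the values are illustrative, not a recommendation.

```yaml
# Added example (not part of the role): targeted chsec with check-mode-safe probes.
# Assumed variable: cis_password_policy (hypothetical). Values are illustrative.
- name: Define the default-stanza attributes to enforce (illustrative values)
  ansible.builtin.set_fact:
    cis_password_policy:
      minlen: 8          # minimum password length
      maxage: 13         # maximum password age; AIX counts this in weeks
      histsize: 4        # previous passwords remembered
      loginretries: 5    # failed logins before the account is locked
  tags: [password_policy]

- name: Read the current value of each attribute (read-only probe)
  ansible.builtin.command:
    argv:
      - lssec
      - -f
      - /etc/security/user
      - -s
      - default
      - -a
      - "{{ item.key }}"
  loop: "{{ cis_password_policy | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: cis_lssec_current
  changed_when: false
  check_mode: false     # lssec only reads, so it still runs under --check
  tags: [password_policy, postcheck]

- name: Set only the attributes whose current value differs
  ansible.builtin.command:
    argv:
      - chsec
      - -f
      - /etc/security/user
      - -s
      - default
      - -a
      - "{{ item.item.key }}={{ item.item.value }}"
  loop: "{{ cis_lssec_current.results }}"
  loop_control:
    label: "{{ item.item.key }}"
  # lssec prints e.g. "default minlen=8"; compare the text after the '='.
  # An unset attribute prints an empty value and is therefore applied.
  when: (item.stdout | regex_replace('^[^=]*=', '') | trim) != (item.item.value | string)
  tags: [password_policy]

- name: Re-read each attribute and fail if a requested value did not take effect
  ansible.builtin.command:
    argv: [lssec, -f, /etc/security/user, -s, default, -a, "{{ item.key }}"]
  loop: "{{ cis_password_policy | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: cis_lssec_after
  changed_when: false
  check_mode: false
  # Under --check the chsec task above is skipped, so do not fail on a mismatch there.
  failed_when: >-
    not ansible_check_mode and
    (cis_lssec_after.stdout | regex_replace('^[^=]*=', '') | trim) != (item.value | string)
  tags: [password_policy, postcheck]
```

Run it first with `--check --tags password_policy` to see which attributes would be changed; the `chsec` task is the only one that writes, and it reports as skipped in check mode while the probes still execute. This fragment does not touch per-user stanzas or `pwdadm` flags, which need the same read-then-change treatment if you extend it.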
## Check Mode Examples
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --check --tags precheck,ssh,postcheck
```
## Tag Examples
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags precheck
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags ssh,password_policy,network
```
```bash
ansible-playbook playbooks/cis-aix7-hardening.yml --tags audit -e cis_enable_audit=true
```
## Important Warning
This is not a full compliance implementation and does not cover the entire CIS AIX benchmark. It is a practical baseline example that infrastructure, security, and application owners should review (and test in check mode against a representative host) before it is enforced across a managed estate.