portfolio/infra-run/ansible/roles/cis-aix7-hardening/tasks/postcheck.yml

---
- name: Validate sshd configuration after hardening
  ansible.builtin.command: "{{ cis_sshd_test_command }}"
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_post_sshd

- name: Show selected AIX network security values
  ansible.builtin.command: "no -o {{ item.key }}"
  changed_when: false
  failed_when: false
  check_mode: false
  loop: "{{ cis_network_no_settings | dict2items }}"
  register: cis_aix_post_network

- name: Show key SRC service states
  ansible.builtin.command: "lssrc -s {{ item }}"
  changed_when: false
  failed_when: false
  check_mode: false
  loop:
    - sshd
    - syslogd
    - audit
  register: cis_aix_post_services

- name: Show password policy summary
  ansible.builtin.command: lssec -f /etc/security/user -s default -a minlen histsize maxage minage minalpha minother loginretries
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_post_password

- name: Build AIX hardening validation summary
  ansible.builtin.set_fact:
    cis_aix_validation_summary:
      oslevel: "{{ cis_aix_oslevel.stdout | default('unavailable') }}"
      sshd_config_valid: "{{ cis_aix_post_sshd.rc == 0 }}"
      sshd_validation_output: "{{ cis_aix_post_sshd.stderr | default(cis_aix_post_sshd.stdout | default('')) }}"
      network_values: "{{ cis_aix_post_network.results | map(attribute='stdout') | list }}"
      service_states: "{{ cis_aix_post_services.results | map(attribute='stdout') | list }}"
      password_policy: "{{ cis_aix_post_password.stdout | default('unavailable') }}"
      recommendations:
        - "Validate SSH access from a second privileged session before enforcing passwordless-only access."
        - "Review audit classes and events with security operations before setting cis_enable_audit=true."
        - "Keep cis_manage_mount_options=false until filesystem owners approve remount or chfs behavior."

- name: Print AIX operational postcheck recommendations
  ansible.builtin.debug:
    msg:
      - >-
        {{ 'OK: sshd configuration validates.'
           if cis_aix_post_sshd.rc == 0 else 'CRITICAL: sshd validation failed; review SSH config before restarting sessions.' }}
      - "OK: Service states: {{ cis_aix_validation_summary.service_states }}"
      - "OK: Password policy summary: {{ cis_aix_validation_summary.password_policy }}"
      - "WARNING: This role is selected baseline and does not represent a complete compliance certification implementation."
      - "{{ cis_aix_validation_summary.recommendations }}"