---
- name: Collect root account security attributes
  # Read-only probe of root's stanza in /etc/security/user. It is allowed to
  # fail (failed_when: false) and still runs in check mode, so consumers of
  # cis_aix_root_security must treat an empty stdout or a non-zero rc as
  # "unknown" rather than as a pass.
  ansible.builtin.command:
    argv:
      - lssec
      - -f
      - /etc/security/user
      - -s
      - root
      - -a
      - account_locked
      - login
      - rlogin
      - su
      - sugroups
  register: cis_aix_root_security
  changed_when: false
  failed_when: false
  check_mode: false
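- name: Collect accounts with administrative UID
  # No shell features (pipes, globs, variables) are used, so run awk directly
  # with ansible.builtin.command instead of spawning /bin/ksh around it.
  # Scope caveat: this only inspects /etc/passwd; UID 0 entries served by other
  # AIX user registries (e.g. LDAP) would not appear in this scan.
  # The probe is allowed to fail (failed_when: false) — an empty stdout_lines
  # therefore means "undetermined", not "no UID 0 accounts".
  ansible.builtin.command:
    argv:
      - awk
      - "-F:"
      - "$3 == 0 {print $1}"
      - /etc/passwd
  register: cis_aix_uid_zero_accounts
  changed_when: false
  failed_when: false
  check_mode: false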
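- name: Report administrative account review
  # Evaluate the collected data instead of just counting it. The pass condition
  # for the UID 0 check is "the set of UID 0 accounts is exactly {root}": a
  # single non-root entry is not a pass, and an empty list means the probe
  # produced nothing (it runs with failed_when: false) and is reported as
  # undetermined rather than passing or being mislabelled as "multiple
  # accounts". The root attribute line is likewise only marked OK when
  # rlogin=false is present, which is the state the remediation task enforces.
  ansible.builtin.debug:
    msg:
      - >-
        {%- set uid_zero = cis_aix_uid_zero_accounts.stdout_lines | default([]) -%}
        {%- if uid_zero | length == 0 -%}
        WARNING: Could not determine UID 0 accounts (no output from the /etc/passwd scan).
        {%- elif uid_zero == ['root'] -%}
        OK: Only root has UID 0.
        {%- else -%}
        WARNING: Unexpected UID 0 accounts detected: {{ uid_zero | join(', ') }}
        {%- endif -%}
      - >-
        {%- set root_attrs = cis_aix_root_security.stdout | default('') -%}
        {%- if cis_aix_root_security.rc | default(1) != 0 or root_attrs | length == 0 -%}
        WARNING: Root security attributes unavailable (lssec failed or returned no output).
        {%- elif 'rlogin=false' in root_attrs -%}
        OK: Root security attributes: {{ root_attrs }}
        {%- else -%}
        WARNING: Root remote login (rlogin) is not disabled: {{ root_attrs }}
        {%- endif -%}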
- name: Ensure root remote login is disabled when requested
  # Write path. Runs only when the operator opted in via cis_disable_root_login
  # and the earlier probe did not already show rlogin=false. If that probe
  # produced no output (its failure is tolerated), the attribute is treated as
  # unknown and the remediation is applied anyway — the fail-safe direction for
  # a hardening control. cis_disable_root_login has no default in this file;
  # an undefined value makes the conditional (and the task) fail.
  ansible.builtin.command:
    argv:
      - chsec
      - -f
      - /etc/security/user
      - -s
      - root
      - -a
      - rlogin=false
  changed_when: true
  when: >-
    (cis_disable_root_login | bool)
    and 'rlogin=false' not in (cis_aix_root_security.stdout | default(''))
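- name: Collect locked or administratively disabled accounts
  # Read-only probe: one lsuser call per /etc/passwd entry. Compared with a
  # naive loop: `read -r` keeps backslashes in names literal, blank passwd
  # lines are skipped instead of being passed to lsuser, and a failing lsuser
  # is no longer silenced — it leaves an explicit UNKNOWN marker in stdout (so
  # a later report cannot mistake a missing row for "not locked") and its
  # stderr is kept in the registered result for inspection. The task still
  # never fails the play (failed_when: false); pipefail is retained so that the
  # recorded rc reflects an awk failure rather than the loop's exit status.
  ansible.builtin.shell: |
    set -o pipefail
    awk -F: '{print $1}' /etc/passwd | while read -r user; do
      [ -n "$user" ] || continue
      lsuser -a account_locked "$user" || echo "$user account_locked=UNKNOWN (lsuser failed)"
    done
  args:
    executable: /bin/ksh
  register: cis_aix_account_lock_summary
  changed_when: false
  failed_when: false
  check_mode: false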
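- name: Report account lock summary
  # Do not print OK unconditionally: the collection task tolerates failure, so
  # an empty result means the status is undetermined. When data is present,
  # summarise how many rows were collected and how many report
  # account_locked=true before dumping the raw rows.
  ansible.builtin.debug:
    msg:
      - >-
        {%- set rows = cis_aix_account_lock_summary.stdout_lines | default([]) -%}
        {%- if rows | length == 0 -%}
        WARNING: No account lock data collected (lsuser produced no output).
        {%- else -%}
        OK: Collected account lock status for {{ rows | length }} local users
        ({{ rows | select('search', 'account_locked=true') | list | length }} locked).
        {%- endif -%}
      - "{{ cis_aix_account_lock_summary.stdout_lines | default([]) }}"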