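---
# AppArmor Configuration (CIS 1.3.x)
#
# Installs AppArmor, enables the service, switches the profiles under
# /etc/apparmor.d to enforce mode, then reports the resulting state.
#
# Variables:
#   apparmor_enforce_all (bool, default true) - set to false to skip the
#     enforce step (CIS 1.3.3) and only install/enable AppArmor.
#
# Package, service and profile-mode changes need root; privilege escalation
# is expected to be configured by the calling play.

- name: Install AppArmor packages (CIS 1.3.1)
  ansible.builtin.apt:
    name:
      - apparmor
      - apparmor-utils
    state: present
    update_cache: true

- name: Enable AppArmor service (CIS 1.3.2)
  ansible.builtin.service:
    name: apparmor
    state: started
    enabled: true

# ansible.builtin.command does not go through a shell, so a bare
# `aa-enforce /etc/apparmor.d/*` hands the literal "*" to aa-enforce and
# never touches a profile. Enumerate the profile files explicitly instead.
# Only regular files at the top level are loadable profiles; the
# subdirectories (abstractions/, tunables/, local/, ...) hold includes.
- name: Find AppArmor profile files (CIS 1.3.3)
  ansible.builtin.find:
    paths: /etc/apparmor.d
    file_type: file
    recurse: false
  register: apparmor_profile_files
  when: apparmor_enforce_all | default(true)

- name: Set all AppArmor profiles to enforce mode (CIS 1.3.3)
  ansible.builtin.command:
    argv:
      - aa-enforce
      - "{{ item.path }}"
  # default([]) covers the case where the find task above was skipped.
  loop: "{{ apparmor_profile_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  register: apparmor_enforce
  # aa-enforce prints "Setting <profile> to enforce mode." only when it
  # actually switched the mode; anything else is a no-op for this host.
  changed_when: "'Setting' in apparmor_enforce.stdout"
  # Non-profile files in the directory (e.g. a README) make aa-enforce exit
  # non-zero; do not abort the run for them. Whether profiles really ended
  # up enforced is surfaced by the status report below.
  failed_when: false
  when: apparmor_enforce_all | default(true)

# Status is collected after the enforce step so the report reflects the
# final state rather than the pre-remediation one.
- name: Check AppArmor status
  ansible.builtin.command:
    argv:
      - aa-status
      - --json
  register: apparmor_status
  changed_when: false
  # Read-only query, so it is safe (and useful) to run in check mode; the
  # parse task below relies on apparmor_status.rc being present.
  check_mode: false
  # A non-zero exit (AppArmor not loaded in the kernel, tool missing) is
  # reported below instead of failing the play.
  failed_when: false

- name: Parse AppArmor status
  ansible.builtin.set_fact:
    apparmor_json: "{{ apparmor_status.stdout | from_json }}"
  when: apparmor_status.rc == 0

# NOTE(review): the top-level "apparmor" key is kept from the original
# task; confirm it exists in the aa-status --json output of the target's
# AppArmor version. "profiles" is reported as a name -> mode mapping, so
# enforce-mode entries are counted via dict2items on the values rather than
# selectattr('mode') on a list of objects — verify against the target.
- name: Display AppArmor status
  ansible.builtin.debug:
    msg:
      - "AppArmor status: {{ apparmor_json.apparmor | default('unknown') }}"
      - "Profiles loaded: {{ apparmor_json.profiles | default({}) | length }}"
      - "Profiles in enforce mode: {{ apparmor_json.profiles | default({}) | dict2items | selectattr('value', 'equalto', 'enforce') | list | length }}"
  when: apparmor_json is defined

- name: Warn when AppArmor status could not be read
  ansible.builtin.debug:
    msg: "aa-status --json failed (rc={{ apparmor_status.rc | default('n/a') }}); AppArmor enforcement state could not be verified on this host."
  when: apparmor_json is not defined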