---
# AppArmor Configuration (CIS 1.3.x)
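# CIS 1.3.1 — `apparmor` brings the profile parser and base profiles;
# `apparmor-utils` supplies the aa-* management tools (aa-enforce) that the
# enforcement task further down depends on. Booleans are written as
# true/false rather than YAML 1.1 `yes` so every parser reads them the same.
- name: Install AppArmor packages (CIS 1.3.1)
  ansible.builtin.apt:
    name:
      - apparmor
      - apparmor-utils
    state: present
    update_cache: true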
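# CIS 1.3.2 — make sure the apparmor unit is running now and enabled at boot
# so profiles are loaded on every start. This only loads profiles; whether
# anything is actually confined is what the aa-status check below reports.
- name: Enable AppArmor service (CIS 1.3.2)
  ansible.builtin.service:
    name: apparmor
    state: started
    enabled: true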
# Snapshot the current AppArmor state as JSON for the parse/report tasks.
# Read-only, so it never reports "changed"; it is also allowed to fail
# (older aa-status without --json, no AppArmor in the kernel, or insufficient
# privilege are all expected to give a non-zero rc), and the parse task below
# then simply treats the status as unknown. Note this snapshot is taken
# before the enforce task, so it reflects the pre-enforcement state.
- name: Check AppArmor status
  ansible.builtin.command:
    cmd: aa-status --json
  changed_when: false
  failed_when: false
  register: apparmor_status
# Decode the aa-status JSON only when the command succeeded; otherwise
# apparmor_json stays undefined and the reporting task is skipped rather
# than failing on unparseable output.
- name: Parse AppArmor status
  when: apparmor_status.rc == 0
  ansible.builtin.set_fact:
    apparmor_json: '{{ apparmor_status.stdout | from_json }}'
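# CIS 1.3.3 — put every profile under /etc/apparmor.d into enforce mode.
# The shell module is required here: ansible.builtin.command does not go
# through a shell, so the `*` glob was handed to aa-enforce literally and the
# control was never applied — and `failed_when: false` hid that. Requires
# root; assumes `become` is set at play level — TODO confirm.
# Set `apparmor_enforce_all: false` to skip this (e.g. while new profiles are
# still being validated in complain mode).
- name: Set all AppArmor profiles to enforce mode (CIS 1.3.3)
  ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
  register: apparmor_enforce
  # aa-enforce prints "Setting <profile> to enforce mode." for each profile it
  # processes, apparently including ones already enforcing, so this likely
  # reports changed on every run — verify; a stricter check would compare
  # against aa-status output first.
  changed_when: "'Setting' in apparmor_enforce.stdout"
  # Do not blanket-mask errors. aa-enforce may warn and exit non-zero because
  # of non-profile entries in /etc/apparmor.d (abstractions/, tunables/, …)
  # while still having enforced the real profiles, so only fail when nothing
  # at all was set; tighten once verified on the target release.
  failed_when: apparmor_enforce.rc != 0 and 'Setting' not in apparmor_enforce.stdout
  when: apparmor_enforce_all | default(true)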
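# Report what aa-status saw. Ordering caveat: apparmor_status was captured
# before the enforce task above, so on a run that changed modes these
# numbers describe the state before enforcement.
# Assumed output shape (aa-status --json, version "2"): "profiles" is a
# mapping of profile name -> mode ("enforce"/"complain"/…). The original
# selectattr('mode', …) expected a list of objects and would always count 0
# for a mapping, so the modes are normalised to a plain list first (a list
# of {name, mode} objects is still accepted). NOTE(review): a top-level
# "apparmor" key is not present on every aa-status version — hence the
# default. This task only prints; nothing here fails the play when profiles
# remain in complain mode, so it is not an enforceable compliance check.
- name: Display AppArmor status
  vars:
    apparmor_profiles: "{{ apparmor_json.profiles | default({}) }}"
    apparmor_profile_modes: >-
      {{ (apparmor_profiles | dict2items | map(attribute='value') | list)
         if apparmor_profiles is mapping
         else (apparmor_profiles | map(attribute='mode') | list) }}
  ansible.builtin.debug:
    msg:
      - "AppArmor status: {{ apparmor_json.apparmor | default('unknown') }}"
      - "Profiles loaded: {{ apparmor_profile_modes | length }}"
      - "Profiles in enforce mode: {{ apparmor_profile_modes | select('equalto', 'enforce') | list | length }}"
      - "Profiles in complain mode: {{ apparmor_profile_modes | select('equalto', 'complain') | list | length }}"
  when: apparmor_json is defined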
|