---
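# Install the AppArmor userspace package together with the packaged profile set.
- name: apparmor | Install apparmor and default profiles
  apk:
    # An explicit list avoids depending on how the module splits a
    # comma-separated string (the original had a space after the comma).
    name:
      - apparmor
      - apparmor-profiles
    state: present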
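# Ensure each option in the loop exists as its own line in the AppArmor
# parser configuration; the file is kept root-owned and not world-writable.
- name: apparmor | Enable writing cache and faster DFA transition table compression
  lineinfile:
    path: /etc/apparmor/parser.conf
    state: present
    # The same literal is used to find an existing line and to write it,
    # so re-running the task does not append duplicates.
    search_string: '{{ item }}'
    line: '{{ item }}'
    owner: root
    group: root
    # Quoted so the mode reaches the module as a string instead of a
    # YAML-typed integer whose meaning depends on the parser version.
    mode: '0644'
  loop:
    - write-cache
    - Optimize=compress-fast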
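# Don't start it yet, as it requires the kernel parameters
# (only `enabled` is set here; there is deliberately no `state: started`).
- name: apparmor | Add apparmor service to runlevel 'boot'
  service:
    name: apparmor
    runlevel: boot
    # Canonical boolean instead of the YAML 1.1 `yes` spelling.
    enabled: true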
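# Read-only probe of /etc/default/grub: `state: absent` combined with
# `check_mode: true` makes lineinfile count matching lines without removing
# them; the count is read later as `apparmor_cmdline_check.found`.
- name: apparmor | Check whether apparmor kernel parameters is presented
  lineinfile:
    # NOTE(review): the task never writes in check mode, so this backup
    # request is presumably inert here — confirm it was not meant for the
    # task that actually edits the file.
    backup: true
    path: /etc/default/grub
    # NOTE(review): this matches any `apparmor=<value>`, so an existing
    # `apparmor=0` also counts as "present" and the task gated on
    # `apparmor_cmdline_check.found == 0` is skipped, leaving AppArmor
    # disabled on the kernel command line — confirm that is acceptable.
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=".*apparmor=.*'
    state: absent
  check_mode: true
  register: apparmor_cmdline_check
  # A probe must never be reported as a change.
  changed_when: false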
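# Append the AppArmor kernel parameters to the existing default command line
# in /etc/default/grub, then notify the handler that regenerates the config.
- name: apparmor | Add apparmor to grub boot command if missing
  lineinfile:
    # With backrefs the captured prefix (\1) is reused; if the regexp does
    # not match, lineinfile leaves the file unchanged rather than appending.
    backrefs: true
    path: /etc/default/grub
    # NOTE(review): only a double-quoted value ending exactly in `"` matches.
    # A single-quoted value, trailing whitespace or a missing variable means
    # nothing is added and the task still reports ok, while the service is
    # already enabled at boot — verify the resulting kernel command line on
    # the host.
    regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=".*)"$'
    line: '\1 apparmor=1 security=apparmor"'
    owner: root
    group: root
    # Quoted so the mode reaches the module as a string instead of a
    # YAML-typed integer whose meaning depends on the parser version.
    mode: '0644'
  # Runs only when the registered probe found no `apparmor=` entry.
  when: apparmor_cmdline_check.found == 0
  notify: Update grub config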