Initial Debian 8 support

This patch sets up the security role so that it applies cleanly
to systems running Debian 8.

Change-Id: I15f003b8f57922b354143a86ccb34df77759e723

tasks/rhel7stig/lsm.yml

@@ -13,6 +13,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check if AppArmor is disabled at boot time
+  shell: "dmesg | grep -i apparmor"
+  register: dmesg_apparmor_output
+  changed_when: False
+  check_mode: no
+  when:
+    - ansible_os_family == "Debian"
+  tags:
+    - high
+    - V-71989
+
 - name: Ensure AppArmor is running
   service:
     name: apparmor
@@ -22,6 +33,7 @@
     - ansible_os_family == "Debian"
     - security_rhel7_enable_linux_security_module | bool
     - not check_mode
+    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
   tags:
     - high
     - V-71989

tasks/rhel7stig/packages.yml

@@ -91,7 +91,7 @@
     src: 20auto-upgrades
     dest: /etc/apt/apt.conf.d/20auto-upgrades
   when:
-    - ansible_os_family | lower == 'ubuntu'
+    - ansible_os_family | lower == 'debian'
     - security_rhel7_automatic_package_updates | bool
   tags:
     - packages

vars/debian.yml

@@ -13,9 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-## Variables for Ubuntu 14.04 (trusty) and Ubuntu 16.04 (xenial)
-# The following variables apply only to Ubuntu 14.04 (trusty) and Ubuntu 16.04
-# (xenial) and deployers should not override them.
+## Variables for Ubuntu and Debian
+# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
+# (xenial), and Debian 8 (jessie). Deployers should not need to override these
+# variables.
 #
 # For more details, see 'vars/main.yml'.