From ec27cefbefae5c6a546a1d19cae5c48689b4c860 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 16:20:08 -0500
Subject: [PATCH] V-51337: Use an LSM at boot

Change-Id: Ifbda2eddcd26beec49f00f8617ae6d3cd79bc1ef
---
 doc/source/developer-notes/V-51337.rst | 10 ++++++++++
 tasks/misc.yml | 16 ++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 doc/source/developer-notes/V-51337.rst

diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst
new file mode 100644
index 00000000..0922dcf4
--- /dev/null
+++ b/doc/source/developer-notes/V-51337.rst
@@ -0,0 +1,10 @@
+Ubuntu loads the AppArmor module by default starting with version 8.04. For
+more information, review the `AppArmor documentation`_ on Ubuntu's site.
+In addition, the openstack-ansible project configures AppArmor policies
+for the LXC containers which run the OpenStack infrastructure.
+
+The tasks for this STIG will verify that AppArmor is enabled via the
+``apparmor_status``. The playbook will fail if AppArmor is found to be
+disabled on the host.
+
+.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
diff --git a/tasks/misc.yml b/tasks/misc.yml
index a4593ffb..2d02f5b2 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -199,3 +199,19 @@
   tags:
     - cat2
     - V-38674
+
+- name: Check if AppArmor is running (for V-51337)
+  shell: "apparmor_status 2>&1 | head -n 1"
+  register: v51337_result
+  changed_when: False
+  tags:
+    - cat2
+    - V-51337
+
+- name: V-51337 - The system must use a Linux Security Module at boot time
+  fail:
+    msg: "FAILED: AppArmor isn't enabled"
+  when: "'apparmor module is loaded' not in v51337_result.stdout"
+  tags:
+    - cat2
+    - V-51337
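Review bot: In the tasks/misc.yml hunk, the `shell` task that registers `v51337_result` is skipped under `--check`, so the following `fail` task's `when` expression dereferences `v51337_result.stdout` on a result with no stdout and errors out instead of evaluating the compliance check; the collecting task needs `always_run: yes` (the check-mode opt-in keyword in Ansible of this era) so the fail task still gets data to evaluate. Because `head -n 1` is the last stage of the pipeline, the shell task's exit status is head's, so a missing `apparmor_status` binary is masked: its error text lands in stdout via `2>&1` and is reported as "AppArmor isn't enabled" rather than as a missing tool — worth either noting in the `fail` message or checking for the command first. On style, `changed_when: False` should be the canonical lowercase `false` to match YAML 1.2 boolean handling and yamllint's truthy rule.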