apparmor

function f_aa_enforce {
  if [[ $LXC == "1" ]]; then
    return
  fi

  echo "[$SCRIPT_COUNT] Enforce apparmor profiles"

  if ! grep 'session.*pam_apparmor.so order=user,group,default' /etc/pam.d/*; then
    echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
  fi

  if ! grep -q 'apparmor=1' /proc/cmdline; then
    echo "GRUB_CMDLINE_LINUX=\"\$GRUB_CMDLINE_LINUX apparmor=1 security=apparmor\"" > "$DEFAULTGRUB/99-hardening-apparmor.cfg"
  fi

  systemctl enable apparmor.service
  systemctl restart apparmor.service

  find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} \;

  if [[ $VERBOSE == "Y" ]]; then
    systemctl status apparmor.service --no-pager
    echo
  fi

  ((SCRIPT_COUNT++))
}