Check apparmor_status output

This patch adds a check for the output of `apparmor_status` to
get a more accurate state of AppArmor's status. This should fix
idempotency issues that are plaguing the gate jobs.

Closes-Bug: 1715223
Change-Id: I10bb3212a3cc26ed27aa38cdc2e42ece722a6497

tasks/rhel7stig/lsm.yml

@@ -13,11 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Check if AppArmor is disabled at boot time
+- name: Check apparmor_status output
-  shell: "dmesg | grep -i apparmor || true"
+  command: apparmor_status
-  register: dmesg_apparmor_output
+  register: apparmor_status_output
-  changed_when: False
   check_mode: no
+  changed_when: false
+  failed_when: false
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
   tags:
@@ -48,8 +49,6 @@
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
-    - not check_mode
-    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
   tags:
     - high
     - V-71989
@@ -67,7 +66,7 @@
     - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
     - not check_mode
-    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
+    - '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
   tags:
     - high
     - V-71989