---
- name: Check for AppArmor or SELinux denials
  hosts: germany
  become: yes
  tasks:
    - name: Search journalctl for AppArmor/SELinux messages
      shell: 'journalctl -k | grep -i -e apparmor -e selinux -e "avc: denied"'
      register: security_logs
      changed_when: false
      failed_when: false

    - name: Display security logs
      debug:
        var: security_logs.stdout_lines