diff --git a/components/apparmor.yml b/components/apparmor.yml
index 9f2e000260e9..1555f4ad7504 100644
--- a/components/apparmor.yml
+++ b/components/apparmor.yml
@@ -12,3 +12,4 @@ rules:
 - package_apparmor_installed
 - package_apparmor-utils_installed
 - package_pam_apparmor_installed
+
diff --git a/components/kernel.yml b/components/kernel.yml
index ef50ac95e91e..08aeeb0c1d2e 100644
--- a/components/kernel.yml
+++ b/components/kernel.yml
@@ -132,6 +132,7 @@ rules:
 - sysctl_fs_protected_regular
 - sysctl_fs_protected_symlinks
 - sysctl_fs_suid_dumpable
+- sysctl_kernel_apparmor_restrict_unprivileged_unconfined
 - sysctl_kernel_core_pattern
 - sysctl_kernel_core_pattern_empty_string
 - sysctl_kernel_core_uses_pid
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
new file mode 100644
index 000000000000..8a9a50f70d4c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
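Review bot: The new rule id is added to `components/kernel.yml` while `components/apparmor.yml`, touched in the same commit, only gains a trailing blank line; since `kernel.apparmor_restrict_unprivileged_unconfined` is a knob of the AppArmor LSM and has no meaning on a kernel without it, the entry arguably belongs next to the `package_apparmor_installed` rules in the apparmor component, or in both. If placing it under the kernel component is deliberate, a short comment on the entry, e.g. `- sysctl_kernel_apparmor_restrict_unprivileged_unconfined  # AppArmor sysctl, kept with the other kernel.* knobs`, would spare the next reader the question. The blank line appended to apparmor.yml looks accidental.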
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Enable kernel.apparmor_restrict_unprivileged_unconfined'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}'
+
+rationale: |-
+ Restricting unprivileged unconfined processes with AppArmor reduces the
+ attack surface available to local users and helps enforce additional
+ kernel-level hardening.
+
+severity: medium
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}
+
+fixtext: |-
+ Configure {{{ full_name }}} to enable AppArmor restrictions for
+ unprivileged unconfined processes.
+ {{{ fixtext_sysctl("kernel.apparmor_restrict_unprivileged_unconfined", "1") | indent(4) }}}
+
+platform: system_with_kernel
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.apparmor_restrict_unprivileged_unconfined
+ datatype: int
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
new file mode 100644
index 000000000000..3a26de30e60a
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: kernel.apparmor_restrict_unprivileged_unconfined
+
+description: |-
+ Prevent unprivileged and unconfined processes.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: 1
+ 0: "0"
+ 1: "1"
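Review bot: `platform: system_with_kernel` is too broad for this rule: the sysctl is exposed by the kernel's AppArmor LSM (to my knowledge only on kernels carrying the AppArmor 4 / Ubuntu patches), so on any other kernel `/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined` is absent, the check reports fail rather than not-applicable, and the generated `sysctl -w` remediation errors out — gate the rule on AppArmor being present, using the same AppArmor applicability the `components/apparmor.yml` rules rely on, or at least state the limitation in the description. The rationale is also too generic for an assessor to judge impact; it should say what is restricted and what may break, e.g. `Restricting the AppArmor operations available to unprivileged, unconfined processes (as I understand it, profile transitions such as change_profile) removes a path by which a local user reaches privileged AppArmor functionality; tools that depend on such transitions from an unconfined context, e.g. aa-exec, may stop working when this is set to 1.` Finally, `description` and the OCIL entry hardcode `value="1"` while the template omits `sysctlval`, so if the sysctl template falls back to the `sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value` variable as its name suggests, a profile selecting 0 would render guidance contradicting the actual check; either pin the value in `vars` or derive the documented value from the variable.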
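Review bot: The variable's `description` misstates the control: `Prevent unprivileged and unconfined processes.` reads as if the sysctl stops such processes from existing, whereas it restricts what an unprivileged, unconfined process may do within AppArmor. Suggested wording: `Value for kernel.apparmor_restrict_unprivileged_unconfined: 1 restricts the AppArmor operations (e.g. profile transitions) available to unprivileged, unconfined processes; 0 leaves them unrestricted.` Since `default: 1` already selects the hardened setting, it is worth noting in that description that `0` is offered only so a profile can opt out deliberately.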