ComplianceAsCode · israel-villar · Jun 5, 2026 · Jun 8, 2026 · Jun 9, 2026
diff --git a/components/apparmor.yml b/components/apparmor.yml
@@ -1,14 +1,15 @@
 groups:
 - apparmor
 name: apparmor
 packages:
 - apparmor
 - apparmor-parser
 rules:
 - all_apparmor_profiles_enforced
 - all_apparmor_profiles_in_enforce_complain_mode
 - apparmor_configured
 - grub2_enable_apparmor
 - package_apparmor_installed
 - package_apparmor-utils_installed
 - package_pam_apparmor_installed
+
diff --git a/components/kernel.yml b/components/kernel.yml
@@ -1,13 +1,13 @@
 groups:
 - gcc_plugin
 - kernel_build_config
 - network-ipv6
 - network-kernel
 name: kernel
 packages:
 - kernel
 rules:
 - audit_rules_kernel_module_loading
 - audit_rules_kernel_module_loading_create
 - audit_rules_kernel_module_loading_delete
 - audit_rules_kernel_module_loading_finit
@@ -132,6 +132,7 @@
 - sysctl_fs_protected_regular
 - sysctl_fs_protected_symlinks
 - sysctl_fs_suid_dumpable
+- sysctl_kernel_apparmor_restrict_unprivileged_unconfined
 - sysctl_kernel_core_pattern
 - sysctl_kernel_core_pattern_empty_string
 - sysctl_kernel_core_uses_pid
@@ -205,6 +206,6 @@
 - sysctl_user_max_user_namespaces_no_remediation
 - sysctl_vm_mmap_min_addr
 templates:
 - kernel_build_config
 - kernel_module_disabled
 - sysctl
diff --git a/...permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml b/...permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Enable kernel.apparmor_restrict_unprivileged_unconfined'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}'
+
+rationale: |-
+    Restricting unprivileged unconfined processes with AppArmor reduces the
+    attack surface available to local users and helps enforce additional
+    kernel-level hardening.
+
+severity: medium
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}
+
+fixtext: |-
+    Configure {{{ full_name }}} to enable AppArmor restrictions for
+    unprivileged unconfined processes.
+    {{{ fixtext_sysctl("kernel.apparmor_restrict_unprivileged_unconfined", "1") | indent(4) }}}
+
+platform: system_with_kernel
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.apparmor_restrict_unprivileged_unconfined
+        datatype: int
diff --git a/...ermissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/...ermissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: kernel.apparmor_restrict_unprivileged_unconfined
+
+description: |-
+    Prevent unprivileged and unconfined processes.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: 1
+    0: "0"
+    1: "1"