{"description": "AppArmor profiles define what resources applications are able to access.\nTo set all profiles to either <tt>enforce</tt> or <tt>complain</tt> mode,\nrun one of the following commands. To set all profiles to <tt>enforce</tt> mode:\n<pre>$ sudo aa-enforce /etc/apparmor.d/*</pre>\nTo set all profiles to <tt>complain</tt> mode:\n<pre>$ sudo aa-complain /etc/apparmor.d/*</pre>\nTo list unconfined processes, run the following command:\n\n<pre>$ sudo apparmor_status | grep processes</pre>\n\nAny unconfined processes may need to have a profile created or activated\nfor them and then be restarted.", "rationale": "Security configuration requirements vary from site to site. Some sites may\nmandate a policy that is stricter than the default policy, which is perfectly\nacceptable. This recommendation is intended to ensure that any policies that\nexist on the system are activated.", "severity": "medium", "references": {"cis": ["1.3.1.3"]}, "control_references": {"cis": ["1.3.1.3"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine and package[apparmor]", "platforms": ["machine and package[apparmor]"], "sce_metadata": {"platform": ["multi_platform_ubuntu"], "check-import": "stdout", "environment": "any", "filename": "all_apparmor_profiles_in_enforce_complain_mode.sh", "relative_path": "ubuntu2204/checks/sce/all_apparmor_profiles_in_enforce_complain_mode.sh"}, "inherited_platforms": ["machine"], "cpe_platform_names": ["machine_and_package_apparmor"], "inherited_cpe_platform_names": ["machine"], "bash_conditional": null, "fixes": {}, "title": "All AppArmor Profiles are in enforce or complain mode", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/rule.yml", "template": null}