{"description": "AppArmor profiles define what resources applications are able to access.\nTo set all profiles to enforce mode run the following command:\n<pre>$ sudo aa-enforce /etc/apparmor.d/*</pre>\nTo list unconfined processes run the following command:\n\n<pre>$ sudo apparmor_status | grep processes</pre>\n\nAny unconfined processes may need to have a profile created or activated\nfor them and then be restarted.", "rationale": "Security configuration requirements vary from site to site. Some sites may\nmandate a policy that is stricter than the default policy, which is perfectly\nacceptable. This recommendation is intended to ensure that any policies that\nexist on the system are activated.", "severity": "medium", "references": {"anssi": ["R45"], "cis": ["1.3.1.4"]}, "control_references": {"anssi": ["R45"], "cis": ["1.3.1.4"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine and package[apparmor]", "platforms": ["machine and package[apparmor]"], "sce_metadata": {"platform": ["multi_platform_debian", "multi_platform_sle", "multi_platform_ubuntu"], "check-import": "stdout", "environment": "any", "filename": "all_apparmor_profiles_enforced.sh", "relative_path": "ubuntu2204/checks/sce/all_apparmor_profiles_enforced.sh"}, "inherited_platforms": ["machine"], "cpe_platform_names": ["machine_and_package_apparmor"], "inherited_cpe_platform_names": ["machine"], "bash_conditional": null, "fixes": {}, "title": "Enforce all AppArmor Profiles", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml", "template": null}