AppArmor Policy Interface Access

Elastic Detection Rules

Summary
This rule detects attempts to access the Linux AppArmor policy control interfaces by monitoring reads, writes, and deletions of the kernel policy files under /sys/kernel/security/apparmor/ (.load, .replace, .remove). These files are the interface through which AppArmor profiles are loaded, replaced, or removed, and in normal operation they are written only by policy tooling such as apparmor_parser (the backend used by the aa-* utilities and the apparmor service) during policy administration. Access can therefore reflect a legitimate configuration change, but it can also indicate defense evasion: an attacker removing or loosening the profile that confines a target process, or installing an attacker-controlled profile.

The rule relies on the auditd_manager integration and does not fire unless the host carries explicit audit rules watching these files:
  • -w /sys/kernel/security/apparmor/.load -p rw -k apparmor_policy_change
  • -w /sys/kernel/security/apparmor/.replace -p rw -k apparmor_policy_change
  • -w /sys/kernel/security/apparmor/.remove -p rw -k apparmor_policy_change

It fires on Linux hosts when event.action is opened-file, wrote-to-file, or deleted and file.path matches one of the three target files. The detection is most valuable where AppArmor policy changes are uncommon or tightly controlled, so that every hit is worth examining. It maps to MITRE ATT&CK Defense Evasion (T1562: Impair Defenses, sub-technique T1562.001: Disable or Modify Tools). Although rated low severity, it is a high-signal control for policy tampering: each alert should be triaged against change records and the responsible process and user, either to confirm legitimate administrative activity or to identify the persistence or post-exploitation steps that accompanied the change.
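The match logic above, applied to constructed events, as an added example that is not part of the Elastic rule or of this page. The events are hand-built in the ECS shape the auditd_manager integration emits (event.action, file.path, process.name); the host.os.type check, the apparmor_parser allow-list, and the triage labels are assumptions made for the example, not fields or logic taken from the rule.

```python
# Added example, not part of the Elastic rule or this page: applies the
# rule's match conditions to constructed ECS-style auditd events and
# attaches a first triage label to each hit.

APPARMOR_POLICY_FILES = {
    "/sys/kernel/security/apparmor/.load",
    "/sys/kernel/security/apparmor/.remove",
    "/sys/kernel/security/apparmor/.replace",
}
MATCHING_ACTIONS = {"opened-file", "wrote-to-file", "deleted"}

# Assumption: apparmor_parser is the usual legitimate writer of these files
# (the aa-* tools and the apparmor service call it); anything else is escalated.
EXPECTED_WRITERS = {"apparmor_parser"}


def matches_rule(event):
    """True when the event satisfies the rule's conditions: a Linux host,
    one of the three file actions, and a path in the watched set.
    The host.os.type check is an assumption about how the rule is scoped."""
    host_os = event.get("host", {}).get("os", {}).get("type")
    action = event.get("event", {}).get("action")
    path = event.get("file", {}).get("path")
    return host_os == "linux" and action in MATCHING_ACTIONS and path in APPARMOR_POLICY_FILES


def triage_label(event):
    """Assumed triage heuristic: expected policy tooling gets checked against
    change records; any other process touching the interface is escalated."""
    proc = event.get("process", {}).get("name")
    return "review-change-record" if proc in EXPECTED_WRITERS else "escalate"


def run_rule(events):
    """Return (path, action, process, label) for every matching event."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append((ev["file"]["path"], ev["event"]["action"],
                         ev.get("process", {}).get("name"), triage_label(ev)))
    return hits


def _ev(action, path, proc, user="root", os_type="linux"):
    """Build one constructed ECS-style event (not captured from a real host)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"action": action, "category": ["file"]},
        "file": {"path": path},
        "process": {"name": proc},
        "user": {"name": user},
    }


# Constructed sample events: two expected hits, one unexpected deletion,
# and two near misses (profiles listing, and a profile source file on disk).
SAMPLE_EVENTS = [
    _ev("wrote-to-file", "/sys/kernel/security/apparmor/.replace", "apparmor_parser"),
    _ev("wrote-to-file", "/sys/kernel/security/apparmor/.remove", "python3"),
    _ev("deleted", "/sys/kernel/security/apparmor/.load", "rm"),
    _ev("opened-file", "/sys/kernel/security/apparmor/profiles", "aa-status"),
    _ev("opened-file", "/etc/apparmor.d/usr.sbin.tcpdump", "vim"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Reads of /sys/kernel/security/apparmor/profiles (what aa-status does) and edits to profile sources under /etc/apparmor.d do not match, which is why the rule only watches the three control files: a profile edit on disk changes nothing until something writes the compiled policy into .load or .replace.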
Categories
  • Linux
Data Sources
  • File
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-03-20