Hi,
In the process of updating the audit message type dictionary, I came
across a couple of differences I wanted to clear up.
The descriptions in the userspace header file don't obviously line up
with another source. Can I get a clarification on these two messages:
AUDIT_USER_ACCT 1101 User system access authorization
Alt: User account modification
AUDIT_USER_MGMT 1102 User account attribute change
Alt: Userspace management data
Similarly, these weren't clear to me as to whether they were active or
passive reports. Do these records say that the RESPonse happened, or
that the RESPonse should happen?
AUDIT_RESP_ALERT 2201 Alert email was sent
AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
AUDIT_RESP_EXEC 2210 Execute a script
AUDIT_RESP_HALT 2212 take the system down
AUDIT_RESP_KILL_PROC 2202 Kill program
AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
AUDIT_RESP_SINGLE 2211 Go to single user mode
AUDIT_RESP_TERM_ACCESS 2203 Terminate session
AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
In particular, does AUDIT_RESP_EXEC mean something as simple as a script
was executed in response to some detected event, or that an intrusion
detection program responds to a threat originating from the execution of
a program? I suspect they are all active and this EXEC one means a script
was executed in response.
Thanks!
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545