From: "Juraj Hlista" <juro.fit(a)gmail.com>
I'm working on an implementation of reactive rules in audit.
I've come up with a new type of rule (AUDIT_ALWAYS_REACT)
which is almost the same as AUDIT_ALWAYS. The only difference is that
the kernel generates one more message of type REACT_RULE when this
rule is used. For instance, let's suppose that the reactive rule was added
to the rule set with auditctl:
auditctl -a exit,react -F path=/tmp/file -F perm=r
then "cat /tmp/file" generates the following audit message:
type=REACT_RULE msg=audit(1259164875.572:4):
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3
a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat"
exe="/bin/cat" key=(null)
type=CWD msg=audit(1259164875.572:4): cwd="/root"
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872
dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
Also, I'm working on a plugin which watches for messages of
type REACT_RULE and makes decisions accordingly. This plugin
has a configuration file which could look like this:
variable = 0;
"action1" {
    exec "program1"
    add/delete rule
    if (variable == 0) {
        exec "program2"
    }
}
The problem is that the plugin needs to recognize which reactive rules
have been reacted to. The kernel just generates messages without
any identifier.
In order to solve this, auditctl has to add an identifier to the reactive
rule somehow, for example, using the -k parameter:
auditctl -a exit,react -k "action1" -F path=/tmp/file -F perm=r
Another solution would be to create a new parameter, for example, -k_react.
Any suggestions?
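As an added illustration of the -k approach, not code from the post or from the audit project: a small parser that groups audit records by their serial number, detects the proposed REACT_RULE record, and uses the key= field of the SYSCALL record to select the configured action. The REACT_RULE type, the key value "action1" and the ACTIONS table are assumptions taken from the proposal above; the log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the records in the post. Event 4 carries the
# proposed REACT_RULE record and a -k key; event 5 is an ordinary event.
SAMPLE_LOG = """\
type=REACT_RULE msg=audit(1259164875.572:4):
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3 pid=1165 uid=0 comm="cat" exe="/bin/cat" key="action1"
type=CWD msg=audit(1259164875.572:4): cwd="/root"
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872
type=SYSCALL msg=audit(1259164875.601:5): arch=c000003e syscall=2 success=yes exit=3 pid=1170 uid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1259164875.601:5): item=0 name="/etc/hostname" inode=100
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A field is name=value where value is "quoted", (null)-style, or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_events(text):
    """Group records by audit serial: {serial: {'types': set, 'fields': dict}}."""
    events = defaultdict(lambda: {"types": set(), "fields": {}})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        ev = events[int(serial)]
        ev["types"].add(rtype)
        for name, value in FIELD.findall(rest):
            ev["fields"][name] = value.strip('"')
    return dict(events)

def reactive_actions(text):
    """Return [(serial, key)] for events that carry a REACT_RULE record.

    key is None when the rule had no -k identifier, which is exactly the case
    the post describes: the plugin then cannot tell which rule fired."""
    out = []
    for serial, ev in sorted(parse_events(text).items()):
        if "REACT_RULE" not in ev["types"]:
            continue
        key = ev["fields"].get("key")
        out.append((serial, None if key in (None, "(null)") else key))
    return out

# Hypothetical plugin configuration: rule key -> programs the action would run.
ACTIONS = {"action1": ["program1", "program2"]}

def dispatch(text, actions=ACTIONS):
    """Map each reacted event to the programs its key selects (unknown key -> [])."""
    return [(s, k, actions.get(k, [])) for s, k in reactive_actions(text)]
```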