
Holy crap, auditd wasn't running. Fixed now, AA works. Great. I love it, AA is so simple to set up. But some questions are left:

q1) Some apps want to access /proc/ and the directory that corresponds to the process ID. How do you handle that? E.g. vlc wants to access /proc/4672/status, where 4672 is the current process ID. I do not want to give read access to the complete /proc tree, which is what AA just did. How do you determine the current process ID? Is there a variable generated automatically, like $HOME?

q2) How do you automatically detect suspicious behaviour? In other words, do you look at the logs for DENIED messages every 10 minutes? I am considering having some script that gives me a desktop popup notification if a DENIED message occurred. I think that to detect suspicious things you need automatic notifications.

q3) If you confine, say, a web browser, all plugins become child processes, right? Thus the flash plugin becomes a child process inheriting the profile rules, right? Thus the same applies to malicious code an attacker tries to inject? If an attacker injects $BADSTUFF it becomes a child process, inheriting the profile rules, right? Thus, wouldn't observing for new child processes contribute to detecting attacks?

I hope it's okay to pour this many questions here ;-) You mentioned something about how much time you have, or so.... ;-)
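The notification script q2 asks about, as an added example that is not part of the post: it parses the key=value records auditd writes for AppArmor events, keeps only those with apparmor="DENIED", and raises a desktop popup through notify-send (falling back to stdout). The audit log path, the 10 second poll interval and the sample lines are assumptions; the sample lines are constructed to mirror the vlc /proc/4672/status denial from the post.

```python
import re, shutil, subprocess, sys, time

# Constructed sample lines in the format auditd writes AppArmor events to
# /var/log/audit/audit.log (not real log entries); the /proc/4672/status line
# mirrors the vlc denial described in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/vlc" name="/etc/ld.so.cache" pid=4672 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/proc/4672/status" pid=4672 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=2 success=no exit=-13 comm="vlc"
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="exec" profile="/usr/bin/firefox" name="/bin/sh" pid=5001 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_denials(log_text):
    """Return the parsed AppArmor DENIED records found in log_text, in order."""
    return [parse_audit_line(l) for l in log_text.splitlines()
            if 'apparmor="DENIED"' in l]

def format_alert(ev):
    """Short one-line summary of a denial, suitable for a popup notification."""
    return (f"AppArmor DENIED {ev.get('operation')} by {ev.get('profile')} "
            f"(pid {ev.get('pid')}) on {ev.get('name')} mask={ev.get('denied_mask')}")

def notify(message):
    """Desktop popup via notify-send when installed, otherwise print to stdout."""
    if shutil.which("notify-send"):
        subprocess.run(["notify-send", "AppArmor", message], check=False)
    else:
        print(message)

def follow(path, interval=10.0):
    """Poll the audit log for new lines and notify on each new DENIED record."""
    with open(path) as fh:
        fh.seek(0, 2)                     # start at end: only report new events
        while True:
            for ev in find_denials(fh.read()):
                notify(format_alert(ev))
            time.sleep(interval)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        follow(sys.argv[1])               # e.g. /var/log/audit/audit.log (needs read rights)
    else:
        for ev in find_denials(SAMPLE_AUDIT_LOG):
            print(format_alert(ev))
```

For q1, AppArmor profiles can refer to the confined process's own PID with the `@{pid}` variable (e.g. `owner /proc/@{pid}/status r,`) instead of opening the whole /proc tree.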