On Fri, May 02, 2014 at 05:08:51PM -0400, Dave Jones wrote:
> On Fri, May 02, 2014 at 02:03:40PM -0700, Mark Brown wrote:
>
> > That works for specific processes but I don't immediately see a
> > straightforward way to do it system wide (I guess a wrapper that straces
> > init and children might do the trick but it's not particularly nice).
> > Part of the trick for getting the general security win is to lower the
> > barrier to entry.
>
> Sounds like something you could use tracepoints for maybe?
> Failing that, kprobes?

Tracepoints do run the risk of overflowing the buffer if run for too long
but if it's the only thing running and/or is monitored that should be OK,
it's more manageable than strace. kprobes should definitely work I think if
there's a suitably canned way of setting it up.