On Wed, May 07, 2014 at 01:35:06PM +0100, David Woodhouse wrote:
> On Fri, 2014-05-02 at 14:03 -0700, Mark Brown wrote:
> > That works for specific processes but I don't immediately see a
> > straightforward way to do it system wide (I guess a wrapper that straces
> > init and children might do the trick but it's not particularly nice).
> > Part of the trick for getting the general security win is to lower the
> > barrier to entry.
>
> You can do it relatively easily with auditing, surely? Set up an audit
> rule for each syscall you aren't already sure is in use. Disable the
> rule when you see it used, and it shouldn't even have much of an
> overhead over and above what it takes to have auditing enabled in the
> first place (which we tried to keep to a minimum).

I suspect that's got too high a barrier to entry for a lot of users,
especially since AFAICT it requires userspace tools on the target system.
It should work though.
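The audit-based probing that David describes, written out as an added shell example; this is not code from either poster, and the candidate syscall list, the `syscall-probe-` key prefix and the sample audit.log records are constructed for illustration. The idea is the one in the thread: load one audit rule per syscall whose use is uncertain, tag each rule with a key that names the syscall, and retire a rule as soon as its key shows up in the log, so what is left in the probe list is the set of syscalls nothing on the system has used.

```shell
#!/bin/sh
# Syscalls we are not yet sure the system uses (constructed list; adjust per system).
PROBE_SYSCALLS="mount umount2 ptrace personality kexec_load execve"
# Key attached to every probe rule, so a hit can be mapped back to its syscall
# by name instead of decoding the numeric syscall= field per architecture.
KEY_PREFIX="syscall-probe-"

# Constructed audit.log excerpt: execve was hit twice and mount once; the
# PROCTITLE record carries no key and must be ignored.
SAMPLE_LOG='type=SYSCALL msg=audit(1399471106.123:456): arch=c000003e syscall=59 success=yes exit=0 key="syscall-probe-execve"
type=SYSCALL msg=audit(1399471107.001:457): arch=c000003e syscall=165 success=yes exit=0 key="syscall-probe-mount"
type=SYSCALL msg=audit(1399471107.002:458): arch=c000003e syscall=59 success=yes exit=0 key="syscall-probe-execve"
type=PROCTITLE msg=audit(1399471107.002:458): proctitle="/bin/true"'

# Print the auditctl command that installs one probe rule per candidate syscall.
# arch=b64 only matches the 64-bit ABI; a second set with arch=b32 is needed
# if compat (32-bit) callers are of interest.
probe_rules() {
    for sc in $PROBE_SYSCALLS; do
        printf 'auditctl -a always,exit -F arch=b64 -S %s -k %s%s\n' "$sc" "$KEY_PREFIX" "$sc"
    done
}

# Read raw audit records on stdin; print each probed syscall that was hit,
# once, in order of first appearance.
seen_syscalls() {
    sed -n "s/.*key=\"${KEY_PREFIX}\([a-z0-9_]*\)\".*/\1/p" | awk '!seen[$0]++'
}

# For every syscall observed in the log on stdin, print the auditctl command
# that removes its probe rule, so only unseen syscalls keep costing audit events.
retire_rules() {
    seen_syscalls | while read -r sc; do
        printf 'auditctl -d always,exit -F arch=b64 -S %s -k %s%s\n' "$sc" "$KEY_PREFIX" "$sc"
    done
}

# Candidate syscalls never seen in the log on stdin: the ones that can be
# considered for disabling once the observation window is long enough.
unseen_syscalls() {
    seen=$(seen_syscalls)
    for sc in $PROBE_SYSCALLS; do
        printf '%s\n' "$seen" | grep -qx "$sc" || printf '%s\n' "$sc"
    done
}

# Demo against the constructed log when run directly.
echo "# rules to load:";            probe_rules
echo "# rules to retire after log:"; printf '%s\n' "$SAMPLE_LOG" | retire_rules
echo "# still unseen:";             printf '%s\n' "$SAMPLE_LOG" | unseen_syscalls
```

In practice the log would be read from /var/log/audit/audit.log (or `ausearch -k syscall-probe-`) on the target itself, which is exactly the dependency on userspace audit tooling that Mark objects to; the script assumes auditd and auditctl are present on the observed system.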