audit more syscalls during boot before auditd starts?

Giang Nguyen cauthu at gmail.com
Mon Jul 23 14:42:04 UTC 2012


> But even if you successfully load rules early...you need a daemon to collect
> the results before the internal kernel buffer overflows and you forever lose the
> events. So, this means getting the audit daemon running earlier and its main
> requirement is that the MAC policy already be loaded and the disk system mounted
> (perhaps networking running if you use remote logging).

Thanks, Steve.



