auditing syscalls made 'by' an inode?

Is there anyway to audit syscalls made by a particular, not yet running, application? For example, if I'm interested in seeing all exec's by google-chrome, can I do something like the following? auditctl -a exit,always -F arch=b64 -S execve -F success=1 -F inode=inode-of-chrome experimenting seems to indicate that will only tell me when inode-of-chrome is exec'd, basically a watch rule. The sort of inverse of this rule that got me thinking about this initially was auditing a syscall and seeing if it was/wasn't called by a particular program. For example, audting all bind() calls which *aren't* made by chrome (a silly rule to be sure, but just thrown out as a hypothetical) If it's not possible to do this now, is there interest in adding this feature? Cheers, peter -- Peter Moody      Google    1.650.253.7306 Security Engineer  pgp:0xC3410038