Hello,
I've been mucking around with libaudit.c and auditctl.c to add the
ability to insert watch points into the filesystem via the auditctl
command line interface. But last night in a dream, a giant donut told
me that I should just create a file, watch.list, which auditd will
read when it's started and insert any/all new watches into the
filesystem. This way, when we mount over /etc, and we're watching
/etc/passwd, then when we restart auditd, it will insert a watch
for /etc/passwd on the new device. We do it this way so we minimize
our impact on kernel code (not sure we want to go screwing around with
mount()). This might be a little cumbersome to do when we wish to
remove watch points, because in theory, we'd want to detect the
absence of /etc/passwd on a restart to know that we must remove its
watch point from the file system. Does this sound reasonable, or do we
need a greater degree of flexibility with the ability to insert/remove
watch points without restarting auditd, like we do with rules?
--
- Timothy R. Chavez