Subject: kauth and logging auth failures
To: None <elad@netbsd.org, tech-security@netbsd.org>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 09/06/2006 21:09:41
Will the proposed kauth framework permit logging any access control decision,
or at least the denied access control requests?  That would automatically
make any intrusion-preventative mechanisms into intrusion-detection
mechanisms as well.

Someone suggested doing this on application-level bugs, but I suspect that
detecting an exploitation attempt is sufficiently tricky that it might
cause enough vulnerabilities to offset the advantage of detection.  For example,
with the CRC compensation attack detector in SSH that was written by
CORE (IIRC).
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484