create another probe point family, to represent the kernel audit subsystem's existing hooks
Exploiting the audit code already in the kernel would allow systemtap scripts to do all these and more: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
http://sourceware.org/ml/systemtap/2007-q4/msg00212.html
This is unnecessary now, with kprobe access into kernel/audit* as needed, and several other probe technologies tracking system calls.