io_uring Reads Your Files and Opens Sockets Without Calling the Syscalls Your auditd Rules Watch
A process on a Linux host where io_uring is enabled can read files, connect out, and write to disk without issuing any of the file and network syscalls your auditd rules and EDR hooks watch. Here is the creation-time syscall that still fires, what to alert on, and why the real fix is a sysctl (already the default on RHEL 9).