Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!
For macOS you all should look into integrating with the Endpoint Security API. It also provides larger subset of events than just syscalls. You can see them all with `eslogger --list-events`.
Awesome! Thanks for your work on this and everything else.
Once you add capture on macOS with something like dtrace, could you concievably capture a system call inside Docker on macOS and watch it trickle down through the linux hypervisor and then to the host darwin kernel and back?
How does it conceptually track the handoff of system calls between hypervisors/VMs/containers/etc?
geraldcombs|1 year ago
[1]https://github.com/falcosecurity/libs
SmellyPotato22|1 year ago
https://developer.apple.com/documentation/endpointsecurity
nikisweeting|1 year ago
Once you add capture on macOS with something like dtrace, could you concievably capture a system call inside Docker on macOS and watch it trickle down through the linux hypervisor and then to the host darwin kernel and back?
How does it conceptually track the handoff of system calls between hypervisors/VMs/containers/etc?
unknown|1 year ago
[deleted]