Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!
For macOS you all should look into integrating with the Endpoint Security API. It also provides a larger subset of events than just syscalls. You can see them all with `eslogger --list-events`.
Awesome! Thanks for your work on this and everything else.
Once you add capture on macOS with something like dtrace, could you conceivably capture a system call inside Docker on macOS and watch it trickle down through the Linux hypervisor and then to the host Darwin kernel and back?
How does it conceptually track the handoff of system calls between hypervisors/VMs/containers/etc?
In this case you would presumably have a capture file that contained syscall events at both the macOS boundary and at the Linux VM boundary. At the present time it would be like capturing traffic on either side of a firewall and loading it into Wireshark (which is something people do!). You'd have to correlate the events visually/manually, but adding an automatic correlation feature is well within the realm of possibility.
Yeah I was imagining something like the TLS session tracing feature in Wireshark that lets you see all the packets related to a single TLS connection.
I currently struggle with debugging opaque containers and VMs that run lots of concurrent async jobs; having some kind of tool to trace and group syscalls through the stack would be amazing.