by ryanpetrich
1551 days ago
If best effort is good enough and your use case doesn't require robustness, reading out of host /proc certainly works. Tracking execs with hooks in the kernel's internal exec mechanism with a separate indexing step at startup is worth the extra effort for use cases that do require accurate data, such as security observability.
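
An added example, not part of the comment above and not any project's code: a best-effort /proc poller that tolerates processes vanishing mid-scan, run over a constructed /proc-like tree to show what polling cannot see. The names `snapshot`, `new_execs`, `make_fake_proc` and `demo`, and all sample PIDs and command lines, are assumptions made for illustration.

```python
import os
import tempfile

def snapshot(proc_root="/proc"):
    """Best-effort index of running processes: {pid: argv list}."""
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip non-process entries such as "meminfo"
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except (FileNotFoundError, ProcessLookupError,
                PermissionError, NotADirectoryError):
            continue  # process exited (or is unreadable) between listdir and open
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        procs[int(name)] = argv  # empty argv: kernel thread or zombie
    return procs

def new_execs(before, after):
    """PIDs whose argv is new or changed between two polls."""
    return {pid: argv for pid, argv in after.items() if before.get(pid) != argv}

def make_fake_proc(root, table):
    """Constructed fixture: write a /proc-like tree from {pid: argv}."""
    for pid, argv in table.items():
        os.makedirs(os.path.join(root, str(pid)), exist_ok=True)
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
            fh.write(b"".join(a.encode() + b"\0" for a in argv))

def demo():
    with tempfile.TemporaryDirectory() as root:
        make_fake_proc(root, {1: ["/sbin/init"], 200: ["sshd"]})
        os.mkdir(os.path.join(root, "300"))  # pid dir without cmdline: exited mid-scan
        open(os.path.join(root, "meminfo"), "w").close()
        first = snapshot(root)
        # Between polls: a hypothetical pid 400 starts and exits, so it never
        # appears on disk; pid 200 execs a new image; pid 500 starts and stays.
        make_fake_proc(root, {200: ["/bin/bash", "-i"],
                              500: ["curl", "example.invalid"]})
        return first, new_execs(first, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The short-lived pid 400 leaves no trace in either snapshot, which is the gap that exec hooks close; the first `snapshot` call plays the role of the startup indexing step for processes that were already running.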