[westurner]

From https://news.ycombinator.com/item?id=37442312 re why not ptrace for tracing all exec() syscalls:

> The Falco docs list 3 syscall event drivers: Kernel module, Classic eBPF probe, and Modern eBPF probe: https://falco.org/docs/event-sources/kernel/