@alessandrogario do you have some time Monday that we could meet with @Artemis Tosini and talk about joining in on the eBPF work? Our schedules are fairly open. Perhaps 5PM your time?

The initial PoC table is really simple, as I was focusing on the library code first. Immediate tasks that I can think of that are useful: 1. Probe-related * The current process events is really simple, and only few fields are supported. Things that are missing are for example user and group IDs. Having access to the task_struct means we can be creative and add many more things. 2. Publisher-related * The container detection logic only supports podman, we should add more backends. Some of them may or may not require additional code in the probe 3. Toolchain-related * The current osquery-toolchain is based on LLVM/Clang 9 and it does not contain some of the intrinsics that could be used for more advanced usage. I know @Stefano Bonicatti had an update for it but was considered alpha (it lacked aarch64 support and some headers needed upgrading). In practice, it means we can't emit some opcodes (such as a proper fetch and add that returns the pre-increment value) 4. Libraries * Add support for the newer BPF ring buffer. This lets us have total order (it's a single channel vs cpu_count ones) and waste less memory on systems with high processor count * Build a set of BTF vmlinux files so that we can test that the library correctly handles different scenarios well when generating the header 5. New work, probe related * Network events

It works for me but @zwass is busy then. Anything that works for him should work for me though

I don't mind doing this late in the evening, if you know that Zach is free we can move it!

We can try 7PM your time when the osquery office hours normally are

That works for me! 🙂

Thank you! Sent out an invite (Alessandro I only had your personal email, please lmk if there's a work email you'd like me to use).

That works! 🙂