AFAIK, capsule8 has ebpf input on linux so probably more efficient and larger coverage than osquery but with more hands-on work. they had nice blog posts about spectre/meltdown discussion based on cache miss

i don’t think “ebpf input” == “larger coverage”.. ebpf is just one source, osquery has dozens of non-ebpf sources (as well as ebpf in development)