Is this part of a larger effort, and is it going to be followed up by additional pull requests?

Same PR modification is Ok or need new additional PR.

But if there are more complex features planned for this table or future tables, it would need to be discussed in a blueprint issue first

The inotify approach performs a lot better than BPF in this specific case, since it does not need to trace many system calls

Through the inotify watchers, it is possible to know when a file or folder is changed in a compact way

With the current implementation of BPF (through the ebpfpub library, using system calls) it is not possible to trace write events without causing performance issues

So it would not be possible to trace much more than just the simple open() (and variants). This means that file_events is still a better choice

The cgroup id (cid field) is not very useful to determine which container is doing what. it's also not possible to understand whether it's a nested container or not

The PR is also not compatible with containers, since the configuration function will enumerate files on disk using the host mount namespace

Containers however are using their own mount namespace, which is not readily accessible to the host (depending on whether the container was started before or after osquery, and on what kind of technology the container runtime is using)

We do have a better way to approach this (see https://github.com/osquery/osquery/pull/7773), but it's still being worked on (also, it only supports kernels >= 5.4)

There's a chance the kernel requirement could be lowered using external BTF files but that is something we have yet to explore