eBPF for Process and File Auditing: Extending to macOS with uBPF

[hadisinaee]

Hi,

I'm working on a research project where I want to use eBPF for auditing purposes, specifically for the following objectives:

• Monitoring the creation and termination of each process.
• Tracking file accesses for specific processes, such as creation and modification.

We already have a project addressing similar tasks for Linux, but we want to extend this capability to macOS as well. In my search, I came across the uBPF project and I'm curious if it could be used for the above goals.

Thank you!