Features in falco

Laurent Simon


I have some basic questions about the features supported by falco. Namely, 

1. Does it support custom syscall hook rules? Example: we want to hook into **mprotect** syscall, can we do that? Can you point me to a link?

2. How do we monitor userspace code? Example: we want to catch reads of environment variables, how can we achieve that? Do you have a link with an example?

3. Does falco support record-and-replay?

Thanks in advance!