Just for the record, the latest edition of falco provides a "modern" ebpf probe in the kernel that is provided inside the binary and no longer requires a kernel module. This allows the binary to work independently of kernel version, as long as the kernel is new enough. Not sure how new, but the feature set required has been present in the Linux kernel for some years now.
This makes it a lot easier to deploy falco on many hosts.

--
Happy hacking
Petter Reinholdtsen