github elesiuta/picosnitch v0.9.1
Version 0.9.1

2 years ago
  • improvements to executable detection reliability (so that extremely short-lived ones are less likely to evade hashing)
    • get dev + inode of the running executable directly using a BPF program (then confirm it matches the file descriptor once opened)
    • open file descriptors to every running executable as soon as they're seen instead of waiting for connections
    • if the executable itself still manages to evade being hashed (unlikely), it is logged as the child of its parent
  • add a warning when running on a system with btrfs, and ignore dev there since it behaves strangely with btrfs, relying on just the inode (which, with btrfs, also has the problem of not always being unique)
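
The "confirm it matches the file descriptor once opened" step above, sketched as an added example that is not picosnitch's own code. The function names, the `ignore_dev` flag and the temporary files are assumptions made for illustration, and `os.stat` stands in for the dev + inode a BPF program would report.

```python
import hashlib
import os
import tempfile


def hash_if_same_file(path, expected_dev, expected_ino, ignore_dev=False):
    """Open path, confirm the fd is the file that was observed, then hash via the fd.

    Returns the SHA-256 hex digest, or None if the path now names another file.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)  # stat the descriptor, not the path, so check and read agree
        if st.st_ino != expected_ino:
            return None
        if not ignore_dev and st.st_dev != expected_dev:
            return None
        digest = hashlib.sha256()
        while chunk := os.read(fd, 65536):
            digest.update(chunk)
        return digest.hexdigest()
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a file is observed, then replaced at the same path."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "observed")
        with open(exe, "wb") as f:
            f.write(b"original contents")
        seen = os.stat(exe)  # assumption: stands in for the BPF-reported dev + inode
        before = hash_if_same_file(exe, seen.st_dev, seen.st_ino)
        # Create the replacement while the first inode still exists, so the
        # inode number cannot be reused, then swap it in at the same path.
        other = os.path.join(d, "other")
        with open(other, "wb") as f:
            f.write(b"replacement contents")
        os.replace(other, exe)
        after = hash_if_same_file(exe, seen.st_dev, seen.st_ino)
        # Inode-only comparison, as in the btrfs item: a wrong dev is tolerated.
        new_ino = os.stat(exe).st_ino
        inode_only = hash_if_same_file(exe, seen.st_dev + 1, new_ino, ignore_dev=True)
    return before, after, inode_only
```

`demo()` returns the hash of the original file, `None` for the swapped file (a caller could then attribute the event to the parent process, as the list describes), and the replacement's hash when only the inode is compared.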
