There is a tool named fs_usage that can be used to trace all filesystem events on Mac. Since we cannot yet run eBPF on Mac, we can use this tool to capture related events from a macOS filesystem.
steps:
[x] #50
[x] We should canonicalize these data for further processing
[x] We need a state machine for tracking these changes
There is a tool named
fs_usagethat can be used to trace all filesystem events on Mac. Since we cannot yet runeBPFon Mac, we can use this tool to capture related events from a macOS filesystem.steps: