fix missing threads in system mode

aquasecurity · Apr 6, 2020 · 541ae53 · 541ae53
1 parent 35202dc
commit 541ae53
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/tracee/consts.go b/tracee/consts.go
@@ -407,6 +407,9 @@ func init() {
 // the boolean value is used to indicate if the event were also requested to be traced by the user
 var essentialEvents = map[int32]bool{
 	335: false, // do_exit
+	56:  false, // clone
+	57:  false, // fork
+	58:  false, // vfork
 	59:  false, // execve
 	322: false, // execveat
 }

diff --git a/tracee/tracer.py b/tracee/tracer.py
@@ -230,7 +230,8 @@ class SupportedAF(object):
 
 # We always need kprobes for execve[at] so that we capture the new PID namespace, 
 # and do_exit so we clean up  
-essential_syscalls = ["execve", "execveat"]
+# In system mode, we also need fork syscall so we can trace new threads
+essential_syscalls = ["execve", "execveat", "fork", "vfork", "clone"]
 essential_sysevents = ["do_exit"]
 
 # event_id numbers should match event_id enum in ebpf file code