System/socket: Support kernel_clone() replacement for _do_fork

adriansr · adriansr · commit 2f93be6430cd · 2022-01-07T17:05:31.000+01:00
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -91,6 +91,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887]
 - system/socket: Fix bugs leading to wrong process being attributed to flows. {pull}29166[29166] {issue}17165[17165]
 - system/socket: Fix process name and arg truncation for long names, paths and args lists. {issue}24667[24667] {pull}29410[29410]
+- system/socket: Fix startup errors on newer 5.x kernels that dropped _do_fork in favor of kernel_clone. {issue}29607[29607] {pull}29743[29743]
 
 *Filebeat*
 
diff --git a/x-pack/auditbeat/module/system/socket/template.go b/x-pack/auditbeat/module/system/socket/template.go
@@ -41,7 +41,7 @@ var functionAlternatives = map[string][]string{
 	"SYS_EXECVE":        syscallAlternatives("execve"),
 	"SYS_GETTIMEOFDAY":  syscallAlternatives("gettimeofday"),
 	"SYS_UNAME":         syscallAlternatives("newuname"),
-	"DO_FORK":           {"_do_fork", "do_fork"},
+	"DO_FORK":           {"_do_fork", "do_fork", "kernel_clone"},
 }
 
 func syscallAlternatives(syscall string) []string {

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ var functionAlternatives = map[string][]string{`
`41`	`41`	`"SYS_EXECVE": syscallAlternatives("execve"),`
`42`	`42`	`"SYS_GETTIMEOFDAY": syscallAlternatives("gettimeofday"),`
`43`	`43`	`"SYS_UNAME": syscallAlternatives("newuname"),`
`44`		`- "DO_FORK": {"_do_fork", "do_fork"},`
	`44`	`+ "DO_FORK": {"_do_fork", "do_fork", "kernel_clone"},`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`func syscallAlternatives(syscall string) []string {`