Linux Agent Recursive Self-Spawn
Detects AI agent Python or Node processes where both the parent and child process are the same interpreter binary, indicating recursive self-spawning that can rapidly exhaust process table limits and trigger cascading system failures.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
Recursive self-spawning creates a fork-bomb pattern that can rapidly exhaust the operating system's process table, rendering the OCI instance completely unresponsive. This may be triggered by a misspecified agent goal, a recursive tool call chain, or an adversarial prompt designed to cause denial of service.
Sample Logs
{"timestamp":"2025-01-10T13:30:00Z","computer_name":"oci-worker-37","user":"agent_svc","image":"/usr/bin/python3","command_line":"python3 /opt/agent/run.py","parent_image":"/usr/bin/python3","parent_command_line":"python3 /opt/agent/run.py"}Required Fields
False Positives
- ·Test harnesses that spawn Python subprocesses to run individual tests in isolation
- ·Multiprocessing.Process() usage where Python spawns Python subprocesses for CPU-bound parallelism
Tuning Guidance
Focus on cases where the child command-line matches the parent command-line exactly, suggesting true recursive self-replication rather than legitimate subprocess usage with different arguments.