
Conversation

@xTeixeira
Collaborator

If the audit daemon PID is not set, register our own PID as audit daemon.

Fixes syslog getting flooded with audit events when auditd is not running.


@djoreilly djoreilly left a comment


The mock client needs the method too.

$ go test -v ./vql/linux/audit
# www.velocidex.com/golang/velociraptor/vql/linux/audit [www.velocidex.com/golang/velociraptor/vql/linux/audit.test]
vql/linux/audit/audit_service_test.go:136:77: cannot use self.client (variable of type *mockCommandClient) as commandClient value in argument to newAuditService: *mockCommandClient does not implement commandClient (missing method SetPID)
FAIL	www.velocidex.com/golang/velociraptor/vql/linux/audit [build failed]
FAIL

@jeffmahoney
Member

There’s more going on here. If you claim the audit pid, you own the unicast socket, which is preferable to the multicast socket. The unicast socket, in the kernel, has all the logic to queue and report dropped events. The multicast socket is lossy.

You need to switch to the unicast socket if it’s available, switch back if it’s not, catch reconfiguration events to detect these changes. It may need architectural changes.

That’s why it was a reach goal. It’s not as simple as claiming to be the audit pid.
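The unicast-versus-multicast switching this comment describes, sketched as an added Go example by the editor; it is not code from the Velociraptor project or from this PR. It assumes the kernel's AUDIT_SET(AUDIT_STATUS_PID) rules from audit_receive_msg (a process may only register its own TGID, EEXIST while a healthy auditd is registered, EACCES when a non-owner tries to unregister) and models them in a fakeKernel so the logic runs offline. The auditControl interface, reader, fakeKernel and the TGID values are hypothetical names for illustration; a real client would back auditControl with a NETLINK_AUDIT socket and join AUDIT_NLGRP_READLOG for the multicast path.

```go
package main

import (
	"errors"
	"strings"
	"syscall"
)

// AUDIT_CONFIG_CHANGE (1305 in <linux/audit.h>); the kernel emits one whose text
// carries "op=set audit_pid=NEW old=OLD ..." whenever the audit daemon slot changes hands.
const auditConfigChange uint16 = 1305

// auditStatus is the part of struct audit_status (AUDIT_GET reply) used here: PID is the
// registered audit daemon, Lost counts events dropped from the unicast backlog.
type auditStatus struct {
	PID, Lost uint32
}

type mode int

const (
	modeMulticast mode = iota // AUDIT_NLGRP_READLOG group: no backlog, silent drops
	modeUnicast               // we hold audit_pid: kernel queues events and counts Lost
)

// auditControl is the AUDIT_GET / AUDIT_SET(AUDIT_STATUS_PID) control channel
// (NETLINK_AUDIT in production, the hypothetical fakeKernel below in this example).
type auditControl interface {
	Get() (auditStatus, error)
	SetPID(pid uint32) error
}

type reader struct {
	ctl  auditControl
	self uint32 // our TGID: the only value the kernel lets us register
	mode mode
	lost uint32 // last Lost counter seen while on the unicast socket
}

// reconcile chooses the socket to read from based on who owns audit_pid now.
func (r *reader) reconcile() (mode, error) {
	st, err := r.ctl.Get()
	if err != nil {
		return r.mode, err
	}
	switch {
	case st.PID == r.self: // still ours
		r.mode, r.lost = modeUnicast, st.Lost
	case st.PID == 0: // free slot: claim it; losing the race to auditd yields EEXIST
		if err = r.ctl.SetPID(r.self); err == nil {
			r.mode = modeUnicast
		} else if errors.Is(err, syscall.EEXIST) {
			r.mode = modeMulticast
		} else {
			return r.mode, err
		}
	default: // a real auditd owns it: read the lossy group until that changes
		r.mode = modeMulticast
	}
	return r.mode, nil
}

// onRecord re-evaluates on the AUDIT_CONFIG_CHANGE record for audit_pid, sent when
// auditd registers, unregisters, or is reset by the kernel after a socket error.
func (r *reader) onRecord(msgType uint16, text string) (mode, error) {
	if msgType != auditConfigChange || !strings.Contains(text, "audit_pid=") {
		return r.mode, nil
	}
	return r.reconcile()
}

// release hands the slot back (pid = 0) so a real auditd can start later; only the
// current owner is allowed to do this.
func (r *reader) release() error {
	if r.mode != modeUnicast {
		return nil
	}
	if err := r.ctl.SetPID(0); err != nil {
		return err
	}
	r.mode = modeMulticast
	return nil
}

// fakeKernel models the assumed AUDIT_SET(pid) rules: EINVAL unless pid is the caller's
// own TGID or 0, EEXIST while a healthy auditd is registered, EACCES for a foreign unregister.
type fakeKernel struct {
	st     auditStatus
	caller uint32 // TGID the next request comes from (constructed test input)
}

func (k *fakeKernel) Get() (auditStatus, error) { return k.st, nil }

func (k *fakeKernel) SetPID(pid uint32) error {
	switch {
	case pid != 0 && pid != k.caller:
		return syscall.EINVAL
	case k.st.PID != 0 && pid != 0:
		return syscall.EEXIST
	case k.st.PID != 0 && k.caller != k.st.PID:
		return syscall.EACCES
	}
	k.st.PID = pid
	return nil
}
```

If the kernel resets the slot after a failure to deliver to the registered daemon, the reader that held it may not see the matching AUDIT_CONFIG_CHANGE on its own unicast socket, so a production client would also poll AUDIT_GET periodically and call reconcile when PID differs from what it last saw, and it should call release on shutdown so a later auditd can register.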

@xTeixeira xTeixeira marked this pull request as draft February 2, 2024 12:48