From 8d4d67eb929ff47c3c58da978e0ca7a9e17e1116 Mon Sep 17 00:00:00 2001
From: Antonio Teixeira
Date: Mon, 15 Jan 2024 10:55:13 -0300
Subject: [PATCH] vql/linux/audit: register PID when auditd is not running

If the audit daemon PID is not set, register our own PID as audit daemon.
---
 vql/linux/audit/audit_client.go | 7 +++++++
 vql/linux/audit/audit_service.go | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/vql/linux/audit/audit_client.go b/vql/linux/audit/audit_client.go
index 2e014f5d0..859c395f8 100644
--- a/vql/linux/audit/audit_client.go
+++ b/vql/linux/audit/audit_client.go
@@ -53,6 +53,13 @@ func (self *realCommandClient) GetStatus() (*libaudit.AuditStatus, error) {
 	return self.client.GetStatus()
 }
 
+func (self *realCommandClient) SetPID(wm libaudit.WaitMode) error {
+	if self.client == nil {
+		return clientNotOpenErr
+	}
+	return self.client.SetPID(wm)
+}
+
 func (self *realCommandClient) SetEnabled(enabled bool, wm libaudit.WaitMode) error {
 	if self.client == nil {
 		return clientNotOpenErr
diff --git a/vql/linux/audit/audit_service.go b/vql/linux/audit/audit_service.go
index 3376663fe..1c1e8f620 100644
--- a/vql/linux/audit/audit_service.go
+++ b/vql/linux/audit/audit_service.go
@@ -90,6 +90,7 @@ type commandClient interface {
 	DeleteRule(rule []byte) error
 	GetRules() ([][]byte, error)
 	GetStatus() (*libaudit.AuditStatus, error)
+	SetPID(wm libaudit.WaitMode) error
 	SetEnabled(enabled bool, wm libaudit.WaitMode) error
 	Close() error
 }
@@ -243,6 +244,16 @@ func (self *auditService) runService() error {
 		self.logger.Info("audit: enabled kernel audit subsystem")
 	}
 
+	if status.PID == 0 {
+		err = self.commandClient.SetPID(libaudit.WaitForReply)
+		if err != nil {
+			cancel()
+			self.commandClient.Close()
+			self.listener.Close()
+			return fmt.Errorf("failed to set audit PID: %w", err)
+		}
+	}
+
 	// Can only fail if self is nil
 	reassembler, _ := libaudit.NewReassembler(5, 500*time.Millisecond, self)
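Review bot: The new SetPID wrapper in audit_client.go takes only a WaitMode, so a reader cannot tell from the signature which PID gets registered; the commit message says it is this process's own PID, and that is worth stating on the method. Suggested doc comment above the declaration: `// SetPID registers the calling process as the kernel audit daemon (the PID is not a parameter; it is always our own), returning clientNotOpenErr if the netlink client is not open.` The neighbouring GetStatus and SetEnabled wrappers have the same shape, so the nil-client guard itself is consistent with the file.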
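Review bot: The `status.PID == 0` branch in runService silently takes over the kernel audit daemon slot, while the enable branch just above it logs what it did; this action has a visible operational effect (audit records are routed to this process and a later auditd start may find the slot occupied, assuming the kernel does not allow a live daemon to be displaced), so it should be logged the same way, e.g. `self.logger.Info("audit: registered as kernel audit daemon")` after a successful SetPID. A why-comment on the guard would also help: `// auditd is not running (no registered PID); register ourselves so the kernel delivers records to us.` Note that `status` was read before the enable step outside this hunk, so if auditd starts in between the SetPID call may be refused and surface through the existing error path, which is acceptable but worth a sentence in the comment. The cancel/Close/Close cleanup looks to be the same sequence as the earlier error paths in this function, so a single deferred or helper cleanup would remove the repetition; runService begins and ends outside the hunk.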