vql/linux/audit: register PID when auditd is not running

vql/linux/audit/audit_client.go

@@ -53,6 +53,13 @@ func (self *realCommandClient) GetStatus() (*libaudit.AuditStatus, error) {
 	return self.client.GetStatus()
 }
 
+func (self *realCommandClient) SetPID(wm libaudit.WaitMode) error {
+	if self.client == nil {
+		return clientNotOpenErr
+	}
+	return self.client.SetPID(wm)
+}
+
 func (self *realCommandClient) SetEnabled(enabled bool, wm libaudit.WaitMode) error {
 	if self.client == nil {
 		return clientNotOpenErr

vql/linux/audit/audit_service.go

@@ -90,6 +90,7 @@ type commandClient interface {
 	DeleteRule(rule []byte) error
 	GetRules() ([][]byte, error)
 	GetStatus() (*libaudit.AuditStatus, error)
+	SetPID(wm libaudit.WaitMode) error
 	SetEnabled(enabled bool, wm libaudit.WaitMode) error
 	Close() error
 }
@@ -243,6 +244,16 @@ func (self *auditService) runService() error {
 		self.logger.Info("audit: enabled kernel audit subsystem")
 	}
 
+	if status.PID == 0 {
+		err = self.commandClient.SetPID(libaudit.WaitForReply)
+		if err != nil {
+			cancel()
+			self.commandClient.Close()
+			self.listener.Close()
+			return fmt.Errorf("failed to set audit PID: %w", err)
+		}
+	}
+
 	// Can only fail if self is nil
 	reassembler, _ := libaudit.NewReassembler(5, 500*time.Millisecond, self)