When using a unicast netlink socket, you can have only one userspace process registered to receive data from the kernel audit framework. If two are running, only one will receive data; the other will get nothing, and no errors.
Auditbeat could be enhanced to make it more user-friendly by detecting this condition and warning the user by logging a message and sending an error event to ES.
Detection could be accomplished by:
1. Periodically checking if the Auditbeat PID is registered as the recipient of audit data in the kernel. We can check the audit status and, if our PID isn't present, warn and try to fix the issue.
2. Dumping the process table and looking for "auditd".
I have a POC for the periodic check, but after testing I found out that a process cannot evict a running audit process. I mean, once a process sets the PID, it can only be changed by that same process or until it terminates, so the periodic check makes no sense.
In this case the solution is easier: you get an EEXISTS when setting the PID. This branch has a working sample (updating go-libaudit from the vendor folder directly). I have submitted the first patch to go-libaudit.
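As an added example (not Auditbeat's or go-libaudit's code), the check described in the comment above done in Python over a raw NETLINK_AUDIT socket: the AUDIT_SET request that claims the audit pid, a parser that recognises the kernel's EEXIST (errno 17) answer when another process such as auditd already owns it, and an AUDIT_GET reply parser for the "is our PID registered" status check. The function names and the sample replies are the example's own; the samples are constructed, not captured from a kernel.

```python
import os
import socket
import struct

# Values from <linux/netlink.h>, <linux/audit.h> and <errno.h>.
NETLINK_AUDIT = 9
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
NLMSG_ERROR = 2
NLMSG_HDRLEN = 16                 # struct nlmsghdr: len, type, flags, seq, pid
AUDIT_GET, AUDIT_SET = 1000, 1001
AUDIT_STATUS_PID = 0x0004         # audit_status.mask bit selecting the pid field
EEXIST = 17

def build_set_pid(pid, seq=1):
    """AUDIT_SET request claiming `pid` as the audit daemon (netlink dst pid 0).
    struct audit_status is 8 x u32: mask, enabled, failure, pid, rate_limit,
    backlog_limit, lost, backlog; only mask and pid are set here."""
    payload = struct.pack("=8I", AUDIT_STATUS_PID, 0, 0, pid, 0, 0, 0, 0)
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), AUDIT_SET,
                       NLM_F_REQUEST | NLM_F_ACK, seq, 0) + payload

def classify_reply(data):
    """'ok' on a clean ACK, 'taken' when the kernel answers -EEXIST because
    another process already holds audit_pid, else 'error:<errno>'."""
    mtype = struct.unpack("=IHHII", data[:NLMSG_HDRLEN])[1]
    if mtype != NLMSG_ERROR:          # a data message, not an ack
        return "ok"
    err = struct.unpack("=i", data[NLMSG_HDRLEN:NLMSG_HDRLEN + 4])[0]
    if err == 0:
        return "ok"
    return "taken" if -err == EEXIST else "error:%d" % -err

def registered_pid(data):
    """audit_pid from an AUDIT_GET reply (offset 12 into audit_status)."""
    if struct.unpack("=IHHII", data[:NLMSG_HDRLEN])[1] != AUDIT_GET:
        raise ValueError("not an AUDIT_GET reply")
    return struct.unpack("=I", data[NLMSG_HDRLEN + 12:NLMSG_HDRLEN + 16])[0]

# Constructed sample replies (not captured from a real kernel) for offline use.
SAMPLE_ACK = struct.pack("=IHHIIi", 36, NLMSG_ERROR, 0, 1, 0, 0) + bytes(16)
SAMPLE_TAKEN = struct.pack("=IHHIIi", 36, NLMSG_ERROR, 0, 1, 0, -EEXIST) + bytes(16)
SAMPLE_STATUS = struct.pack("=IHHII8I", 48, AUDIT_GET, 0, 1, 0,
                            0, 1, 1, 4242, 0, 320, 0, 0)  # audit_pid = 4242

def claim_audit_socket():
    """Try to register this process; needs CAP_AUDIT_CONTROL on Linux."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    s.bind((0, 0))                    # let the kernel assign our port id
    s.send(build_set_pid(os.getpid()))
    return classify_reply(s.recv(8192))
```

A "taken" result from claim_audit_socket() is the condition the issue asks Auditbeat to report; comparing registered_pid() of an AUDIT_GET reply with os.getpid() gives the status-based check.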