SUSE / linux-security-sensor

Linux security sensor

vql/linux/audit: register PID when auditd is not running #94

Open xTeixeira opened 6 months ago

xTeixeira commented 6 months ago

If the audit daemon PID is not set, register our own PID as audit daemon.

Fixes syslog getting flooded with audit events when auditd is not running.

jeffmahoney commented 6 months ago

There’s more going on here. If you claim the audit pid, you own the unicast socket, which is preferable to the multicast socket. The unicast socket, in the kernel, has all the logic to queue and report dropped events. The multicast socket is lossy.

You need to switch to the unicast socket if it’s available, switch back if it’s not, and catch reconfiguration events to detect these changes. It may need architectural changes.

That’s why it was a reach goal. It’s not as simple as claiming to be the audit pid.
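To make the discussion concrete, here is an added example (not code from the linux-security-sensor project or from either commenter) of the two audit netlink messages involved: the AUDIT_SET that registers a PID as the audit daemon, as the PR does, and the audit_status reply to an AUDIT_GET that tells you whether the slot is already taken and how many events the kernel has dropped. Function names are my own, and the byte layout assumes a little-endian host (netlink uses host byte order).

```go
package main

import "encoding/binary"
import "errors"

// Values from <linux/audit.h> and <linux/netlink.h>. Netlink is host byte
// order; this example assumes a little-endian host (x86-64, aarch64).
const (
	auditSet       = 1001   // AUDIT_SET: change the audit_status fields in mask
	auditStatusPID = 0x0004 // AUDIT_STATUS_PID: only the pid field is valid
	nlmReqAck      = 1 | 4  // NLM_F_REQUEST | NLM_F_ACK
)

// auditStatus holds the fields of struct audit_status used here
// (byte offsets 0, 4, 12 and 24 in the 44-byte struct).
type auditStatus struct{ Mask, Enabled, PID, Lost uint32 }

// buildSetPID is the registration the PR performs: an AUDIT_SET whose mask
// selects only the pid field, so enabled/failure/backlog settings stay as-is.
func buildSetPID(pid, seq uint32) []byte {
	le := binary.LittleEndian
	buf := make([]byte, 16+44) // sizeof(nlmsghdr) + sizeof(audit_status)
	le.PutUint32(buf[0:], uint32(len(buf))) // nlmsg_len
	le.PutUint16(buf[4:], auditSet)         // nlmsg_type
	le.PutUint16(buf[6:], nlmReqAck)        // nlmsg_flags
	le.PutUint32(buf[8:], seq)              // nlmsg_seq; nlmsg_pid left 0
	le.PutUint32(buf[16:], auditStatusPID)  // status.mask
	le.PutUint32(buf[16+12:], pid)          // status.pid
	return buf
}

// parseStatus decodes the audit_status payload of an AUDIT_GET (1000) reply,
// i.e. the bytes that follow the 16-byte nlmsghdr.
func parseStatus(payload []byte) (auditStatus, error) {
	if len(payload) < 28 {
		return auditStatus{}, errors.New("short audit_status payload")
	}
	le := binary.LittleEndian
	return auditStatus{
		Mask: le.Uint32(payload[0:]), Enabled: le.Uint32(payload[4:]),
		PID: le.Uint32(payload[12:]), Lost: le.Uint32(payload[24:]),
	}, nil
}

// shouldClaimPID is the PR's rule: take the auditd slot only when nobody holds
// it. The holder gets unicast delivery and the kernel's Lost counter; a live
// auditd must keep its slot.
func shouldClaimPID(s auditStatus) bool { return s.PID == 0 }
```

Send the AUDIT_SET bytes on an AF_NETLINK/NETLINK_AUDIT socket (CAP_AUDIT_CONTROL is required); the reviewer's point is that after doing so you must also read the unicast socket and re-check the status when auditd starts or stops, which this snippet does not attempt.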