Deal better with proceess ID recycling

[hillu]

Laurel keeps information in the shadow process table around for processes that are still alive or that are ancestors of processeses that are alive. Currently, it only keeps only information for one process per PID around.

Let's consider the following scenario:

• Process A (pid=100) spawns process B (pid=101)
• Everything that is observed about process B by auditd+laurel will contain SYSCALL.ppid=100, thus information from process A is added in SYSCALL.PPID.
• Process A exits
• A new process C is spawned and is assigned pid=100 by the kernel. Laurel updates its shadow process table.
• From now on, everything that is observed about process B will still contain SYSCALL.ppid=100, but the information that is added by laurel will be from C, even though C is not B's parent.

This could be fixed by adding timing information (=start of process) to the shadow process table.

[hillu]

A variant:

• Process E (pid=200) is recorded by auditd+laurel, terminates
• Process F comes into existence; it is assigned pid=200, but it is not recorded. (likely reason: fork without exec or explicit exclusions)
• Process F spawns process G
• Every event generated by process G gets wrong parent information.

[hillu]

168 demonstrates another issue spotted in production.