audit: search for a process using the ppid

auditd events provides the parent pid of a process which has created
a connection. If we don't find the socket inode under the pid of the
process, use the ppid.

This is normally the case when systemd-* spawns a new process which
creates a new connection.

daemon/procmon/parse.go

@@ -23,9 +23,24 @@ func getPIDFromAuditEvents(inode int, inodeKey string, expect string) (int, int)
 			return pid, n
 		}
 	}
+	for n := 0; n < len(auditEvents); n++ {
+		ppid := auditEvents[n].PPid
+		if inodeFound("/proc/", expect, inodeKey, inode, ppid) {
+			return ppid, n
+		}
+	}
 	return -1, -1
 }
 
+// GetPIDFromINode tries to get the PID from a socket inode follwing these steps:
+// 1. Get the PID from the cache of Inodes.
+// 2. Get the PID from the cache of PIDs.
+// 3. Look for the PID using one of these methods:
+//    - ftrace: listening processes execs/exits from /sys/kernel/debug/tracing/
+//    - audit:  listening for socket creation from auditd.
+//    - proc:   search /proc
+//
+// If the PID is not found by one of the 2 first methods, it'll try it using /proc.
 func GetPIDFromINode(inode int, inodeKey string) int {
 	found := -1
 	if inode <= 0 {
@@ -35,7 +50,7 @@ func GetPIDFromINode(inode int, inodeKey string) int {
 	cleanUpCaches()
 
 	expect := fmt.Sprintf("socket:[%d]", inode)
-	if cachedPidInode := GetPidByInodeFromCache(inodeKey); cachedPidInode != -1 {
+	if cachedPidInode := getPidByInodeFromCache(inodeKey); cachedPidInode != -1 {
 		log.Debug("Inode found in cache", time.Since(start), inodesCache[inodeKey], inode, inodeKey)
 		return cachedPidInode
 	}
@@ -101,6 +116,9 @@ func parseEnv(proc *Process) {
 	}
 }
 
+// FindProcess checks if a process exists given a PID.
+// If it exists in /proc, a new Process{} object is returned with  the details
+// to identify a process (cmdline, name, environment variables, etc).
 func FindProcess(pid int, interceptUnknown bool) *Process {
 	if interceptUnknown && pid < 0 {
 		return NewProcess(0, "")