guestagent: start iptables audit watcher when auditing already enabled

Fixes a logic gap where, if auditing was already enabled at startup, the
code only set worthCheckingIPTables=true and did not launch
setWorthCheckingIPTablesRoutine. Without the routine the flag never
changes (never set false after idle, never toggled by NETFILTER_CFG
events), so the cached a.latestIPTables path is never used and behavior
differs from the “auditing just enabled” case.

Change:
- After confirming auditing is (or becomes) enabled, always set
  worthCheckingIPTables=true for the initial scan and always start
  setWorthCheckingIPTablesRoutine.
- Leave the non‑auditing fallback path unchanged.

This makes flag state transitions consistent regardless of initial
auditStatus.Enabled.

Signed-off-by: ashwat287 <[email protected]>

Author: ashwat287

pkg/guestagent/guestagent_linux.go

@@ -67,11 +67,11 @@ func New(ctx context.Context, newTicker func() (<-chan time.Time, func()), iptab
 				return nil, err
 			}
 		}
-
-		go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
-	} else {
-		a.worthCheckingIPTables = true
 	}
+
+	a.worthCheckingIPTables = true // allow initial iptables scan
+	go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
+
 	logrus.Infof("Auditing enabled (%d)", auditStatus.Enabled)
 	return startGuestAgentRoutines(ctx, a, true), nil
 }
@@ -111,7 +111,8 @@ type agent struct {
 // when no NETFILTER_CFG audit message was received for the iptablesIdle time.
 func (a *agent) setWorthCheckingIPTablesRoutine(auditClient *libaudit.AuditClient, iptablesIdle time.Duration) {
 	logrus.Info("setWorthCheckingIPTablesRoutine(): monitoring netfilter audit events")
-	var latestTrue time.Time
+	// Initialize to now so the first sleeper loop does not immediately mark it false.
+	latestTrue := time.Now()
 	go func() {
 		for {
 			time.Sleep(iptablesIdle)