Conversation

@fearful-symmetry
Contributor

Proposed commit message

This appears to be a long-running resource leak in auditbeat that happens under the following conditions:

  1. We get a fork kretprobe event
  2. auditbeat doesn't know if the return value from the kretprobe is the TID for a new thread, or a PID/TID for a new process, but assumes it's a PID/TID that represents a new process.
  3. Auditbeat gets an exit kprobe event when the process/thread exits
  4. Only if pid == tid for the given exiting process will it clean up the process hashmap entry
  5. A thread where pid != tid never gets cleaned up

This slightly alters the logic so if pid != tid && s.processExists(tid), we also clean up the entry for the TID on exit.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
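
The leak sequence described in the PR message, modelled as a small Go program. This is an added illustration, not auditbeat's code: the `state`, `onForkRet`, `onExit` and `event` names, the map layout and the event trace are all assumptions constructed for the example. It runs the same constructed trace (one new thread, one new child process, then both exiting) through the original `pid == tid` cleanup rule and through the amended rule that also drops the `tid` entry when `pid != tid && s.processExists(tid)`, and reports which map keys survive.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical model of the two probes the PR message describes; not auditbeat's real types.
type eventKind int

const (
	forkRet eventKind = iota // kretprobe on fork/clone: returns the new task's PID or TID
	exit                     // kprobe on exit: carries pid and tid of the exiting task
)

type event struct {
	kind eventKind
	pid  int // thread-group id of the exiting task (unused for forkRet)
	tid  int // task id; for forkRet this is the kretprobe return value
}

type process struct {
	pid int
}

// state is a stand-in for the socket dataset's process table, keyed by what the
// fork handler assumed was a PID.
type state struct {
	processes map[int]process
	fixed     bool // true: apply the amended exit cleanup rule
}

func newState(fixed bool) *state {
	return &state{processes: make(map[int]process), fixed: fixed}
}

func (s *state) processExists(id int) bool {
	_, ok := s.processes[id]
	return ok
}

// onForkRet mirrors step 2: the return value is recorded as a new process,
// whether it is really a PID or only the TID of a new thread.
func (s *state) onForkRet(ret int) {
	s.processes[ret] = process{pid: ret}
}

// onExit mirrors steps 3-5. The original rule only cleans up when pid == tid;
// the amended rule also removes the entry keyed by tid when pid != tid.
func (s *state) onExit(pid, tid int) {
	if pid == tid {
		delete(s.processes, pid)
		return
	}
	if s.fixed && s.processExists(tid) {
		delete(s.processes, tid)
	}
}

func (s *state) apply(evs []event) {
	for _, ev := range evs {
		switch ev.kind {
		case forkRet:
			s.onForkRet(ev.tid)
		case exit:
			s.onExit(ev.pid, ev.tid)
		}
	}
}

// sampleEvents is a constructed trace: process 1000 spawns thread 1001 via
// clone() and child process 1002 via fork(); then the thread and the child exit.
func sampleEvents() []event {
	return []event{
		{kind: forkRet, tid: 1001},         // clone() returns the new thread's TID
		{kind: forkRet, tid: 1002},         // fork() returns the new child's PID
		{kind: exit, pid: 1000, tid: 1001}, // thread exits: pid != tid
		{kind: exit, pid: 1002, tid: 1002}, // child process exits: pid == tid
	}
}

// leakedEntries runs the trace and returns the map keys that survive, sorted.
func leakedEntries(fixed bool) []int {
	s := newState(fixed)
	s.apply(sampleEvents())
	keys := make([]int, 0, len(s.processes))
	for k := range s.processes {
		keys = append(keys, k)
	}
	sort.Ints(keys)
	return keys
}

func main() {
	fmt.Println("original rule leaves:", leakedEntries(false)) // [1001]
	fmt.Println("amended rule leaves:", leakedEntries(true))   // []
}
```

With the original rule the thread's entry (key 1001) is never removed because its exit event arrives with pid 1000 != tid 1001; the amended rule checks `processExists(tid)` and deletes it, so nothing is left behind after the trace.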

@fearful-symmetry fearful-symmetry self-assigned this Oct 2, 2024
@fearful-symmetry fearful-symmetry requested a review from a team as a code owner October 2, 2024 16:18
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 2, 2024
@mergify
Contributor

mergify bot commented Oct 2, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @fearful-symmetry? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify
Contributor

mergify bot commented Oct 2, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Oct 2, 2024
@fearful-symmetry fearful-symmetry added Team:Security-Linux Platform Linux Platform Team in Security Solution and removed needs_team Indicates that the issue/PR needs a Team:* label labels Oct 2, 2024
@elasticmachine
Contributor

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

Contributor

@haesbaert haesbaert left a comment


Thanks for fixing this!

@fearful-symmetry fearful-symmetry merged commit 12e846b into elastic:main Oct 4, 2024
mergify bot pushed a commit that referenced this pull request Oct 4, 2024
* fix resource leak bug in auditbeat/socket

* linter..

* linter...

(cherry picked from commit 12e846b)
fearful-symmetry added a commit that referenced this pull request Oct 14, 2024
* fix resource leak bug in auditbeat/socket

* linter..

* linter...

(cherry picked from commit 12e846b)

Co-authored-by: Alex K. <[email protected]>
@khushijain21 khushijain21 mentioned this pull request Jun 23, 2025