What I believe to be a stock build and deb install on Ubuntu 22.04 of orbit and osqueryd has ~100 zombie sudo processes as children of the orbit process. I'm wondering what the cause of this is?
Some basic Unix debugging… What, if any, info do you have about the process? Can you check sudo logs to see what it's running? Regardless, orbit is a #fleet project, and you should check there. Osquery does not exec or call sudo.
All defunct (zombie) processes are labeled in pstree as "sudo". All defunct processes are children of orbit. Defunct processes are created once every 45 seconds. Running as root, strace -f -p $orbit_pid doesn't show any fork/execs in the syscall trace, but that could be an artifact of strace as root attached to a pid. The strace also doesn't show any wait system calls, just some successful epoll_wait. strace -f on the osqueryd process shows it just plugging along gathering data. /var/log/orbit exists as an empty directory.
Thanks for the help.