Hi all! I'm trying to compare

/proc/<PID>/cmdline

to

/proc/<PID>/status

for this to work we need to read cmdline and status content, is this even possible with osquery ? To clarify, by comparison I mean just ensuring that both of them contain same

name

keyword

By design, osquery generally does not have simple file read abilities. You could review the process table to see if it does what you need. Or try for creative things with the audit subsystem. Or write a table