Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I have a task to monitor outbound connections from production environments. One item that keeps showing up is `sudo ls /proc/12345/fd` where 12345 is a process ID. Why is this command considered an outbound connection?

`SELECT user.username, proc.name, hash.md5, socket.pid, proc.path, proc.cmdline, socket.local_port, socket.remote_port, socket.remote_address FROM process_open_sockets as socket, processes as proc, users as user, hash as hash where socket.local_port not in (select port from listening_ports) and socket.local_port != 0 and socket.pid = proc.pid and user.uid = proc.uid and hash.path = proc.path;`

It would not surprise me if sudo did something that looked like a socket. That table is more than just network sockets. 

If things change fast, you'll see a race condition for pid reuse. 

Is there a qualifier in the process_open_sockets table that indicates whether it is a network socket? I don't have access to the box to manually query it.

Both `process_open_sockets` and `listening_ports` have columns for family. The meaning there is os dependent.