Thanks. But I guess it should be 'processes' table instead of 'system_info' ?

system_info

is used to return a single row of data for any device which does not have the desired process running. You could just as easily write:

SELECT 1
WHERE
  NOT EXISTS (SELECT * FROM processes WHERE name LIKE 'auditd%');

If you instead wrote

select * from processes

it would just return a giant list of the running processes for every device not running auditd, which doesn't sound like the goal you stated initially.

Ohh thanks, didn't know that.