Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

```
SELECT * from system_info
WHERE 
    NOT EXISTS (SELECT *
        FROM processes
        WHERE  name LIKE "%auditd%");
```

Thanks. But I guess it should be 'processes' table instead of 'system_info' ?

`system_info` is used to return a single row of data for any device which does not have the desired process running. You could just as easily write:

```
SELECT 1
WHERE
  NOT EXISTS (SELECT * FROM processes WHERE name LIKE 'auditd%');
```
If you instead wrote `select * from processes` it would just return a giant list of the running processes for every device not running auditd, which doesn't sound like the goal you stated initially.