@pvirani it is entirely possible that there are changes in the filesystem for files like
. It depends on the system and the settings, but atime can change frequently in response to activity of other programs (such as sudo).
aah very interesting! Thanks for that
you should get the outputs for the queries that you're getting alerts on and see what changed. I can't know for sure why the alert triggered since it depends on the specifics, but looking into the reasons is worth it.
yeah for sure
since you seem to know a thing or two, would you know the best way to set alerting on changes to $PATH?
-- osquery: PATH as seen by each running process, with the owning user
SELECT
  pe.key   AS variable_name,
  pe.value AS variable_value,
  p.name   AS process_name,
  p.path   AS process_binary,
  p.uid    AS user_id,
  u.username AS user_name
FROM process_envs AS pe
JOIN processes AS p ON p.pid = pe.pid
JOIN users     AS u ON p.uid = u.uid
WHERE pe.key = 'PATH';
but I am unsure of the value you'd get from this. If a new process arrives with a different path string, it would probably make a different output from the last time the query ran. Perhaps you have a known good list of paths the PATH variable should include, or know a pattern of dangerous ones?