#kolide
8p8c
10/17/2018, 4:43 AM
@pvirani It is entirely possible that there are changes in the filesystem for files like /etc/passwd and /etc/sudoers. It depends on the system and the settings, but atime can change frequently in response to activity of other programs (such as sudo).
pvirani
10/17/2018, 9:42 PM
Aah, very interesting! Thanks for that.
8p8c
10/17/2018, 9:48 PM
You should get the outputs for the queries that you're getting alerts on and see what changed. I can't know for sure why the alert triggered, since it depends on the specifics, but looking into the reasons is worth it.
pvirani
10/17/2018, 10:10 PM
Yeah, for sure.
10:10 PM
Since you seem to know a thing or two, would you know the best way to set alerting on changes to $PATH?
8p8c
10/19/2018, 10:31 PM
SELECT
  pe.key   AS variable_name,
  pe.value AS variable_value,
  p.name   AS process_name,
  p.path   AS process_binary,
  p.uid    AS user_id,
  u.username AS user_name
FROM process_envs AS pe
JOIN processes AS p ON p.pid = pe.pid
JOIN users AS u ON p.uid = u.uid
WHERE pe.key = 'PATH';
But I am unsure of the value you'd get from this. If a new process arrives with a different path string, it would probably make a different output from the last time the query ran. Perhaps you have a known-good list of paths the PATH variable should include, or know a pattern of dangerous ones?