8p8c
10/17/2018, 4:43 AM/etc/passwd
and /etc/sudoers
. It depends on the system and the settings, but atime can change frequently in response to activity of other programs (such as sudo).pvirani
10/17/2018, 9:42 PM8p8c
10/17/2018, 9:48 PMpvirani
10/17/2018, 10:10 PM8p8c
10/19/2018, 10:31 PMSELECT pe.key AS variable_name, pe.value AS variable_value, p.name AS process_name, p.path AS process_binary, p.uid AS user_id, u.username AS user_name FROM process_envs AS pe JOIN processes AS p ON p.pid=pe.pid JOIN users AS u ON p.uid=u.uid WHERE pe.key='PATH';
but i am unsure of the value you'd get from this.
if a new process arrives with a different path string, it would probably make a different output from the last time the query ran.
perhaps you have a known good list of paths the PATH variable should include, or known a pattern of dangerous ones?