# kolide
u
@pvirani it is entirely possible that there are changes in the filesystem for files like `/etc/passwd` and `/etc/sudoers`. It depends on the system and the settings, but atime can change frequently in response to activity of other programs (such as sudo).
p
aah very interesting! Thanks for that
u
you should get the outputs for the queries that you're getting alerts on and see what changed. I can't know for sure why the alert triggered since it depends on the specifics, but looking into the reasons is worth it.
p
yeah for sure
since you seem to know a thing or two, would you know the best way to set alerting on changes to $PATH?
u
```sql
-- Every running process, the PATH value in its environment, and the owning user
SELECT pe.key AS variable_name,
       pe.value AS variable_value,
       p.name AS process_name,
       p.path AS process_binary,
       p.uid AS user_id,
       u.username AS user_name
FROM process_envs AS pe
JOIN processes AS p ON p.pid = pe.pid
JOIN users AS u ON p.uid = u.uid
WHERE pe.key = 'PATH';
```
but I am unsure of the value you'd get from this. If a new process arrives with a different path string, it would probably produce a different output from the last time the query ran. Perhaps you have a known good list of paths the PATH variable should include, or know a pattern of dangerous ones?