it is entirely possible that there are changes in

Question

< pvirani> it is entirely possible that there are changes in filesystem for files like ` etc passwd` and ` etc sudoers` It depends on the system and the settings but atime can change frequently in response to activity of other programs such as sudo

pvirani · Answer

aah very interesting Thanks for that

8p8c · Answer

you should get the outputs for the queries that you re getting alerts on and see what changed I can t know for sure why the alert triggered since it depends on the specifics but looking into the reasons is worth it

pvirani · Answer

yeah for sure

pvirani · Answer

since you seem to know a thing or two would you know the best way to set alerting on changes to $PATH

8p8c · Answer

`SELECT pe key AS variable name pe value AS variable value p name AS process name p path AS process binary p uid AS user id u username AS user name FROM process envs AS pe JOIN processes AS p ON p pid=pe pid JOIN users AS u ON p uid=u uid WHERE pe key= PATH ` but i am unsure of the value you d get from this if a new process arrives with a different path string it would probably make a different output from the last time the query ran perhaps you have a known good list of paths the PATH variable should include or known a pattern of dangerous ones