From 488d1aac9658276012f03c2f1b8802af7733c94d Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 14 Oct 2022 09:36:28 -0400
Subject: [PATCH] Show process euid instead of uid.

---
 detection/evasion/missing-from-disk-linux.sql | 3 ++-
 detection/evasion/parent-missing-from-disk.sql | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql
index 9b9eea7..56c5325 100644
--- a/detection/evasion/missing-from-disk-linux.sql
+++ b/detection/evasion/missing-from-disk-linux.sql
@@ -1,9 +1,10 @@
 -- Processes that do not exist on disk
 --
 -- tags: periodic daemon
+-- platform: linux
 SELECT
  p.pid,
- p.uid,
+ p.euid,
  p.cmdline,
  p.path,
  mnt_namespace,
diff --git a/detection/evasion/parent-missing-from-disk.sql b/detection/evasion/parent-missing-from-disk.sql
index 20050d7..bdfe154 100644
--- a/detection/evasion/parent-missing-from-disk.sql
+++ b/detection/evasion/parent-missing-from-disk.sql
@@ -8,7 +8,7 @@ SELECT
  p.pid AS child_pid,
  p.path AS child_path,
  p.cmdline AS child_cmd,
- p.uid AS child_uid,
+ p.euid AS child_euid,
  p.gid AS child_gid,
  hash.path,
  p.on_disk AS child_on_disk,
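Review bot: Replacing `p.uid` with `p.euid` in missing-from-disk-linux.sql drops the real uid from the result. For a process whose binary is no longer on disk, the two values together are more useful for triage than either alone, since a row where they differ points at a setuid execution or a credential change after launch. Consider selecting both, `p.uid,` followed by `p.euid,`. The same applies to the second hunk in parent-missing-from-disk.sql, where `p.uid AS child_uid,` could stay next to `p.euid AS child_euid,`. The SELECT continues past the end of both hunks, so the FROM and WHERE clauses are not visible here.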
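Review bot: In parent-missing-from-disk.sql the child row now pairs an effective uid with a real gid, because `p.euid AS child_euid,` is followed by the unchanged `p.gid AS child_gid,`. If effective credentials are the intent, adding `p.egid AS child_egid,` would keep the pair consistent. The output column rename from `child_uid` to `child_euid` may also affect any alert exception or downstream consumer that keys on the old name; that cannot be checked from this hunk.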