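-- Long-running root processes in osquery's own mount namespace whose
-- executable (or, for interpreter-hosted daemons, full command line) is
-- not on the allowlist below. Parent and hash context are emitted so a
-- hit can be triaged without a follow-up query.
--
-- Columns: pid, name, path, euid, gid, ctime, dirname, cmdline,
-- mnt_namespace, sha256, parent_name, parent_cmdline.
--
-- String literals use single quotes on purpose: in SQLite (osquery's
-- engine) double quotes denote identifiers and only fall back to string
-- literals when no such column resolves, so "osqueryd" is fragile while
-- 'osqueryd' is unambiguous.
SELECT
    p.pid,
    p.name,
    p.path,
    p.euid,
    p.gid,
    f.ctime,
    f.directory AS dirname,
    p.cmdline,
    pn.mnt_namespace,
    h.sha256,
    pp.name AS parent_name,
    pp.cmdline AS parent_cmdline
FROM processes AS p
-- LEFT JOINs keep the process row even when the file/hash lookups find
-- nothing (those columns come back NULL); a running root process whose
-- executable can no longer be read is itself worth seeing.
LEFT JOIN file AS f
    ON p.path = f.path
LEFT JOIN process_namespaces AS pn
    ON p.pid = pn.pid
LEFT JOIN hash AS h
    ON p.path = h.path
LEFT JOIN processes AS pp
    ON p.parent = pp.pid
WHERE p.uid = 0
    -- Skip very young processes to cut noise from short-lived helpers.
    -- Assumes p.start_time is in epoch seconds — confirm for the osquery
    -- version in use, since older Linux builds reported seconds since boot.
    AND (strftime('%s', 'now') - p.start_time) > 15
    -- Use osquery's own mount namespace as the reference, so processes in
    -- other namespaces (containers) are left to a separate check. A process
    -- with no process_namespaces row (NULL) is dropped here as well.
    AND pn.mnt_namespace IN (
        SELECT DISTINCT opn.mnt_namespace
        FROM process_namespaces AS opn
        INNER JOIN processes AS op
            ON op.pid = opn.pid
        WHERE op.name IN ('osqueryi', 'osqueryd')
    )
    -- Allowlist of executable paths. Path is the only key, so the emitted
    -- sha256 should be compared against known-good values during triage
    -- rather than trusting the path alone.
    AND p.path NOT IN (
        '', -- not a file-based process (e.g. kernel thread)
        '/sbin/apcupsd',
        '/snap/snapd/17029/usr/lib/snapd/snapd', -- also covered by the snapd LIKE below
        '/usr/bin/abrt-dump-journal-core',
        '/usr/bin/abrt-dump-journal-oops',
        '/usr/bin/abrt-dump-journal-xorg',
        '/usr/bin/pacman',
        '/usr/bin/fish',
        '/usr/bin/anacron',
        '/usr/bin/apcupsd',
        '/usr/bin/containerd-shim-runc-v2',
        '/usr/bin/containerd',
        '/usr/bin/crond',
        '/usr/bin/docker-proxy',
        '/usr/bin/dockerd',
        '/usr/bin/gdm',
        '/usr/bin/gpg-agent',
        '/usr/bin/journalctl',
        '/usr/bin/lightdm',
        '/usr/bin/osqueryd',
        '/usr/bin/sshd',
        '/usr/bin/tailscaled',
        '/usr/bin/wpa_supplicant',
        '/usr/lib/gdm-session-worker',
        '/usr/lib/software-properties/software-properties-dbus',
        '/usr/lib/systemd/systemd-homed',
        '/usr/lib/systemd/systemd-journald',
        '/usr/lib/systemd/systemd-machined',
        '/usr/lib/systemd/systemd',
        '/usr/lib/udisks2/udisksd',
        '/usr/lib/Xorg',
        '/usr/libexec/accounts-daemon',
        '/usr/libexec/docker/docker-proxy',
        '/usr/libexec/flatpak-system-helper',
        '/usr/lib/flatpak-system-helper',
        '/usr/libexec/gdm-session-worker',
        '/usr/libexec/packagekitd',
        '/usr/libexec/polkitd',
        '/usr/libexec/scdaemon',
        '/usr/libexec/snapd/snapd',
        '/usr/libexec/sssd/sssd_kcm',
        '/usr/libexec/udisks2/udisksd',
        '/usr/sbin/abrt-dbus',
        '/usr/sbin/abrtd',
        '/usr/sbin/acpid',
        '/usr/sbin/alsactl',
        '/usr/sbin/anacron',
        '/usr/sbin/cron',
        '/usr/sbin/cups-browsed',
        '/usr/sbin/cupsd',
        '/usr/sbin/gdm',
        '/usr/sbin/gdm3',
        '/usr/sbin/gssproxy',
        '/usr/sbin/pcscd',
        '/usr/sbin/tailscaled',
        '/usr/sbin/wpa_supplicant',
        '/usr/sbin/zed'
    )
    -- Interpreter-hosted daemons are allowlisted by exact command line so
    -- that the python3 interpreter itself does not have to be allowlisted.
    AND p.cmdline NOT IN (
        '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
        '/usr/bin/python /usr/bin/firewalld --nofork --nopid',
        '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
        '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers'
    )
    -- Versioned install locations that cannot be listed literally.
    -- Note: SQLite LIKE is case-insensitive for ASCII, so these patterns
    -- are slightly broader than the literal paths above.
    AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
    AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
    AND p.path NOT LIKE '/nix/store/%/bin/%'
    AND p.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
    AND p.path NOT LIKE '/nix/store/%/libexec/%'
    AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'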