Saluki · January 28, 2019 10:44
diff --git a/container-osquery_root.sql b/container-osquery_root.sql
 -- Detect contains with process that run with the root user
 SELECT containers.name, processes.pid, processes.name, cmdline, user 
 FROM docker_container_processes processes 
 JOIN docker_containers containers ON containers.id=processes.id  
 WHERE processes.id IN (
 	SELECT id FROM docker_containers
 ) AND user="root";
	-- Detect contains with process that run with the root user
	SELECT containers.name, processes.pid, processes.name, cmdline, user
	FROM docker_container_processes processes
	JOIN docker_containers containers ON containers.id=processes.id
	WHERE processes.id IN (
	SELECT id FROM docker_containers
	) AND user="root";