# core

defensivedepth

11/25/2019, 9:12 PM
hey all - am wondering what was the outcome of this? https://osquery.slack.com/archives/C08VA3XQU/p1513560222000037
👀 1
@theopolis I know you've slept since then, but do you recall what the decision was? :)

theopolis

12/04/2019, 5:39 PM
Not sure, I could go read the code and see what the current implementation is. Mind if I ask for more context? I don't think there were strong opinions either way so if we want to brainstorm an ideal flow we can work together to implement.

defensivedepth

12/04/2019, 6:02 PM
Thanks much! I am working on a Perf Testing & Monitoring module for my osquery training, and am wanting to make sure I understand how blacklisting currently works. I have seen some of my queries blacklisted in production, but never went back to determine how many times they were executed before they were blacklisted. I can certainly test this to figure it out if need be....
@theopolis Based on my testing this morning, the query is blacklisted the first time it violates the watchdog constraints. Also learned something else - the blacklist mechanism does not apply to non-scheduled queries. Running an aggressive ad hoc query via Fleet I see the watchdog killing the process & restarting it, but it picks right back up and continues to execute the aggressive query - watched it do this 10+ times. Had to restart the osquery service for it to stop executing the query.
👍 1

theopolis

12/09/2019, 10:19 PM
Good find, we should capture/discuss that in a GitHub issue or at office hours
๐Ÿ‘ 1
d

defensivedepth

12/10/2019, 11:18 AM