# fleet
a
Hi, I am validating that the watchdog properly kills the process when a resource exceeds the watchdog level. Can anyone share some sample queries used to validate the watchdog, or is there any reference document to verify?
r
@AT Here is some documentation about osquery watchdog. This article also discusses watchdog in more depth.
f
anything joined to a hash table is generally considered risky in my experience. unless you constrain the scope of files, one user may have something like this run completely fine, and another will blow up if they have a ton of files or large archives in a target dir. ymmv
SELECT hash.md5, hash.sha256, file.path, file.directory, file.filename, file.mode, file.size,
       file.mtime, file.ctime, file.btime, file.symlink, file.type
FROM file
LEFT JOIN hash ON (file.path = hash.path)
WHERE file.type = 'regular'
  AND (file.path LIKE "/Users/%/Downloads/%"
       OR file.path LIKE "/Users/%/Desktop/%"
       OR file.path LIKE "C:\\users\\%\\Downloads\\%"
       OR file.path LIKE "C:\\users\\%\\Desktop\\%");
again, in my experience, wildcarding along with file-based queries can blow up. In my environment we store results in a data lake; you can analyze your historical scheduler performance with a base query like this. adding some metrics, it will be easy to stack rank your current troublemakers
SELECT * FROM `your_dataset.osquery_schedule` where denylisted = 1 LIMIT 1000
to answer your actual question, afaik, there is no "eicar" type query that is guaranteed to trip the watchdog as each deployment can have different settings. Maybe a dev can answer more authoritatively on that.
k
I'd expect something like
SELECT * FROM hash WHERE path LIKE '/%%'
would pretty reliably trigger the watchdog.
a
Thanks @Kathy Satterlee, I will run it now.