@theopolis I know you've slept since then, but do you recall what the decision was? :)
12/04/2019, 5:39 PM
Not sure, I could go read the code and see that the current implementation is. Mind if I ask for more context? I don’t there there were strong opinions either way so if we want to brainstorm an ideal flow we can work together to implement.
12/04/2019, 6:02 PM
Thanks much! I am working on a Perf Testing & Monitoring module for my osquery training, and am wanting to make sure I understand how blacklisting currently works. I have seen some of my queries blacklisted in production, but never went back to determine how many times they were executed before they were blacklisted. I can certainly test this to figure it out if need be....
@theopolis Based on my testing this morning, the query is blacklisted the first time it violates the watchdog constraints. Also learned something else - the blacklist mechanism does not apply to non-scheduled queries. Running an aggressive adhoc query via Fleet I see the watchdog killing the process & restarting it, but it picks right back up and continues to execute the aggressive query - watched it do this 10+ times. Had to restart the osquery service for it to stop executing the query.
12/09/2019, 10:19 PM
Good find, we should capture/discuss that in a GitHub issue or at office hours