#core
defensivedepth

11/25/2019, 9:12 PM
hey all - am wondering what was the outcome of this? https://osquery.slack.com/archives/C08VA3XQU/p1513560222000037
5:24 PM
@theopolis I know you've slept since then, but do you recall what the decision was? 😃
theopolis

12/04/2019, 5:39 PM
Not sure, I could go read the code and see what the current implementation is. Mind if I ask for more context? I don't think there were strong opinions either way so if we want to brainstorm an ideal flow we can work together to implement.
defensivedepth

12/04/2019, 6:02 PM
Thanks much! I am working on a Perf Testing & Monitoring module for my osquery training, and am wanting to make sure I understand how blacklisting currently works. I have seen some of my queries blacklisted in production, but never went back to determine how many times they were executed before they were blacklisted. I can certainly test this to figure it out if need be....
6:03 PM
@theopolis Based on my testing this morning, the query is blacklisted the first time it violates the watchdog constraints. Also learned something else - the blacklist mechanism does not apply to non-scheduled queries. Running an aggressive adhoc query via Fleet I see the watchdog killing the process & restarting it, but it picks right back up and continues to execute the aggressive query - watched it do this 10+ times. Had to restart the osquery service for it to stop executing the query.
theopolis

12/09/2019, 10:19 PM
Good find, we should capture/discuss that in a GitHub issue or at office hours
defensivedepth

12/10/2019, 11:18 AM