I ran into a problem earlier today running this qu...
# general
I ran into a problem earlier today running this query from akamai https://www.akamai.com/blog/security-research/openssl-vulnerability-how-to-effectively-prepare#:~:text=vendors%20as%20we[…]ow%3F,-While%20there%20is to find vulnerable openssl versions on osquery 4.8.0 causing all of the servers queried to use large amounts of memory that was not released till the server was restarted. I'm trying to figure out if the osquery watchdog process is enabled by default and if it just failed to terminate the process? Or is watchdog something that has to be enabled. Also i think this yara bug was fixed in 5.4.0 which I need to upgrade to. Mainly just trying to figure out the root cause.
The watchdog is enabled by default, you will have to use the flag
to disable completely, although it is recommended to just set the level to
with the flag
You can see more information about those flags and in general the watchdog in https://osquery.readthedocs.io/en/stable/installation/cli-flags/#flagfile
If I were you, I would upgrade osquery to
and try again, yara rules can take up a lot of resources, but I will only start disabling the watchdog after I tried with a newer version of osquery. Good luck!
@javuto I wanted the watchdog to kill the process. It failed to do that which caused out of memory issues on the servers osquery was running on =/ I will upgrade the clients though.