# general
j
I ran into a problem earlier today running this query from Akamai (https://www.akamai.com/blog/security-research/openssl-vulnerability-how-to-effectively-prepare#:~:text=vendors%20as%20we[…]ow%3F,-While%20there%20is) to find vulnerable OpenSSL versions on osquery 4.8.0. It caused all of the servers queried to use large amounts of memory that was not released until the server was restarted. I'm trying to figure out whether the osquery watchdog process is enabled by default and just failed to terminate the process, or whether the watchdog is something that has to be enabled. Also, I think this YARA bug was fixed in 5.4.0, which I need to upgrade to. Mainly I'm just trying to figure out the root cause.
j
The watchdog is enabled by default. You would have to use the flag `--disable_watchdog=true` to disable it completely, although it is recommended to just set the level to -1 with the flag `--watchdog_level=-1`. You can see more information about those flags, and about the watchdog in general, at https://osquery.readthedocs.io/en/stable/installation/cli-flags/#flagfile
If I were you, I would upgrade osquery to 5.5.1 and try again. YARA rules can take up a lot of resources, but I would only start disabling the watchdog after trying with a newer version of osquery. Good luck!
j
@javuto I wanted the watchdog to kill the process. It failed to do that, which caused out-of-memory issues on the servers osquery was running on =/ I will upgrade the clients, though.