See denylisted queries/policies on the Host details page
Goal
| User story |
|---|
| As an endpoint operator on the Host details page, |
| I want to see when a query/policy is denylisted by the osquery watchdog |
| so that I know that I won't get updated host vitals until I debug the query/policy. |
Context
When a policy is denylisted, the UI shows as if the policy never ran. It is not obvious that there is an issue.
In addition, when osquery is killed due to 1 or more queries/policies, it is not obvious which query/policy is the culprit. Perhaps we need a debug flow that runs each policy one at a time. Or maybe run the policy standalone on a device if it is a new policy. Or, when an admin goes to host details and views policies, they can run just 1 policy (and not all policies) and get the performance for that run.
```
W0325 09:09:18.191121 1797648384 watcher.cpp:424] osqueryd worker (43241) stopping: Memory limits exceeded: 791101440 bytes (limit is 200MB)
```
This issue came out of debugging a performance-intensive policy: https://github.com/fleetdm/fleet/issues/17827
Changes
Product
- [ ] UI changes: TODO
- [ ] CLI usage changes: TODO
- [ ] REST API changes: TODO
- [ ] Permissions changes: TODO
- [ ] Outdated documentation changes: TODO
- [ ] Changes to paid features or tiers: TODO
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
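
The watchdog line quoted under Context can be picked out of an osqueryd log and turned into a structured event, which is the signal a host would need to report before the UI could show the problem. This is an added example, not part of the original issue or Fleet's code; the function name, the event field names, the two constructed sample lines and the reading of "MB" as 1024*1024 bytes are assumptions.

```python
import re

# glog prefix: severity + MMDD, time, thread id, source file:line, then the message.
GLOG = re.compile(
    r"^(?P<sev>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+(?P<thread>\d+) "
    r"(?P<src>[\w.]+:\d+)\] (?P<msg>.*)$"
)
WORKER_STOP = re.compile(r"osqueryd worker \((?P<pid>\d+)\) stopping: (?P<reason>.*)$")
MEMORY = re.compile(
    r"Memory limits exceeded: (?P<used>\d+) bytes \(limit is (?P<limit_mb>\d+)MB\)"
)

def parse_watchdog_stops(lines):
    """Return one dict per 'osqueryd worker (...) stopping' line (hypothetical helper)."""
    events = []
    for line in lines:
        g = GLOG.match(line.strip())
        if not g:
            continue  # not a glog-formatted line
        stop = WORKER_STOP.match(g["msg"])
        if not stop:
            continue  # glog line, but not a watchdog worker stop
        event = {
            "when": f"{g['month']}-{g['day']} {g['time']}",
            "source": g["src"],
            "pid": int(stop["pid"]),
            "reason": stop["reason"],
            "kind": "other",  # stop reasons other than memory are kept verbatim
        }
        mem = MEMORY.match(stop["reason"])
        if mem:
            used = int(mem["used"])
            limit = int(mem["limit_mb"]) * 1024 * 1024  # assumption: MB means MiB
            event.update(kind="memory", used_bytes=used, limit_bytes=limit,
                         over_limit_ratio=round(used / limit, 2))
        events.append(event)
    return events

SAMPLE_LOG = [
    # Line quoted in the issue:
    "W0325 09:09:18.191121 1797648384 watcher.cpp:424] osqueryd worker (43241) "
    "stopping: Memory limits exceeded: 791101440 bytes (limit is 200MB)",
    # Constructed lines that must be ignored:
    "I0325 09:09:20.000000 1797648384 example.cpp:1] constructed informational line",
    "constructed text that is not in glog format",
]

if __name__ == "__main__":
    for ev in parse_watchdog_stops(SAMPLE_LOG):
        print(ev)
```

The event identifies the worker process and how far over the limit it went, not the query that caused it, which is the gap the issue describes.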