Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
Premkumar R
03/26/2020, 1:14 PMWe are facing issue on MAC with OSQuery agent 4.x, It is not returning any values for cmdline.
I saw a open issue for windows, where windows agent is not able to grasp cmdline from PPL. Is this issue exists in MAC agent too? could please let me know the root cause of this issue
Is there any workaround to fix this issue?
osquery> select pid, name, start_time, cmdline from processes Limit 15;
+-----+----------------+------------+---------+
| pid | name | start_time | cmdline |
+-----+----------------+------------+---------+
| 0 | kernel_task | 1584971117 | |
| 1 | launchd | 1584971117 | |
| 42 | syslogd | 1584971127 | |
| 43 | UserEventAgent | 1584971127 | |
| 45 | sh | 1584971127 | |
| 47 | uninstalled | 1584971127 | |
| 48 | kextd | 1584971127 | |
| 49 | fseventsd | 1584971127 | |
| 51 | jamf | 1584971127 | |
| 52 | vpnagentd | 1584971127 | |
| 57 | appleeventsd | 1584971127 | |
| 58 | systemstats | 1584971127 | |
| 60 | configd | 1584971127 | |
| 62 | ciscod | 1584971127 | |
| 63 | powerd | 1584971127 | |
+-----+----------------+------------+---------+s
seph
03/26/2020, 3:30 PMThis example seems weird — most of these don’t have cmdline, they have paths.
Try something like
select count(cmdline) from processes where cmdline != "" ;Also notable is that there’s a difference in what yuou can see if you run as a user vs root.
Or
select cmdline from processes where name like "osquery%";As said in main thread, there’ clearly a behavior change