We are facing issue on MAC with OSQuery agent 4.x,...
# process-auditingp
Premkumar R
03/26/2020, 1:14 PMWe are facing issue on MAC with OSQuery agent 4.x, It is not returning any values for cmdline.
I saw a open issue for windows, where windows agent is not able to grasp cmdline from PPL. Is this issue exists in MAC agent too? could please let me know the root cause of this issue
Is there any workaround to fix this issue?
Copy code
osquery> select pid, name, start_time, cmdline from processes Limit 15;
+-----+----------------+------------+---------+
| pid | name | start_time | cmdline |
+-----+----------------+------------+---------+
| 0 | kernel_task | 1584971117 | |
| 1 | launchd | 1584971117 | |
| 42 | syslogd | 1584971127 | |
| 43 | UserEventAgent | 1584971127 | |
| 45 | sh | 1584971127 | |
| 47 | uninstalled | 1584971127 | |
| 48 | kextd | 1584971127 | |
| 49 | fseventsd | 1584971127 | |
| 51 | jamf | 1584971127 | |
| 52 | vpnagentd | 1584971127 | |
| 57 | appleeventsd | 1584971127 | |
| 58 | systemstats | 1584971127 | |
| 60 | configd | 1584971127 | |
| 62 | ciscod | 1584971127 | |
| 63 | powerd | 1584971127 | |
+-----+----------------+------------+---------+s
seph
03/26/2020, 3:30 PM
This example seems weird — most of these don’t have cmdline, they have paths.
seph
03/26/2020, 3:30 PM
Try something like
select count(cmdline) from processes where cmdline != "" ;seph
03/26/2020, 3:30 PM
Also notable is that there’s a difference in what yuou can see if you run as a user vs root.
seph
03/26/2020, 3:31 PM
Or
select cmdline from processes where name like "osquery%";seph
03/26/2020, 6:26 PM
As said in main thread, there’ clearly a behavior change
8 Views