Cytool for Mac

Traps Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 5.0
Creation date: 2022-09-01
Last date published: 2023-01-04
Category: Administrator Guide

Cytool is a command-line interface integrated into Traps that lets you query and manage both basic and advanced Traps functions. Any changes that you make using Cytool remain in effect only until Traps receives the next heartbeat communication from the Traps management service, which reapplies the managed configuration.

On Mac endpoints, you can access Cytool as a super user using a terminal. Cytool is located in the /Library/Application Support/PaloAltoNetworks/Traps/bin directory on the endpoint.

The following help output lists the Cytool options available on Mac endpoints:

Traps-Mac:bin Traps$ sudo ./cytool

Usage: cytool <options>
cytool - Support tool

Options:
-h --help                                           Display help information.
enum                                                List processes protected by Traps.
startup query                                       List startup status for Traps agent and daemons.
startup <enable | disable> <process_name | all>     Enable/Disable Traps agent and daemons after reboot.
runtime query                                       List runtime status for agent, daemons, and kernel extensions.
runtime <start | stop> <process_name | all>         Start/Stop Traps agent, daemons, and kernel extensions immediately.
persist list                                        Display persistent databases.
persist export <db_name | db_path>                  Export databases in JSON format.
persist import <db_name | db_path> <file_name>      Import data into the database from the given JSON file.
persist print <db_name | db_path> [csv]             Print database to the command prompt.
log <log_level> <process_name | all>                Set log level for the desired process.
log collect                                         Generate support file archive.
wakeup                                              Wake up from OS incompatibility state.
dump <enable | disable | restore>                   Enable/Disable dump generation or restore policy settings.
checkin                                             Update Traps from server.
opswat <installed | running | protected | version>  Check Traps Agent status and version. 

enum

Enumerate protected processes.

Usage: sudo ./cytool enum

For example:

Traps-Mac:bin Traps$ sudo ./cytool enum
List of protected processes:
        Process name          Process ID             User
              Photos                2047            Traps
                Mail                2099            Traps

startup

Enable, disable, or query the startup state of Traps components.

Usage: sudo ./cytool startup <action> <component>

where:

  • <action>—Startup action to apply to the component. Options are: enable, disable, query. The query option displays the startup status for each component and takes no component argument.

  • <component>—One or more target components, separated by spaces, or all to target every component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl, all

For example:

Traps-Mac:bin Traps$ sudo ./cytool startup disable traps_agent pmd
                  Process name                Startup status
                   traps_agent                      Disabled
                        trapsd                      Enabled
                    authorized                      Enabled
                           pmd                      Disabled
                    kproc-ctrl                      Loaded
Traps-Mac:bin Traps$ sudo ./cytool startup enable all
                  Process name                Startup status
                   traps_agent                      Enabled
                        trapsd                      Enabled
                    authorized                      Enabled
                           pmd                      Enabled
                    kproc-ctrl                      Loaded

runtime

Start, stop, or query the runtime state of Traps components.

Usage: sudo ./cytool runtime <action> <component>

where:

  • <action>—Runtime action to apply to the component. Options are: start, stop, query. The query option displays the runtime status (PID, user, status, and command) for each component and takes no component argument.

  • <component>—One or more target components, separated by spaces, or all to target every component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl, all

For example:

Traps-Mac:bin Traps$ sudo ./cytool runtime query
         Name    PID         User              Status		Command
  traps_agent   1055        Traps             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd    906         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   authorized    927  _traps_panw             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd    909         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
   kproc-ctrl    159         root              Loaded		com.paloaltonetworks.driver.kproc-ctrl
Traps-Mac:bin Traps$ sudo ./cytool runtime stop all
         Name    PID         User              Status		Command
   authorized    N/A          N/A             STOPPED		N/A
          pmd    N/A          N/A             STOPPED		N/A
  traps_agent    N/A          N/A             STOPPED		N/A
       trapsd    N/A          N/A             STOPPED		N/A
   kproc-ctrl    N/A          N/A            Unloaded		N/A
Traps-Mac:bin Traps$ sudo ./cytool runtime start all
         Name    PID         User              Status		Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
   authorized   1883  _traps_panw             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd   1889         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
  traps_agent    N/A          N/A     FAILED TO START		N/A
       trapsd   1901         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   kproc-ctrl    160         root              Loaded		com.paloaltonetworks.driver.kproc-ctrl

In this sample output the root daemons and the kernel extension come back, but traps_agent, which runs as the logged-in user (Traps in this example) rather than as root, fails to start: the su/launchctl call that cytool issues returns status code 768 and the component is reported as FAILED TO START. After any start or stop, rerun sudo ./cytool runtime query and confirm that every daemon reports Running and kproc-ctrl reports Loaded before treating the endpoint as protected again.
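As an added example (not part of the Traps documentation and not a Palo Alto Networks tool), the script below turns the runtime query table shown above into a pass/fail health check: every daemon must report Running and kproc-ctrl must report Loaded, and anything else, including the "system call failed" line from the runtime start all sample, is reported. The two embedded samples are constructed from the outputs on this page; the cytool path is the one the page gives, while the function names, the --live switch and the launcher-error label are this example's own.

```sh
#!/bin/sh
# Added example, not from the Traps documentation or Palo Alto Networks.
# Parses the table printed by `sudo ./cytool runtime query` and reports
# components that are not healthy. Healthy means Running for the daemons
# and Loaded for the kproc-ctrl kernel extension.

CYTOOL='/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool'

# Reads cytool runtime output on stdin. Prints one line per problem and
# exits 1 if there was any problem, 0 if every component is healthy.
failed_components() {
  awk '
    # cytool prints launcher errors between table rows; surface them.
    /^system call failed/ { print "launcher-error:", $0; bad++; next }

    # Table rows start with a component name. Fields are Name PID User,
    # then a Status that may contain spaces (FAILED TO START), then the
    # Command (a path, a kext bundle id, or N/A). awk splits on both
    # tabs and spaces, so the column separator does not matter here.
    $1 == "traps_agent" || $1 == "trapsd" || $1 == "authorized" ||
    $1 == "pmd" || $1 == "kproc-ctrl" {
      for (i = 4; i <= NF; i++)
        if ($i == "Running" || $i == "Loaded") next   # healthy row
      status = ""
      for (i = 4; i < NF; i++)                         # drop trailing Command
        status = status (status == "" ? "" : " ") $i
      if (status == "") status = $NF
      print $1, status
      bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample 1: the healthy `runtime query` output shown on this page.
SAMPLE_HEALTHY=$(cat <<'EOF'
         Name    PID         User              Status      Command
  traps_agent   1055        Traps             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd    906         root             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   authorized    927  _traps_panw             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd    909         root             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
   kproc-ctrl    159         root              Loaded      com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# Constructed sample 2: the `runtime start all` output shown on this page,
# in which the user-session process traps_agent failed to start.
SAMPLE_FAILED=$(cat <<'EOF'
         Name    PID         User              Status      Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
   authorized   1883  _traps_panw             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd   1889         root             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
  traps_agent    N/A          N/A     FAILED TO START      N/A
       trapsd   1901         root             Running      /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   kproc-ctrl    160         root              Loaded      com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# With --live (this example's own switch) query the installed agent, which
# needs root; otherwise run the check against the two constructed samples.
main() {
  if [ "${1:-}" = "--live" ]; then
    sudo "$CYTOOL" runtime query | failed_components
    return
  fi
  echo "healthy sample:"
  printf '%s\n' "$SAMPLE_HEALTHY" | failed_components && echo "  all components healthy"
  echo "failed sample:"
  printf '%s\n' "$SAMPLE_FAILED" | failed_components || echo "  -> endpoint is not fully protected"
}

main "$@"
```

Pipe the live output through failed_components from a monitoring job and alert on a non-zero exit; the startup query table has different columns (Process name, Startup status) and is not handled by this parser.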

persist

Traps stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database.

Usage: sudo ./cytool persist <action>

where <action> is one of:

  • list—List the local databases on the endpoint.

  • export <database name> | <database path>—Export the database, in JSON format, to a file in the /Library/Application Support/PaloAltoNetworks/Traps/bin/ directory.

  • import <database name> | <database path> <file name>—Add the records in the given JSON file to the database.

  • print <database name> | <database path> [csv]—Print the database to the command prompt; append csv to print it in comma-separated values (CSV) format.

To view a list of all local databases, use the cytool persist list command.

Traps-Mac:bin Traps$ sudo ./cytool persist list
Persistent database list:
             fvhash.db		Database of blacklisted fvhashes
      hash_override.db		Database of hashes override (Admin exeptions)
             hashes.db		Database of the verdicts received from WildFire
    trusted_signers.db		Database of trusted signers
     post_detection.db		Database of post-detection candidates
 remediation_events.db		Database of remediation events
        file_upload.db		Database of files being uploaded
    hash_containers.db		Database of files and containers
      agent_actions.db		Database of one time actions
      cloud_reports.db		Database of Cloud reports
             policy.db		Database of policy data
         hash_paths.db		Database of file paths
  hashes_retransmit.db		Database of hashes to be retransmitted
         hashes_lru.db		Least recently used verdicts database
     agent_settings.db		Database of agent settings
     cloud_frontend.db		Database of Cloud frontend settings
    security_events.db		Database of security events (preventions)

log

Set log level for the desired process.

Usage: sudo ./cytool log <log_level> <components>

where:

  • <log_level> is an integer value corresponding to the log level:

    • 0—Disable logging

    • 1—Fatal

    • 2—Critical

    • 3—Error

    • 4—Warning

    • 5—Notice

    • 6—Information

    • 7—Debug

    • 8—Trace

  • <components> is all or one or more of the following Traps components, separated by spaces: trapsd, authorized, pmd, traps_agent, kproc-ctrl.

For example:

Traps-Mac:bin Traps$ sudo ./cytool log 2 all

Then use the sudo ./cytool log collect command to generate a support file archive of all logs as a TGZ file. On Mac endpoints running OS X 10.10 and OS X 10.11, Cytool writes the logs to the /var/log/traps directory. On Mac endpoints running macOS 10.12, you can view the logs in the Console application.

wakeup

Wake up the endpoint from an OS incompatibility state.

Traps-Mac:bin Traps$ sudo ./cytool wakeup
SIGTERM caught

dump

Enable or disable dump generation or restore policy settings.

Traps-Mac:bin Traps$ sudo ./cytool dump enable
Traps-Mac:bin Traps$ sudo ./cytool dump disable
Traps-Mac:bin Traps$ sudo ./cytool dump restore

checkin

Initiate check-in to the server.

Usage: sudo ./cytool checkin

To verify the check-in, view the endpoint's last check-in time on the Traps console.

opswat

Check Traps Agent status and version.

Usage: sudo ./cytool opswat <parameter>

where <parameter> is:

  • version—Display the version of Traps.

  • installed—Display the Traps installation status (true if the com.paloaltonetworks.pkg.traps package is installed or false if the package is not installed). You must also supply the Traps supervisor password to view the status.

  • running—Display the running status of Traps daemons (true if running or false).

  • protected—Display the applied policy status (true if applied or false).

Traps-Mac:bin Traps$ sudo ./cytool opswat version
5.0.0.1042
Traps-Mac:bin Traps$ sudo ./cytool opswat installed
Password:
true
Traps-Mac:bin Traps$ sudo ./cytool opswat running
true
Traps-Mac:bin Traps$ sudo ./cytool opswat protected
true