-h --help

Display help information. For example:

    Traps-Mac:bin Traps$ sudo ./cytool
    Usage: cytool <options>
    cytool - Support tool
    Options:
      -h --help                                            Display help information.
      enum                                                 List processes protected by Traps.
      startup query                                        List startup status for Traps agent and daemons.
      startup <enable | disable> <process_name | all>      Enable/Disable Traps agent and daemons after reboot.
      runtime query                                        List runtime status for agent, daemons, and kernel extensions.
      runtime <start | stop> <process_name | all>          Start/Stop Traps agent, daemons, and kernel extensions immediately.
      persist list                                         Display persistent databases.
      persist export <db_name | db_path>                   Export databases in JSON format.
      persist import <db_name | db_path> <file_name>       Import data into the database from the given JSON file.
      persist print <db_name | db_path> [csv]              Print database to the command prompt.
      log <log_level> <process_name | all>                 Set log level for the desired process.
      log collect                                          Generate support file archive.
      wakeup                                               Wake up from OS incompatibility state.
      dump <enable | disable | restore>                    Enable/Disable dump generation or restore policy settings.
      checkin                                              Update Traps from server.
      opswat <installed | running | protected | version>   Check Traps Agent status and version.
enum

Enumerate protected processes.

Usage: sudo ./cytool enum

For example:

    Traps-Mac:bin Traps$ sudo ./cytool enum
    List of protected processes:
    Process name    Process ID    User
    Photos          2047          Traps
    Mail            2099          Traps
startup

Enable, disable, or query the startup state of Traps components.

Usage: sudo ./cytool startup <action> <component>

where:

    <action> —Change the startup action for a Traps component. Options are: enable, disable, query. The query option displays the startup status for each component.
    <component> —Target component for which to set the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl.

For example:

    Traps-Mac:bin Traps$ sudo ./cytool startup disable traps_agent pmd
    Process name    Startup status
    traps_agent     Disabled
    trapsd          Enabled
    authorized      Enabled
    pmd             Disabled
    kproc-ctrl      Loaded
    Traps-Mac:bin Traps$ sudo ./cytool startup enable all
    Process name    Startup status
    traps_agent     Enabled
    trapsd          Enabled
    authorized      Enabled
    pmd             Enabled
    kproc-ctrl      Loaded
runtime

Stop or start product components.

Usage: sudo ./cytool runtime <action> <component>

where:

    <action> —Change the runtime action for a Traps component. Options are: start, stop, query. The query option displays the runtime status for each component.
    <component> —Target component for which to set the runtime action, or all components if no components are specified. To change the runtime action for multiple components, list them with spaces separating each component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl.

For example:

    Traps-Mac:bin Traps$ sudo ./cytool runtime query
    Name          PID    User          Status    Command
    traps_agent   1055   Traps         Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
    trapsd        906    root          Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
    authorized    927    _traps_panw   Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
    pmd           909    root          Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
    kproc-ctrl    159    root          Loaded    com.paloaltonetworks.driver.kproc-ctrl
    Traps-Mac:bin Traps$ sudo ./cytool runtime stop all
    Name          PID    User          Status    Command
    authorized    N/A    N/A           STOPPED   N/A
    pmd           N/A    N/A           STOPPED   N/A
    traps_agent   N/A    N/A           STOPPED   N/A
    trapsd        N/A    N/A           STOPPED   N/A
    kproc-ctrl    N/A    N/A           Unloaded  N/A
    Traps-Mac:bin Traps$ sudo ./cytool runtime start all
    Name          PID    User          Status    Command
    system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
    authorized    1883   _traps_panw   Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
    pmd           1889   root          Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
    traps_agent   N/A    N/A           FAILED TO START   N/A
    trapsd        1901   root          Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
    kproc-ctrl    160    root          Loaded    com.paloaltonetworks.driver.kproc-ctrl
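As an added example that is not part of the Traps documentation or of cytool itself, the POSIX shell health check below parses `runtime query` output of the shape shown above and flags any daemon whose status is not Running, or a kproc-ctrl kernel extension that is not Loaded. The function names and the embedded sample output are constructed here; in production the sample is replaced by piping in `sudo ./cytool runtime query`.

```shell
#!/bin/sh
# Hypothetical health check for Traps components on macOS (not part of cytool).
# Feed it the output of `sudo ./cytool runtime query`; it reports every
# component whose Status is neither Running (daemons) nor Loaded (kproc-ctrl).

# Constructed sample, modelled on the `runtime start all` output in which
# traps_agent failed to start. Quoted heredoc so the embedded quotes survive.
SAMPLE_RUNTIME_OUTPUT=$(cat <<'EOF'
Name PID User Status Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
authorized 1883 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd 1889 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
traps_agent N/A N/A FAILED TO START N/A
trapsd 1901 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
kproc-ctrl 160 root Loaded com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# unhealthy_components: read cytool output on stdin and print, one per line,
# the Name of each row whose Status column (field 4) is neither Running nor
# Loaded. The header row and cytool's launchctl error line are skipped.
unhealthy_components() {
    awk '
        NR == 1 { next }                       # column header
        /^system call failed/ { next }         # error line, carries no Name field
        $4 != "Running" && $4 != "Loaded" { print $1 }
    '
}

# check_traps_runtime: exit status 0 when every component is healthy, 1
# otherwise, naming the failures on stderr so an MDM or cron job can alert.
check_traps_runtime() {
    bad=$(unhealthy_components)
    if [ -n "$bad" ]; then
        printf 'Traps component(s) not healthy: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample; in production use
#   sudo ./cytool runtime query | check_traps_runtime
if printf '%s\n' "$SAMPLE_RUNTIME_OUTPUT" | check_traps_runtime; then
    echo "all Traps components healthy"
else
    echo "Traps protection is degraded"
fi
```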
persist

Traps stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database.

Usage: sudo ./cytool persist <action>

where <action> is one of:

    list —List the local databases on the endpoint.
    export [<database name> | <database path>] —Export database table to a file in the /Library/Application Support/PaloAltoNetworks/Traps/bin/ directory.
    import [<database name> | <database path>] <file name> —Add records in a JSON file to the database.
    print <database name> | <database path> —Print the database, in comma-separated values (CSV) format, to the command prompt.

To view a list of all local databases, use the cytool persist list command.

    Traps-Mac:bin Traps$ sudo ./cytool persist list
    Persistent database list:
    fvhash.db               Database of blacklisted fvhashes
    hash_override.db        Database of hashes override (Admin exeptions)
    hashes.db               Database of the verdicts received from WildFire
    trusted_signers.db      Database of trusted signers
    post_detection.db       Database of post-detection candidates
    remediation_events.db   Database of remediation events
    file_upload.db          Database of files being uploaded
    hash_containers.db      Database of files and containers
    agent_actions.db        Database of one time actions
    cloud_reports.db        Database of Cloud reports
    policy.db               Database of policy data
    hash_paths.db           Database of file paths
    hashes_retransmit.db    Database of hashes to be retransmitted
    hashes_lru.db           Least recently used verdicts database
    agent_settings.db       Database of agent settings
    cloud_frontend.db       Database of Cloud frontend settings
    security_events.db      Database of security events (preventions)
log

Set log level for the desired process.

Usage: sudo ./cytool log <log_level> <components>

where:

    <log_level> is an integer value corresponding to the log level:
        0 —Disable logging
        1 —Fatal
        2 —Critical
        3 —Error
        4 —Warning
        5 —Notice
        6 —Information
        7 —Debug
        8 —Trace
    <components> is all or one or more of the following Traps components: trapsd, authorized, pmd, traps_agent, kproc-ctrl.

For example:

    Traps-Mac:bin Traps$ sudo ./cytool log 2 all

Then use the sudo ./cytool log collect command to generate a support file archive of all logs in a TGZ file. On Mac endpoints running OS X 10.10 and OS X 10.11, Cytool outputs the logs to the /var/log/traps directory. On Mac endpoints running macOS 10.12, you can view logs from the Console application.
wakeup

Wake up the endpoint from an OS incompatibility state.

    Traps-Mac:bin Traps$ sudo ./cytool wakeup
    SIGTERM caught
dump

Enable or disable dump generation, or restore policy settings.

    Traps-Mac:bin Traps$ sudo ./cytool dump enable
    Traps-Mac:bin Traps$ sudo ./cytool dump disable
    Traps-Mac:bin Traps$ sudo ./cytool dump restore
checkin

Initiate check-in to the server.

Usage: sudo ./cytool checkin

To verify the check-in, view the check-in time on the Traps console.
opswat

Check Traps Agent status and version.

Usage: sudo ./cytool opswat <parameter>

where <parameter> is:

    version —Display the version of Traps.
    installed —Display the Traps installation status (true if the com.paloaltonetworks.pkg.traps package is installed or false if the package is not installed). You must also supply the Traps supervisor password to view the status.
    running —Display the running status of Traps daemons (true if running or false).
    protected —Display the applied policy status (true if applied or false).

For example:

    Traps-Mac:bin Traps$ sudo ./cytool opswat version
    5.0.0.1042
    Traps-Mac:bin Traps$ sudo ./cytool opswat installed
    Password:
    true
    Traps-Mac:bin Traps$ sudo ./cytool opswat running
    true
    Traps-Mac:bin Traps$ sudo ./cytool opswat protected
    true