Cytool for Mac

Cytool is a command-line interface integrated into Traps that lets you query and manage both basic and advanced Traps functions. Any change you make with Cytool stays in effect only until Traps receives the next heartbeat from the ESM Server, at which point the server-side policy is reapplied.
On Mac endpoints, you run Cytool from a terminal as a superuser (with sudo). Cytool is located in the /Library/Application Support/PaloAltoNetworks/Traps/bin directory on the endpoint.
The following sections describe the Cytool options available on Mac endpoints, with a usage example for each.
-h --help
Display the built-in help. Running cytool with no arguments prints the same usage summary.
Traps-Mac:bin Traps$ sudo ./cytool

Usage: cytool<options>
cytool - Support tool

Options:
-h --help                                           Display help information.
enum                                                List processes protected by Traps.
esm <connect | disconnect> [address=hostname:port]     Connect/Disconnect Traps to/from ESM.
startup query                                       List startup status for Traps agent and daemons.
startup <enable | disable> <process_name | all>     Enable/Disable Traps agent and daemons after reboot.
runtime query                                       List runtime status for agent, daemons, and kernel extensions.
runtime <start | stop> <process_name | all>         Start/Stop Traps agent, daemons, and kernel extensions immediately.
persist list                                        Display persistent databases.
persist export <db_name | db_path>                  Export databases in JSON format.
persist import <db_name | db_path> <file_name>      Import data into the database from the given JSON file.
persist print <db_name | db_path> [csv]             Print database to the command prompt.
log <log_level> <process_name | all>                Set log level for the desired process.
log collect                                         Generate support file archive.
wakeup                                              Wake up from OS incompatibility state.
dump <enable | disable | restore>                   Enable/Disable dump generation or restore policy settings.
checkin                                             Update Traps from server.
opswat <installed | running | protected | version | last_update_time>  Check Traps Agent status and version. 
enum
Enumerate protected processes.
Usage: sudo ./cytool enum
For example:
Traps-Mac:bin Traps$ sudo ./cytool enum
List of protected processes:
        Process name          Process ID             User
              Photos                2047            Traps
                Mail                2099            Traps
esm
Connect or disconnect from an ESM Server.
Usage: sudo ./cytool esm connect http[s]://<hostname|IP address>:<port>
Usage: sudo ./cytool esm disconnect
Use http or https depending on the communication settings of the ESM Server. Disconnecting stops the agent from receiving policy and heartbeat updates until you reconnect it or the agent checks in again.
For example:
Traps-Mac:bin Traps$ sudo ./cytool esm disconnect
Traps-Mac:bin Traps$ sudo ./cytool esm connect http://203.0.113.35:2125
startup
Enable, disable, or query the startup state of Traps components.
Usage: sudo ./cytool startup <action> <component>
where:
  • <action>—Change startup action for a Traps component. Options are: enable, disable, query. The query option displays the startup status for each component.
  • <component>—Target component for which to set the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl
For example:
Traps-Mac:bin Traps$ sudo ./cytool startup disable traps_agent pmd
                  Process name                Startup status
                   traps_agent                      Disabled
                        trapsd                      Enabled
                    authorized                      Enabled
                           pmd                      Disabled
                    kproc-ctrl                      Loaded
Traps-Mac:bin Traps$ sudo ./cytool startup enable all
                  Process name                Startup status
                   traps_agent                      Enabled
                        trapsd                      Enabled
                    authorized                      Enabled
                           pmd                      Enabled
                    kproc-ctrl                      Loaded
runtime
Stop or start product components.
Usage: sudo ./cytool runtime <action> <component>
where:
  • <action>—Change the runtime action for a Traps component. Options are: start, stop, query. The query option displays the runtime status (PID, user, status, and command path) for each component.
  • <component>—Target component for which to set the runtime action, or all to act on every component. To change the runtime action for multiple components, list them with spaces separating each component. Options are: traps_agent, trapsd, authorized, pmd, kproc-ctrl
For example:
Traps-Mac:bin Traps$ sudo ./cytool runtime query
         Name    PID         User              Status		Command
  traps_agent   1055        Traps             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd    906         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   authorized    927  _traps_panw             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd    909         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
   kproc-ctrl    159         root              Loaded		com.paloaltonetworks.driver.kproc-ctrl
Traps-Mac:bin Traps$ sudo ./cytool runtime stop all
         Name    PID         User              Status		Command
   authorized    N/A          N/A             STOPPED		N/A
          pmd    N/A          N/A             STOPPED		N/A
  traps_agent    N/A          N/A             STOPPED		N/A
       trapsd    N/A          N/A             STOPPED		N/A
   kproc-ctrl    N/A          N/A            Unloaded		N/A
Traps-Mac:bin Traps$ sudo ./cytool runtime start all
         Name    PID         User              Status		Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
   authorized   1883  _traps_panw             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd   1889         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
  traps_agent   1899        Traps        	  Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd   1901         root             Running		/Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   kproc-ctrl    160         root              Loaded		com.paloaltonetworks.driver.kproc-ctrl
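When you check a fleet of endpoints, the runtime query table is what you want to inspect programmatically: every daemon should be Running and the kernel extension Loaded, and a component that is absent from the table is as much of a problem as one that is STOPPED. The script below is an added example and is not part of the Traps documentation or product. It parses the table format shown above (the component names, the path to cytool, and the diagnostic line it tolerates are all taken from this page; the sample tables are constructed) and reports every component that is missing or not healthy. Rows are recognised by their PID column, so a stray diagnostic line such as the "system call failed ..." message shown in the runtime start all output is ignored rather than misread as a component.

```shell
#!/bin/sh
# Added example, not from the Traps documentation or product: health check over
# the table printed by `sudo ./cytool runtime query`.

# Location of the real binary on a Mac endpoint (from this page). Only used by
# check_live_endpoint, which needs root and is not run in the demo below.
CYTOOL="/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool"

# Components this page lists for the Mac agent. kproc-ctrl is a kernel
# extension and reports Loaded/Unloaded instead of Running/STOPPED.
EXPECTED="traps_agent trapsd authorized pmd kproc-ctrl"

# runtime_problems: read a runtime-query table on stdin and print
# "<name> <status>" for each expected component that is absent or not
# Running/Loaded. Exit status 1 if anything was reported, 0 if all healthy.
# A row is only trusted when its PID column is a number or N/A, so the header
# and any interleaved diagnostic text are skipped.
runtime_problems() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, want, " ") }
        $2 ~ /^[0-9]+$/ || $2 == "N/A" { status[$1] = $4 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in status)) {
                    print c " MISSING"; bad = 1
                } else if (status[c] != "Running" && status[c] != "Loaded") {
                    print c " " status[c]; bad = 1
                }
            }
            exit bad
        }'
}

# check_live_endpoint: run the real query on the endpoint (requires sudo).
check_live_endpoint() {
    sudo "$CYTOOL" runtime query | runtime_problems
}

# Constructed sample: the page's table after `runtime stop pmd`, with the
# kproc-ctrl row absent and a diagnostic line of the kind the tool can print.
SAMPLE_DEGRADED=$(cat <<'EOF'
         Name    PID         User              Status    Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start traps_agent.plist"', returned status code=768
  traps_agent   1055        Traps             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd    906         root             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   authorized    927  _traps_panw             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd    N/A          N/A             STOPPED    N/A
EOF
)

# Constructed sample: every component healthy.
SAMPLE_HEALTHY=$(cat <<'EOF'
         Name    PID         User              Status    Command
  traps_agent   1899        Traps             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/traps_agent.app/Contents/MacOS/traps_agent
       trapsd   1901         root             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd
   authorized   1883  _traps_panw             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
          pmd   1889         root             Running    /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
   kproc-ctrl    160         root              Loaded    com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# Demo on the degraded sample: prints "pmd STOPPED" and "kproc-ctrl MISSING".
printf '%s\n' "$SAMPLE_DEGRADED" | runtime_problems || echo "Traps runtime is degraded"
```

On a live endpoint, replace the demo line with check_live_endpoint and use its exit status from your monitoring tooling; a non-zero result after runtime start all usually means a component could not be launched and the log collect archive is the next thing to pull.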
persist
Traps stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database.
Usage: sudo ./cytool persist <action>
where <action>:
  • list—List the local databases on the endpoint.
  • export [<database name> | <database path>]—Export the database, in JSON format, to a file in the /Library/Application Support/PaloAltoNetworks/Traps/bin/ directory.
  • import [<database name> | <database path>] <file name>—Add the records in a JSON file (for example, one produced by export) to the database.
  • print <database name> | <database path> [csv]—Print the database to the command prompt; add csv to print it in comma-separated values (CSV) format.
To view a list of all local databases, use the cytool persist list command.
Traps-Mac:bin Traps$ sudo ./cytool persist list
Persistent database list:
             fvhash.db		Database of blacklisted fvhashes
      hash_override.db		Database of hashes override (Admin exeptions)
             hashes.db		Database of the verdicts received from WildFire
    trusted_signers.db		Database of trusted signers
     post_detection.db		Database of post-detection candidates
 remediation_events.db		Database of remediation events
        file_upload.db		Database of files being uploaded
    hash_containers.db		Database of files and containers
      agent_actions.db		Database of one time actions
      cloud_reports.db		Database of Cloud reports
             policy.db		Database of policy data
         hash_paths.db		Database of file paths
  hashes_retransmit.db		Database of hashes to be retransmitted
         hashes_lru.db		Least recently used verdicts database
     agent_settings.db		Database of agent settings
     cloud_frontend.db		Database of Cloud frontend settings
    security_events.db		Database of security events (preventions)
log
Set the log level for the desired process.
Usage: sudo ./cytool log <log_level> <components>
where:
  • <log_level> is an integer value corresponding to the log level:
    • 0—Disable logging
    • 1—Fatal
    • 2—Critical
    • 3—Error
    • 4—Warning
    • 5—Notice
    • 6—Information
    • 7—Debug
    • 8—Trace
  • <components> is all, or one or more of the following Traps components separated by spaces: trapsd, authorized, pmd, traps_agent, kproc-ctrl.
For example:
Traps-Mac:bin Traps$ sudo ./cytool log 2 all
Then use the sudo ./cytool log collect command to generate a support file archive of all logs as a TGZ file. On Mac endpoints running OS X 10.10 and OS X 10.11, Cytool writes the logs to the /var/log/traps directory. On Mac endpoints running macOS 10.12, you can view the logs in the Console application. Higher log levels (7 or 8) are verbose; return to a lower level after collecting the archive so the logs do not fill the disk.
wakeup
Wake up the endpoint from an OS incompatibility state.
Traps-Mac:bin Traps$ sudo ./cytool wakeup
SIGTERM caught
dump
Enable or disable dump generation or restore policy settings.
Traps-Mac:bin Traps$ sudo ./cytool dump enable
Traps-Mac:bin Traps$ sudo ./cytool dump disable
Traps-Mac:bin Traps$ sudo ./cytool dump restore
checkin
Initiate check-in to the server.
Usage: sudo ./cytool checkin
To verify the checkin, view the check-in time on the Traps console.
opswat
Check Traps Agent status and version.
Usage: sudo ./cytool opswat <parameter>
where <parameter> is:
  • installed—Display the Traps installation status (true if the com.paloaltonetworks.pkg.traps package is installed or false if the package is not installed). You must also supply the Traps supervisor password to view the status.
  • running—Display the running status of Traps daemons (true if running or false).
  • protected—Display the applied policy status (true if applied or false).
  • version—Display the version of Traps.
  • last_update_time—Display the date and time of the last successful check-in with the ESM Server.
Traps-Mac:bin Traps$ sudo ./cytool opswat version
4.2.0.1042
Traps-Mac:bin Traps$ sudo ./cytool opswat installed
Password:
true
Traps-Mac:bin Traps$ sudo ./cytool opswat running
true
Traps-Mac:bin Traps$ sudo ./cytool opswat protected
true
Traps-Mac:bin Traps$ sudo ./cytool opswat last_update_time
Password:Fri Jun 22 09:24:20 2018 -0700 (%a %b %d %H:%M:%S %Y %z)