osquery/osquery

Incorrect reporting for unix domain sockets on macOS

Opened this issue · 0 comments

Bug report

What operating system and version are you using?

osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 14.3
   build = 23D56
platform = darwin

What version of osquery are you using?

osqueryi --line "SELECT version from osquery_info;"
version = 5.11.0

What steps did you take to reproduce the issue?

  1. Open a unix domain socket: nc -lkU aSocket.sock (leave running)
  2. Query for it with listening_ports and process_open_sockets tables.

What did you expect to see?

process_open_sockets.family and listening_ports.family should be 1 instead of 0.

listening_ports.path should be nonempty.

What did you see instead?

osquery> select * from process_open_sockets where pid = 92233;
           pid = 92233
            fd =
        socket = 3
        family = 0
      protocol = 0
 local_address =
remote_address =
    local_port = 0
   remote_port = 0
          path = aSocket.sock
         state =

osquery> select * from listening_ports where pid = 92233;
     pid = 92233
    port = 0
protocol = 0
  family = 0
 address =
      fd = 0
  socket = 3
    path =

Looking at the code it seems the path issue may result from the family issue.

This line should be setting the value to 1?

This would then properly set the path?

if (socket.at("family") == kAF_UNIX) {
  r["port"] = "0";
  r["path"] = socket.at("path");
}
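Added example (not osquery's own code, and not part of the report): a simplified C++ model of the branch quoted above, fed with a row constructed from the issue's `process_open_sockets` output, to show why a `family` of `0` leaves `listening_ports.path` empty, plus a consistency check that flags such mis-reported rows. It assumes `AF_UNIX` is `1` (true on macOS and Linux) and that `buildListeningPortRow` / `findMisreportedUnixSockets` are hypothetical names.

```cpp
#include <map>
#include <string>
#include <vector>

using Row = std::map<std::string, std::string>;

// AF_UNIX is 1 on macOS and Linux; kept as a string to mirror how osquery rows hold values.
const std::string kAF_UNIX = "1";

// Simplified model of the listening_ports row-building branch quoted in the issue
// (assumption: not osquery's code verbatim, only the family/path logic it describes).
Row buildListeningPortRow(const Row& socket) {
  Row r;
  r["pid"] = socket.at("pid");
  r["fd"] = socket.at("fd");
  r["socket"] = socket.at("socket");
  r["family"] = socket.at("family");
  r["protocol"] = socket.at("protocol");
  if (socket.at("family") == kAF_UNIX) {
    // Unix domain socket: no port or address, the filesystem path identifies it.
    r["port"] = "0";
    r["address"] = "";
    r["path"] = socket.at("path");
  } else {
    // Any other family: the path column is intentionally left empty.
    r["port"] = socket.at("local_port");
    r["address"] = socket.at("local_address");
    r["path"] = "";
  }
  return r;
}

// Consistency check over process_open_sockets rows: a socket that carries a
// filesystem path but is not reported as AF_UNIX is the mis-reported shape shown above.
std::vector<Row> findMisreportedUnixSockets(const std::vector<Row>& sockets) {
  std::vector<Row> bad;
  for (const auto& s : sockets) {
    if (!s.at("path").empty() && s.at("family") != kAF_UNIX) {
      bad.push_back(s);
    }
  }
  return bad;
}

// Constructed sample mirroring the issue's output for pid 92233; family is
// parameterised so the reported ("0") and expected ("1") cases can be compared.
Row sampleSocketFromIssue(const std::string& family = "0") {
  return {{"pid", "92233"},   {"fd", ""},           {"socket", "3"},
          {"family", family}, {"protocol", "0"},    {"local_address", ""},
          {"local_port", "0"}, {"path", "aSocket.sock"}};
}
```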