Incorrect reporting for unix domain sockets on macOS
zwass commented
Bug report
What operating system and version are you using?
osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 14.3
build = 23D56
platform = darwin
What version of osquery are you using?
osqueryi --line "SELECT version from osquery_info;"
version = 5.11.0
What steps did you take to reproduce the issue?
- Open a unix domain socket: nc -lkU aSocket.sock (leave running)
- Query for it with listening_ports and process_open_sockets tables.
What did you expect to see?
process_open_sockets.family and listening_ports.family should be 1 instead of 0.
listening_ports.path should be nonempty.
What did you see instead?
osquery> select * from process_open_sockets where pid = 92233;
pid = 92233
fd =
socket = 3
family = 0
protocol = 0
local_address =
remote_address =
local_port = 0
remote_port = 0
path = aSocket.sock
state =
osquery> select * from listening_ports where pid = 92233;
pid = 92233
port = 0
protocol = 0
family = 0
address =
fd = 0
socket = 3
path =
Looking at the code it seems the path issue may result from the family issue.
This line should be setting the value to 1? This would then properly set the path?
osquery/osquery/tables/networking/listening_ports.cpp
Lines 42 to 44 in b9720d9
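A way to spot affected rows in saved `osqueryi --line` output and recover the missing `listening_ports.path` by joining on `(pid, socket)`, as an added example that is not part of the original report or of osquery's code. It assumes `socket` identifies the same socket in both tables (in the report both show 3); `parse_line_mode` and `affected_rows` are hypothetical helper names, and the sample rows are abridged from the report plus one constructed TCP row.

```python
AF_UNIX = 1  # the family value the report expects for unix domain sockets

def parse_line_mode(text):
    """Parse osqueryi --line output ("key = value" lines) into a list of row dicts."""
    rows, row = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if line.startswith("osquery>"):
            sep = ""                      # echoed prompt line, not a column
        if (not sep or key in row) and row:
            rows.append(row)              # blank line, prompt or repeated column ends a row
            row = {}
        if sep:
            row[key] = value.strip()
    return rows + ([row] if row else [])

def affected_rows(open_sockets, listening):
    """Return (table, pid, socket, path) for rows showing the reported symptoms."""
    # Assumption: (pid, socket) names the same socket in both tables.
    paths = {(r["pid"], r["socket"]): r["path"] for r in open_sockets if r["path"]}
    hits = [("process_open_sockets", r["pid"], r["socket"], r["path"])
            for r in open_sockets if r["path"] and int(r["family"]) != AF_UNIX]
    for r in listening:
        key = (r["pid"], r["socket"])
        if not r["path"] and int(r["family"]) != AF_UNIX and key in paths:
            hits.append(("listening_ports", *key, paths[key]))   # path recovered by join
    return hits

# Abridged from the report's output (columns trimmed); the second listening row is constructed.
OPEN_SOCKETS = """\
osquery> select * from process_open_sockets where pid = 92233;
pid = 92233
socket = 3
family = 0
path = aSocket.sock
"""
LISTENING = """\
pid = 92233
family = 0
socket = 3
path =

pid = 4242
family = 2
socket = 7
path =
"""
if __name__ == "__main__":
    print(affected_rows(parse_line_mode(OPEN_SOCKETS), parse_line_mode(LISTENING)))
```

The constructed TCP row (family 2, no path) is not flagged, because no `process_open_sockets` row with a path shares its `(pid, socket)`.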