The `processes` table on Mac OS has a column that is missing from the documentation
https://github.com/osquery/osquery/blob/598983db97459f858e7a9cc5c731409ffc089b48/specs/processes.table#L1
On my Mac I get the following columns:
CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `elevated_token` INTEGER HIDDEN, `secure_process` INTEGER HIDDEN, `protection_type` TEXT HIDDEN, `virtual_process` INTEGER HIDDEN, `elapsed_time` BIGINT HIDDEN, `handle_count` BIGINT HIDDEN, `percent_processor_time` BIGINT HIDDEN, `upid` BIGINT, `uppid` BIGINT, `cpu_type` INTEGER, `cpu_subtype` INTEGER, `translated` INTEGER, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;
The last column phys_footprint is missing from the documentation.
Looking around a little, the phys_footprint was renamed to total_size, and left as an alias. This was implemented in #2412. It's not much for documentation, but in the processes.table file you link to, it can be seen at https://github.com/osquery/osquery/blob/598983db97459f858e7a9cc5c731409ffc089b48/specs/processes.table#L21-L22
It's been renamed for a while; it wouldn't be wrong to just remove the old name.
@directionless it's an alias, but shouldn't it return the same results as what it aliases? Here's what I see.
osquery> select name,phys_footprint,total_size,wired_size,resident_size from processes where name is "Notes";
+-------+----------------+------------+------------+---------------+
| name  | phys_footprint | total_size | wired_size | resident_size |
+-------+----------------+------------+------------+---------------+
| Notes |                | 395317248  | 4096       | 226889728     |
+-------+----------------+------------+------------+---------------+
@stanimirivanovde this column name is a legacy of osquery being developed for the Mac first, before its tables were made to attempt to return equivalent data from other platforms like Linux and Windows. The macOS kernel has always had a special accounting table for a process's memory resource usage that it called "physical footprint." If you run `man footprint` there is some good in-depth explanation of this that I have not seen anywhere else. This number is the same one returned as MEM by top and Memory by Activity Monitor.app. It is made to be efficient and useful for comparing or ranking the memory usage of your running applications, but osquery is reporting it in total_size now, and not using quite the same memory metric for the same column on other platforms (Linux, Windows). For instance, on Linux, it's the vmSize field in procfs.
But yeah, since phys_footprint is confusing and a macOS-specific term and it apparently isn't working in the table, would we like to just delete that alias?