wave I had recently rebased from 4 9 0 to 5 2 1 I used to b osquery #general

:wave: - I had recently rebased from 4.9.0 to 5.2....

Jonathan

02/18/2022, 11:45 PM

👋 - I had recently rebased from 4.9.0 to 5.2.1. I used to be able to query the

encrypted

field to fetch the disk encryption status. However, after the rebase, it seems that this field just returns blank? I was unable to find any breaking changes in the change logs for the tags in between. This change occurs specifically on linux machines, my macos and windows queries seem to be fine. Did I miss some change regarding this? Any help would be appreciated!

seph

02/19/2022, 12:07 AM

I’m not sure what you mean by

rebase

? That word usually refers to code branches….

seph

02/19/2022, 12:08 AM

I assume you’re talking abut the

disk_encryption

table? There have been some changes there, but nothing breaking like that.

Jonathan

02/19/2022, 12:18 AM

ah, for recent changes, are you referring to: https://github.com/osquery/osquery/commit/482f79b7e0fc648e8e7db74c444b6c88d4428464?

seph

02/19/2022, 12:19 AM

I was thinking of https://github.com/osquery/osquery/pull/7382 but that hasn’t merged yet

Jonathan

02/19/2022, 12:30 AM

hm, could there have been some difference in how osquery checks for encrypted since

4.9.0

? If it helps, i’m looking at:

mount_type

ext4

path

seph

02/19/2022, 12:32 AM

What are you running, exactly? Is this a custom fork, or is this official distributed osquery? Are you running as root? What query are you running? What is the output between these two different versions?

seph

02/19/2022, 12:33 AM

I’m not sure I can help much more, I don’t offhand remember changes there. But I’d have to check the source history. There’s not a lot here to debug from

4 Views

Open in Slack

Previous Next