Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mike Tonks
10/16/2021, 9:56 AMHi, I'm trying out osquery for the first time, and looks good but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit.
I'm using ubuntu and the disk was fully encrypted during the install, I think it uses LVM.
Here's some additional info:
osquery> SELECT version, build, platform FROM os_version;
version = 20.04.3 LTS (Focal Fossa)
build =
platform = ubuntuosquery> SELECT version from osquery_info;
version = 5.0.1osquery> select * from block_devices;
+----------------+--------------+--------+-------+------------+------------+------+------+-------+
| name | parent | vendor | model | size | block_size | uuid | type | label |
+----------------+--------------+--------+-------+------------+------------+------+------+-------+
| /dev/nvme0n1 | | | | 1000215216 | 512 | | | |
| /dev/nvme0n1p1 | /dev/nvme0n1 | | | 1048576 | | | | |
| /dev/nvme0n1p2 | /dev/nvme0n1 | | | 1499136 | | | | |
| /dev/nvme0n1p3 | /dev/nvme0n1 | | | 997664768 | | | | |
| /dev/loop0 | | | | 8 | 512 | | | |
...
| /dev/loop9 | | | | 133320 | 512 | | | |
| /dev/dm-0 | | | | 997660672 | 512 | | | |
| /dev/dm-1 | | | | 995647488 | 512 | | | |
| /dev/dm-2 | | | | 2007040 | 512 | | | |
+----------------+--------------+--------+-------+------------+------------+------+------+-------+
osquery> select * from disk_encryption;
osquery>lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 4K 1 loop /snap/bare/5
loop1 7:1 0 99.5M 1 loop /snap/core/11798
...
loop19 7:19 0 145.6M 1 loop /snap/chromium/1781
nvme0n1 259:0 0 477G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
├─nvme0n1p2 259:2 0 732M 0 part /boot
└─nvme0n1p3 259:3 0 475.7G 0 part
└─nvme0n1p3_crypt 253:0 0 475.7G 0 crypt
├─ubuntu--vg-root 253:1 0 474.8G 0 lvm /
└─ubuntu--vg-swap_1 253:2 0 980M 0 lvm [SWAP]Seems possibly related to https://github.com/osquery/osquery/issues/7207
Happy to raise a bug, thought I'd check in here first
s
seph
10/16/2021, 1:59 PMAre you running as root? Do you get any useful errors with
--verboseFWIW I’ve found it quite hard to detect and audit all the possible linux disk encryption options.
I should revisit this particular case, as it’s getting more common. I have some custom tables in Kolide’s launcher to try to help
m
Mike Tonks
10/16/2021, 2:10 PMah yes runnning
osqueryiosquery> select * from block_devices;
Configuration setting "activation/vdo_pool_autoextend_threshold" unknown.
Configuration setting "global/support_mirrored_mirror_log" unknown.
Configuration setting "global/event_activation" unknown.
Configuration setting "devices/scan_lvs" unknown.
Configuration setting "devices/allow_mixed_block_sizes" unknown.
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
| name | parent | vendor | model | size | block_size | uuid | type | label |
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
...
| /dev/dm-0 | | | | 997660672 | 512 | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | LVM2_member | |
| /dev/dm-1 | /dev/dm-0 | | | 995647488 | 512 | 330608bb-a6f1-447e-817f-7f1eb4d8104f | ext4 | UBUNTU |
| /dev/dm-2 | /dev/dm-0 | | | 2007040 | 512 | d1446d20-0643-4d76-8a80-f38bdcbfafb6 | swap | |
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+osquery> select * from disk_encryption;
+----------------+----------------------------------------+-----------+-----------------------+-------------------+
| name | uuid | encrypted | type | encryption_status |
+----------------+----------------------------------------+-----------+-----------------------+-------------------+
| /dev/nvme0n1 | | 0 | | not encrypted |
...
| /dev/loop9 | | 0 | | not encrypted |
| /dev/dm-0 | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | 1 | LUKS1-aes-xts-plain64 | encrypted |
| /dev/dm-1 | 330608bb-a6f1-447e-817f-7f1eb4d8104f | 1 | LUKS1-aes-xts-plain64 | encrypted |
| /dev/dm-2 | d1446d20-0643-4d76-8a80-f38bdcbfafb6 | 1 | LUKS1-aes-xts-plain64 | encrypted |
+----------------+----------------------------------------+-----------+-----------------------+-------------------+Not 100% clear but I think that's my disk. Thanks! Looks like user error 🙂
🙂 1
s
seph
10/16/2021, 2:30 PMI do think there's a case where it doesn't report. But I'm glad this solved it.
m
Mike Tonks
10/22/2021, 10:00 PMThanks for responding! Great to get some help I though this is a pretty obscure issue but being able to report on disk encryption is pretty important for us.