#linux

Mike Tonks

10/16/2021, 9:56 AM
Hi, I'm trying out osquery for the first time, and it looks good, but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit. I'm using Ubuntu and the disk was fully encrypted during the install; I think it uses LVM.
9:57 AM
Here's some additional info:
osquery> SELECT version, build, platform FROM os_version;
 version = 20.04.3 LTS (Focal Fossa)
   build = 
platform = ubuntu
osquery> SELECT version from osquery_info;
version = 5.0.1
Disk does not show in block_devices:
osquery> select * from block_devices;
+----------------+--------------+--------+-------+------------+------------+------+------+-------+
| name           | parent       | vendor | model | size       | block_size | uuid | type | label |
+----------------+--------------+--------+-------+------------+------------+------+------+-------+
| /dev/nvme0n1   |              |        |       | 1000215216 | 512        |      |      |       |
| /dev/nvme0n1p1 | /dev/nvme0n1 |        |       | 1048576    |            |      |      |       |
| /dev/nvme0n1p2 | /dev/nvme0n1 |        |       | 1499136    |            |      |      |       |
| /dev/nvme0n1p3 | /dev/nvme0n1 |        |       | 997664768  |            |      |      |       |
| /dev/loop0     |              |        |       | 8          | 512        |      |      |       |
...
| /dev/loop9     |              |        |       | 133320     | 512        |      |      |       |
| /dev/dm-0      |              |        |       | 997660672  | 512        |      |      |       |
| /dev/dm-1      |              |        |       | 995647488  | 512        |      |      |       |
| /dev/dm-2      |              |        |       | 2007040    | 512        |      |      |       |
+----------------+--------------+--------+-------+------------+------------+------+------+-------+

osquery> select * from disk_encryption;
osquery>
lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0     4K  1 loop  /snap/bare/5
loop1                     7:1    0  99.5M  1 loop  /snap/core/11798
...
loop19                    7:19   0 145.6M  1 loop  /snap/chromium/1781
nvme0n1                 259:0    0   477G  0 disk
├─nvme0n1p1             259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2             259:2    0   732M  0 part  /boot
└─nvme0n1p3             259:3    0 475.7G  0 part
  └─nvme0n1p3_crypt     253:0    0 475.7G  0 crypt
    ├─ubuntu--vg-root   253:1    0 474.8G  0 lvm   /
    └─ubuntu--vg-swap_1 253:2    0   980M  0 lvm   [SWAP]
9:59 AM
Happy to raise a bug, thought I'd check in here first.

seph

10/16/2021, 1:59 PM
Are you running as root? Do you get any useful errors with --verbose?
2:01 PM
FWIW I’ve found it quite hard to detect and audit all the possible Linux disk encryption options. I should revisit this particular case, as it’s getting more common. I have some custom tables in Kolide’s launcher to try to help.

Mike Tonks

10/16/2021, 2:10 PM
ah yes, running osqueryi as root seems to improve things, missed that 🙂
2:11 PM
osquery> select * from block_devices;
  Configuration setting "activation/vdo_pool_autoextend_threshold" unknown.
  Configuration setting "global/support_mirrored_mirror_log" unknown.
  Configuration setting "global/event_activation" unknown.
  Configuration setting "devices/scan_lvs" unknown.
  Configuration setting "devices/allow_mixed_block_sizes" unknown.
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
| name           | parent       | vendor | model | size       | block_size | uuid                                   | type        | label  |
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
...
| /dev/dm-0      |              |        |       | 997660672  | 512        | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | LVM2_member |        |
| /dev/dm-1      | /dev/dm-0    |        |       | 995647488  | 512        | 330608bb-a6f1-447e-817f-7f1eb4d8104f   | ext4        | UBUNTU |
| /dev/dm-2      | /dev/dm-0    |        |       | 2007040    | 512        | d1446d20-0643-4d76-8a80-f38bdcbfafb6   | swap        |        |
+----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
2:11 PM
osquery> select * from disk_encryption;
+----------------+----------------------------------------+-----------+-----------------------+-------------------+
| name           | uuid                                   | encrypted | type                  | encryption_status |
+----------------+----------------------------------------+-----------+-----------------------+-------------------+
| /dev/nvme0n1   |                                        | 0         |                       | not encrypted     |
...
| /dev/loop9     |                                        | 0         |                       | not encrypted     |
| /dev/dm-0      | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | 1         | LUKS1-aes-xts-plain64 | encrypted         |
| /dev/dm-1      | 330608bb-a6f1-447e-817f-7f1eb4d8104f   | 1         | LUKS1-aes-xts-plain64 | encrypted         |
| /dev/dm-2      | d1446d20-0643-4d76-8a80-f38bdcbfafb6   | 1         | LUKS1-aes-xts-plain64 | encrypted         |
+----------------+----------------------------------------+-----------+-----------------------+-------------------+
2:12 PM
Not 100% clear but I think that's my disk. Thanks! Looks like user error 🙂

seph

10/16/2021, 2:30 PM
I do think there's a case where it doesn't report. But I'm glad this solved it.

Mike Tonks

10/22/2021, 10:00 PM
Thanks for responding! Great to get some help. I thought this is a pretty obscure issue, but being able to report on disk encryption is pretty important for us.