#macos
fritz

10/15/2020, 9:11 PM
Of note, and this should be considered by others using the `disk_encryption` table (perhaps @zwass knows the reason since he helped write it), you should always use a `CROSS JOIN` to call `disk_encryption` first in the `FROM` clause, otherwise the query runtime will be excessively slow, e.g.
osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from disk_encryption de
    ...> CROSS join mounts m on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /Volumes/Jeyi            | false     |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /                        | true      |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 0.723 user 0.189720 sys 0.154101

osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from mounts m
    ...> CROSS join disk_encryption de on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /                        | true      |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /Volumes/Jeyi            | false     |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 5.845 user 1.532276 sys 1.258735
zwass

10/15/2020, 9:37 PM
I helped write it eh? No memory of that :laugh:
9:38 PM
Maybe the disk encryption table implementation only knows how to generate all of the drives and so ends up doing the work a bunch of times in the second case?
fritz

10/15/2020, 9:40 PM
that sounds very possible