https://github.com/osquery/osquery logo
Powered by
Title
f

fritz

10/15/2020, 9:11 PM
Of note, and this should be considered by others using the 
disk_encryption
table (perhaps @zwass knows the reason since he helped write it), you should always use a 
CROSS JOIN
to call 
disk_encryption
first in the 
FROM
clause otherwise the query runtime will be excessively slow, eg. 
osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from disk_encryption de
    ...> CROSS join mounts m on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /Volumes/Jeyi            | false     |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /                        | true      |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 0.723 user 0.189720 sys 0.154101

osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from mounts m
    ...> CROSS join disk_encryption de on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /                        | true      |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /Volumes/Jeyi            | false     |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 5.845 user 1.532276 sys 1.258735
:git-push: 1
🚀 2
z

zwass

10/15/2020, 9:37 PM
I helped write it eh? No memory of that :laugh:
:this_is_fine: 1
Maybe the disk encryption table implementation only knows how to generate all of the drives and so ends up doing the work a bunch of times in the second case?
f

fritz

10/15/2020, 9:40 PM
that sounds very possible
4 Views
#macosJoin Slack
Powered by