https://github.com/osquery/osquery logo
Join Slack
Powered by
Of note, and this should be considered by others u...
# macos
f
Of note, and this should be considered by others using the 
disk_encryption
table (perhaps @zwass knows the reason since he helped write it), you should always use a 
CROSS JOIN
to call 
disk_encryption
first in the 
FROM
clause otherwise the query runtime will be excessively slow, eg.
Copy code
osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from disk_encryption de
    ...> CROSS join mounts m on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /Volumes/Jeyi            | false     |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /                        | true      |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 0.723 user 0.189720 sys 0.154101

osquery> select m.path,
    ...> case when de.encrypted = 1 then "true" else "false" end as filevault
    ...> from mounts m
    ...> CROSS join disk_encryption de on m.device_alias = de.name;
+--------------------------+-----------+
| path                     | filevault |
+--------------------------+-----------+
| /                        | true      |
| /System/Volumes/Data     | true      |
| /private/var/vm          | true      |
| /Volumes/Jeyi            | false     |
| /Volumes/Untitled        | false     |
+--------------------------+-----------+
Run Time: real 5.845 user 1.532276 sys 1.258735
git push 1
🚀 2
z
I helped write it eh? No memory of that laugh
this is fine 1
Maybe the disk encryption table implementation only knows how to generate all of the drives and so ends up doing the work a bunch of times in the second case?
f
that sounds very possible
4 Views
Open in Slack
PreviousNext
Powered by