Channels
#macos
Title
# macos
f
fritz
10/15/2020, 9:07 PMCan you run the following on the device in question and paste the output?
j
Julian Scala
10/15/2020, 9:19 PMSadly I cant, its a remote device and ad-hoc queries are disable. I’ll keep testing with all of this good intel you shared and keep you posted ☺️
f
fritz
10/15/2020, 9:22 PMyes, please do, I am very interested to hear if it is falsely reporting as I have only ever encountered that one other time in my history of using osquery
From my recollection of the incident it was a Japanese device and we assumed there may have been a localization issue at play.
🈳 1
this is fine 1
🇯🇵 1
j
Julian Scala
10/15/2020, 9:25 PMI will. Hope this is not the case 😂 . 10k devices report correctly on the query I shared but a few of them are reporting incorrectly.
f
fritz
10/15/2020, 9:27 PMI just looked back at my correspondence with the Japanese individual, he had the opposite issue, FileVault2 was disabled, but osquery reported the disk as Encrypted
j
Julian Scala
10/15/2020, 9:27 PMThats my current case!
f
fritz
10/15/2020, 9:27 PMhrm
What OS are these affected devices running?
j
Julian Scala
10/15/2020, 9:28 PMCatalina,
10.15.17Osquery version is
4.4.0f
fritz
10/15/2020, 9:30 PMHe was on Mojave from my memory:
The first output shown is from:
Copy code
diskutil apfs listj
Julian Scala
10/15/2020, 9:32 PMInteresting. I’ll push a new version of the query with your suggestions to our scheduled pack. I’ll get results probably tomorrow and keep you posted. This is really good intel! I really appreciate all this help!
f
fritz
10/15/2020, 9:32 PMIf you can put hands on one of the affected devices, I would love to work with you on further debugging, and ideally rope @zwass in as well, since this is something I am sure other osquery users would like to avoid being concerned with.
git push 1
I wonder if it is a case of any disk that is technically an apfs partition type is being recognized as 'encrypted' by osquery
when apfs != filevault enabled
that would be my best guess
Are you guys using launcher @Julian Scala?
j
Julian Scala
10/15/2020, 9:38 PMNo we are not
f
fritz
10/16/2020, 3:45 PM@Julian Scala I created an issue on osquery github if you want to add your comments there (should you discover any more details): https://github.com/osquery/osquery/issues/6718
git push 1
j
Julian Scala
10/16/2020, 4:44 PMGreat, still same results on the updated query:
Copy code
select
case when de.encrypted = 1 then "true" else "false" end as filevault
from disk_encryption de
CROSS join mounts m on m.device_alias = de.name where path= '/';f
fritz
10/16/2020, 5:08 PM@Julian Scala if you can put hands on the device I am curious what happens when you run the following:
Copy code
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_EnabledThat and:
Copy code
diskutil apfs listj
Julian Scala
10/16/2020, 5:59 PMNot at the moment, but as soon as I can I’ll paste output here.
Same as to add more info to the issue
Copy code
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_Enabled Copy code
[ERROR] Unable to target 'local user' via XPC when running as daemon
[ERROR] Assertion Failed. File: /BuildRoot/Library/Caches/com.apple.xbs/Sources/MCXTools/MCXTools-1170/mcxcommon/Common/XPCUtil.mm Line: 337
"FDE_Enabled" = 0;diskutil apfs list Copy code
APFS Container (1 found)
|
+-- Container disk1 48574CD8-F9A0-5555-89AA-CBCE79CB930A
====================================================
APFS Container Reference: disk1
Size (Capacity Ceiling): 499963174912 B (500.0 GB)
Capacity In Use By Volumes: 387407650816 B (387.4 GB) (77.5% used)
Capacity Not Allocated: 112555524096 B (112.6 GB) (22.5% free)
|
+-< Physical Store disk0s2 04920AA2-5555-4C96-8452-FA38ABB9347F
| -----------------------------------------------------------
| APFS Physical Store Disk: disk0s2
| Size: 499963174912 B (500.0 GB)
|
+-> Volume disk1s1 27C143C8-5555-4DD9-9B1B-733AC64EBA40
| ---------------------------------------------------
| APFS Volume Disk (Role): disk1s1 (No specific role)
| Name: Macintosh HD (Case-insensitive)
| Mount Point: /
| Capacity Consumed: 375944740864 B (375.9 GB)
| FileVault: No (Encrypted at rest)
|
+-> Volume disk1s2 D7749C98-1757-479E-A112-09333D1203D5
| ---------------------------------------------------
| APFS Volume Disk (Role): disk1s2 (Preboot)
| Name: Preboot (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 45330432 B (45.3 MB)
| FileVault: No
|
+-> Volume disk1s3 AEFAAA48-5559DF-92D5-D2D605655AB1
| ---------------------------------------------------
| APFS Volume Disk (Role): disk1s3 (Recovery)
| Name: Recovery (Case-insensitive)
| Mount Point: /Volumes/Recovery
| Capacity Consumed: 518598656 B (518.6 MB)
| FileVault: No
|
+-> Volume disk1s4 E09331A2-9AFE-5555-86FA-0E59CE660D2E
---------------------------------------------------
APFS Volume Disk (Role): disk1s4 (VM)
Name: VM (Case-insensitive)
Mount Point: /private/var/vm
Capacity Consumed: 10737512448 B (10.7 GB)
FileVault: No (Encrypted at rest)f
fritz
10/19/2020, 6:22 PM@Julian Scala if you can add the osquery output for that device as well. That would be 💯
j
Julian Scala
10/19/2020, 6:43 PMOn the query:
Copy code
select name, encrypted, encryption_status, type from disk_encryptionf
fritz
10/19/2020, 6:50 PM👍
j
Julian Scala
10/19/2020, 6:51 PMThats al I can get since its a remote device, had to enable distributed for a sec
f
fritz
10/19/2020, 6:51 PMSounds good, do you want to add it to the issue, or I can if you prefer
j
Julian Scala
10/19/2020, 6:51 PMI will
f
fritz
10/19/2020, 6:52 PMthanks!
@Julian Scala if you end up identifying any other common qualities shared by the misreporting devices that would be awesome to include as well, so that we can try to come up with steps to reproduce to state.
@zwass curious if you have any thoughts on this
disk_encryptionz
zwass
10/19/2020, 6:57 PM
We're using a private API to check disk encryption status for APFS volumes. Maybe Apple changed the API?
this is fine 1
j
Julian Scala
10/19/2020, 6:59 PMOf course I will.
5 Views