# macos
f
Can you run the following on the device in question and paste the output?
j
Sadly I can't, it's a remote device and ad-hoc queries are disabled. I'll keep testing with all of this good intel you shared and keep you posted ☺️
f
yes, please do, I am very interested to hear if it is falsely reporting as I have only ever encountered that one other time in my history of using osquery
From my recollection of the incident it was a Japanese device and we assumed there may have been a localization issue at play.
j
I will. Hope this is not the case 😂 . 10k devices report correctly on the query I shared but a few of them are reporting incorrectly.
f
I just looked back at my correspondence with the Japanese individual, he had the opposite issue, FileVault2 was disabled, but osquery reported the disk as Encrypted
j
That's my current case!
f
hrm
What OS are these affected devices running?
j
Catalina,
10.15.17
mostly
Osquery version is
4.4.0
f
He was on Mojave from my memory:
The first output shown is from:
```shell
diskutil apfs list
```
The second is from osquery
j
Interesting. I’ll push a new version of the query with your suggestions to our scheduled pack. I’ll get results probably tomorrow and keep you posted. This is really good intel! I really appreciate all this help!
f
If you can put hands on one of the affected devices, I would love to work with you on further debugging, and ideally rope @zwass in as well, since this is something I am sure other osquery users would like to avoid being concerned with.
I wonder if it is a case of any disk that is technically an APFS partition type being recognized as 'encrypted' by osquery
when apfs != filevault enabled
that would be my best guess
Are you guys using launcher @Julian Scala?
j
No we are not
f
@Julian Scala I created an issue on osquery github if you want to add your comments there (should you discover any more details): https://github.com/osquery/osquery/issues/6718
j
Great, still the same results on the updated query:
```sql
-- Report FileVault state for the volume mounted at /
-- (string literals use single quotes so SQLite does not treat them as identifiers)
SELECT
  CASE WHEN de.encrypted = 1 THEN 'true' ELSE 'false' END AS filevault
FROM disk_encryption de
CROSS JOIN mounts m ON m.device_alias = de.name
WHERE m.path = '/';
```
Still getting the same results. I'll add more info on the device itself to the issue. Thanks!
f
@Julian Scala if you can put hands on the device I am curious what happens when you run the following:
```shell
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_Enabled
```
That and:
```shell
diskutil apfs list
```
j
Not at the moment, but as soon as I can I’ll paste output here.
Same as to add more info to the issue
```shell
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_Enabled
```
returns
```
[ERROR] Unable to target 'local user' via XPC when running as daemon
[ERROR] Assertion Failed.  File: /BuildRoot/Library/Caches/com.apple.xbs/Sources/MCXTools/MCXTools-1170/mcxcommon/Common/XPCUtil.mm  Line: 337
        "FDE_Enabled" = 0;
```
While
```shell
diskutil apfs list
```
returns
```
APFS Container (1 found)
|
+-- Container disk1 48574CD8-F9A0-5555-89AA-CBCE79CB930A
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      499963174912 B (500.0 GB)
    Capacity In Use By Volumes:   387407650816 B (387.4 GB) (77.5% used)
    Capacity Not Allocated:       112555524096 B (112.6 GB) (22.5% free)
    |
    +-< Physical Store disk0s2 04920AA2-5555-4C96-8452-FA38ABB9347F
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       499963174912 B (500.0 GB)
    |
    +-> Volume disk1s1 27C143C8-5555-4DD9-9B1B-733AC64EBA40
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         375944740864 B (375.9 GB)
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk1s2 D7749C98-1757-479E-A112-09333D1203D5
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         45330432 B (45.3 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 AEFAAA48-5559DF-92D5-D2D605655AB1
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               /Volumes/Recovery
    |   Capacity Consumed:         518598656 B (518.6 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s4 E09331A2-9AFE-5555-86FA-0E59CE660D2E
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /private/var/vm
        Capacity Consumed:         10737512448 B (10.7 GB)
        FileVault:                 No (Encrypted at rest)
```
Adding this in a comment on the opened issue.
f
@Julian Scala if you can add the osquery output for that device as well. That would be 💯
j
On the query:
```sql
SELECT name, encrypted, encryption_status, type FROM disk_encryption;
```
f
👍
j
That's all I can get since it's a remote device, had to enable distributed for a sec
f
Sounds good, do you want to add it to the issue, or I can if you prefer
j
I will
f
thanks!
@Julian Scala if you end up identifying any other common qualities shared by the misreporting devices that would be awesome to include as well, so that we can try to come up with steps to reproduce to state.
@zwass curious if you have any thoughts on this
disk_encryption
misreporting stuff?
z
We're using a private API to check disk encryption status for APFS volumes. Maybe Apple changed the API?
j
Of course I will.