Title
#macos
f

fritz

10/15/2020, 9:07 PM
Can you run the following on the device in question and paste the output?
j

Julian Scala

10/15/2020, 9:19 PM
Sadly I cant, its a remote device and ad-hoc queries are disable. I’ll keep testing with all of this good intel you shared and keep you posted ☺️
f

fritz

10/15/2020, 9:22 PM
yes, please do, I am very interested to hear if it is falsely reporting as I have only ever encountered that one other time in my history of using osquery
9:23 PM
From my recollection of the incident it was a Japanese device and we assumed there may have been a localization issue at play.
j

Julian Scala

10/15/2020, 9:25 PM
I will. Hope this is not the case 😂 . 10k devices report correctly on the query I shared but a few of them are reporting incorrectly.
f

fritz

10/15/2020, 9:27 PM
I just looked back at my correspondence with the Japanese individual, he had the opposite issue, FileVault2 was disabled, but osquery reported the disk as Encrypted
j

Julian Scala

10/15/2020, 9:27 PM
Thats my current case!
f

fritz

10/15/2020, 9:27 PM
hrm
9:28 PM
What OS are these affected devices running?
j

Julian Scala

10/15/2020, 9:28 PM
Catalina,
10.15.17
mostly
9:29 PM
Osquery version is
4.4.0
f

fritz

10/15/2020, 9:30 PM
He was on Mojave from my memory:
9:31 PM
The first output shown is from:
diskutil apfs list
The second is from osquery
j

Julian Scala

10/15/2020, 9:32 PM
Interesting. I’ll push a new version of the query with your suggestions to our scheduled pack. I’ll get results probably tomorrow and keep you posted. This is really good intel! I really appreciate all this help!
f

fritz

10/15/2020, 9:32 PM
If you can put hands on one of the affected devices, I would love to work with you on further debugging, and ideally rope @zwass in as well, since this is something I am sure other osquery users would like to avoid being concerned with.
9:33 PM
I wonder if it is a case of any disk that is technically an apfs partition type is being recognized as 'encrypted' by osquery
9:33 PM
when apfs != filevault enabled
9:34 PM
that would be my best guess
9:34 PM
Are you guys using launcher @Julian Scala?
j

Julian Scala

10/15/2020, 9:38 PM
No we are not
f

fritz

10/16/2020, 3:45 PM
@Julian Scala I created an issue on osquery github if you want to add your comments there (should you discover any more details): https://github.com/osquery/osquery/issues/6718
j

Julian Scala

10/16/2020, 4:44 PM
Great, still same results on the updated query:
select
case when de.encrypted = 1 then "true" else "false" end as filevault
from disk_encryption de
CROSS join mounts m on m.device_alias = de.name where path= '/';
Still getting same results. I’ll add more info of the device itself to the issue. Thanks!
f

fritz

10/16/2020, 5:08 PM
@Julian Scala if you can put hands on the device I am curious what happens when you run the following:
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_Enabled
5:09 PM
That and:
diskutil apfs list
j

Julian Scala

10/16/2020, 5:59 PM
Not at the moment, but as soon as I can I’ll paste output here.
5:59 PM
Same as to add more info to the issue
5:30 PM
sudo /usr/libexec/mdmclient QuerySecurityInfo | grep FDE_Enabled
returns
[ERROR] Unable to target 'local user' via XPC when running as daemon
[ERROR] Assertion Failed.  File: /BuildRoot/Library/Caches/com.apple.xbs/Sources/MCXTools/MCXTools-1170/mcxcommon/Common/XPCUtil.mm  Line: 337
        "FDE_Enabled" = 0;
While 
diskutil apfs list
returns
APFS Container (1 found)
|
+-- Container disk1 48574CD8-F9A0-5555-89AA-CBCE79CB930A
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      499963174912 B (500.0 GB)
    Capacity In Use By Volumes:   387407650816 B (387.4 GB) (77.5% used)
    Capacity Not Allocated:       112555524096 B (112.6 GB) (22.5% free)
    |
    +-< Physical Store disk0s2 04920AA2-5555-4C96-8452-FA38ABB9347F
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       499963174912 B (500.0 GB)
    |
    +-> Volume disk1s1 27C143C8-5555-4DD9-9B1B-733AC64EBA40
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         375944740864 B (375.9 GB)
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk1s2 D7749C98-1757-479E-A112-09333D1203D5
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         45330432 B (45.3 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 AEFAAA48-5559DF-92D5-D2D605655AB1
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               /Volumes/Recovery
    |   Capacity Consumed:         518598656 B (518.6 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s4 E09331A2-9AFE-5555-86FA-0E59CE660D2E
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /private/var/vm
        Capacity Consumed:         10737512448 B (10.7 GB)
        FileVault:                 No (Encrypted at rest)
Adding this in a comment on the opened issue.
f

fritz

10/19/2020, 6:22 PM
@Julian Scala if you can add the osquery output for that device as well. That would be 💯
j

Julian Scala

10/19/2020, 6:43 PM
On the query:
select name, encrypted, encryption_status, type from disk_encryption
f

fritz

10/19/2020, 6:50 PM
👍
j

Julian Scala

10/19/2020, 6:51 PM
Thats al I can get since its a remote device, had to enable distributed for a sec
f

fritz

10/19/2020, 6:51 PM
Sounds good, do you want to add it to the issue, or I can if you prefer
j

Julian Scala

10/19/2020, 6:51 PM
I will
f

fritz

10/19/2020, 6:52 PM
thanks!
6:53 PM
@Julian Scala if you end up identifying any other common qualities shared by the misreporting devices that would be awesome to include as well, so that we can try to come up with steps to reproduce to state.
6:54 PM
@zwass curious if you have any thoughts on this
disk_encryption
misreporting stuff?
zwass

zwass

10/19/2020, 6:57 PM
We're using a private API to check disk encryption status for APFS volumes. Maybe Apple changed the API?
j

Julian Scala

10/19/2020, 6:59 PM
Of course I will.