    Mike Tonks
    9 months ago
    Hi, I'm trying out osquery for the first time, and it looks good, but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit. I'm using Ubuntu and the disk was fully encrypted during the install; I think it uses LVM.
    Here's some additional info:
    osquery> SELECT version, build, platform FROM os_version;
     version = 20.04.3 LTS (Focal Fossa)
       build = 
    platform = ubuntu
    osquery> SELECT version from osquery_info;
    version = 5.0.1
    Disk does not show in block_devices:
    osquery> select * from block_devices;
    +----------------+--------------+--------+-------+------------+------------+------+------+-------+
    | name           | parent       | vendor | model | size       | block_size | uuid | type | label |
    +----------------+--------------+--------+-------+------------+------------+------+------+-------+
    | /dev/nvme0n1   |              |        |       | 1000215216 | 512        |      |      |       |
    | /dev/nvme0n1p1 | /dev/nvme0n1 |        |       | 1048576    |            |      |      |       |
    | /dev/nvme0n1p2 | /dev/nvme0n1 |        |       | 1499136    |            |      |      |       |
    | /dev/nvme0n1p3 | /dev/nvme0n1 |        |       | 997664768  |            |      |      |       |
    | /dev/loop0     |              |        |       | 8          | 512        |      |      |       |
    ...
    | /dev/loop9     |              |        |       | 133320     | 512        |      |      |       |
    | /dev/dm-0      |              |        |       | 997660672  | 512        |      |      |       |
    | /dev/dm-1      |              |        |       | 995647488  | 512        |      |      |       |
    | /dev/dm-2      |              |        |       | 2007040    | 512        |      |      |       |
    +----------------+--------------+--------+-------+------------+------------+------+------+-------+
    
    osquery> select * from disk_encryption;
    osquery>
    lsblk
    NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    loop0                     7:0    0     4K  1 loop  /snap/bare/5
    loop1                     7:1    0  99.5M  1 loop  /snap/core/11798
    ...
    loop19                    7:19   0 145.6M  1 loop  /snap/chromium/1781
    nvme0n1                 259:0    0   477G  0 disk
    ├─nvme0n1p1             259:1    0   512M  0 part  /boot/efi
    ├─nvme0n1p2             259:2    0   732M  0 part  /boot
    └─nvme0n1p3             259:3    0 475.7G  0 part
      └─nvme0n1p3_crypt     253:0    0 475.7G  0 crypt
        ├─ubuntu--vg-root   253:1    0 474.8G  0 lvm   /
        └─ubuntu--vg-swap_1 253:2    0   980M  0 lvm   [SWAP]
    Happy to raise a bug, thought I'd check in here first.
    seph
    9 months ago
    Are you running as root? Do you get any useful errors with --verbose?
    FWIW, I've found it quite hard to detect and audit all the possible Linux disk encryption options. I should revisit this particular case, as it's getting more common. I have some custom tables in Kolide's launcher to try to help.
    Mike Tonks
    9 months ago
    Ah yes, running osqueryi as root seems to improve things, missed that 🙂
    osquery> select * from block_devices;
      Configuration setting "activation/vdo_pool_autoextend_threshold" unknown.
      Configuration setting "global/support_mirrored_mirror_log" unknown.
      Configuration setting "global/event_activation" unknown.
      Configuration setting "devices/scan_lvs" unknown.
      Configuration setting "devices/allow_mixed_block_sizes" unknown.
    +----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
    | name           | parent       | vendor | model | size       | block_size | uuid                                   | type        | label  |
    +----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
    ...
    | /dev/dm-0      |              |        |       | 997660672  | 512        | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | LVM2_member |        |
    | /dev/dm-1      | /dev/dm-0    |        |       | 995647488  | 512        | 330608bb-a6f1-447e-817f-7f1eb4d8104f   | ext4        | UBUNTU |
    | /dev/dm-2      | /dev/dm-0    |        |       | 2007040    | 512        | d1446d20-0643-4d76-8a80-f38bdcbfafb6   | swap        |        |
    +----------------+--------------+--------+-------+------------+------------+----------------------------------------+-------------+--------+
    osquery> select * from disk_encryption;
    +----------------+----------------------------------------+-----------+-----------------------+-------------------+
    | name           | uuid                                   | encrypted | type                  | encryption_status |
    +----------------+----------------------------------------+-----------+-----------------------+-------------------+
    | /dev/nvme0n1   |                                        | 0         |                       | not encrypted     |
    ...
    | /dev/loop9     |                                        | 0         |                       | not encrypted     |
    | /dev/dm-0      | pY030M-hBwu-izjx-VZ33-kJYp-ac2I-Pyci9d | 1         | LUKS1-aes-xts-plain64 | encrypted         |
    | /dev/dm-1      | 330608bb-a6f1-447e-817f-7f1eb4d8104f   | 1         | LUKS1-aes-xts-plain64 | encrypted         |
    | /dev/dm-2      | d1446d20-0643-4d76-8a80-f38bdcbfafb6   | 1         | LUKS1-aes-xts-plain64 | encrypted         |
    +----------------+----------------------------------------+-----------+-----------------------+-------------------+
    Not 100% clear, but I think that's my disk. Thanks! Looks like user error 🙂
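As an added example (not from the thread, and not osquery's or Kolide's own code): a small audit check that consumes the JSON `osqueryi --json "select * from disk_encryption"` prints and turns it into a verdict. The point it encodes is the one the thread just surfaced: an empty result set means osquery could not see the devices (here, osqueryi was not run as root) and must be reported as indeterminate, not as "not encrypted". Device names and the cipher string follow the output above; the UUIDs are placeholders.

```python
import json

# Constructed sample of the JSON osqueryi --json prints for the query when run
# as root. osquery emits every column as a string, including "encrypted".
# Device names and the LUKS type string follow the thread; UUIDs are placeholders.
SAMPLE_ROOT = json.dumps([
    {"name": "/dev/nvme0n1", "uuid": "", "encrypted": "0",
     "type": "", "encryption_status": "not encrypted"},
    {"name": "/dev/loop0", "uuid": "", "encrypted": "0",
     "type": "", "encryption_status": "not encrypted"},
    {"name": "/dev/dm-0", "uuid": "UUID-PLACEHOLDER-0", "encrypted": "1",
     "type": "LUKS1-aes-xts-plain64", "encryption_status": "encrypted"},
    {"name": "/dev/dm-1", "uuid": "UUID-PLACEHOLDER-1", "encrypted": "1",
     "type": "LUKS1-aes-xts-plain64", "encryption_status": "encrypted"},
])
# What the same query returned in the thread when osqueryi was NOT run as root.
SAMPLE_UNPRIVILEGED = "[]"


def audit_disk_encryption(osquery_json, required_devices):
    """Return (verdict, details) for the devices that must be encrypted.

    verdict is one of:
      "indeterminate" - no rows at all: osquery saw no block devices, which in
                        the thread meant insufficient privileges, not plaintext disks;
      "fail"          - a required device is missing or reports encrypted != 1;
      "pass"          - every required device reports encrypted == 1.
    details maps each required device to its LUKS type, "not encrypted" or "missing".
    """
    rows = json.loads(osquery_json)
    if not rows:
        return "indeterminate", {"reason": "empty result set; rerun as root with --verbose"}
    by_name = {row["name"]: row for row in rows}
    details, verdict = {}, "pass"
    for dev in required_devices:
        row = by_name.get(dev)
        if row is None:
            details[dev], verdict = "missing", "fail"
        elif str(row.get("encrypted")) == "1":
            details[dev] = row.get("type") or "encrypted"
        else:
            details[dev], verdict = "not encrypted", "fail"
    return verdict, details


if __name__ == "__main__":
    # The LVM root volume from the thread sits on /dev/dm-1.
    print(audit_disk_encryption(SAMPLE_ROOT, ["/dev/dm-1"]))
    print(audit_disk_encryption(SAMPLE_UNPRIVILEGED, ["/dev/dm-1"]))
```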
    seph
    9 months ago
    I do think there's a case where it doesn't report. But I'm glad this solved it.
    Mike Tonks
    9 months ago
    Thanks for responding! Great to get some help. I thought this was a pretty obscure issue, but being able to report on disk encryption is pretty important for us.