I can't list encrypted disks on osquery 5.0.1
I have this query to list all machines without disk encryption in my pack.
SELECT m.device, m.device_alias, m.path, m.type, de.encryption_status
FROM mounts m
LEFT JOIN disk_encryption de ON de.name = m.device_alias
WHERE m.path LIKE '/'
ORDER BY m.device;
But when I started to install the new osquery version (5.0.1) on some machines, I started to receive alerts that those machines were not encrypted. The machines with the old version (my old version is 4.5.1) didn't have the problem, just the ones with the new version.
So I started with this simple query to analyze the difference between both versions (5.0.1 and 4.0.9). First with version 5.0.1:
SELECT * FROM disk_encryption
The result was:
machine0101 1 encrypted /dev/dm-0 LUKS1-aes-xts-plain64
machine0101 1 encrypted /dev/dm-1 LUKS1-aes-xts-plain64
machine0101 1 encrypted /dev/dm-2 LUKS1-aes-xts-plain64
If I put a "where" in, the result is different. The same table, with only one condition, gives me a different result, saying the disk is not encrypted.
SELECT * FROM disk_encryption where name in ('/dev/dm-0', '/dev/dm-1', '/dev/dm-2')
machine0101 1 encrypted /dev/dm-0 LUKS1-aes-xts-plain64
machine0101 0 not encrypted /dev/dm-1 -
machine0101 0 not encrypted /dev/dm-2
OK, now I run the same queries with an old version (4.5.1).
SELECT * FROM disk_encryption
machine0101 1 encrypted /dev/dm-0 aes-xts-plain64
machine0101 1 encrypted /dev/dm-1 aes-xts-plain64
machine0101 1 encrypted /dev/dm-2 aes-xts-plain64
SELECT * FROM disk_encryption where name in ('/dev/dm-0', '/dev/dm-1', '/dev/dm-2')
machine0101 1 encrypted /dev/dm-0 aes-xts-plain64
machine0101 1 encrypted /dev/dm-1 aes-xts-plain64
machine0101 1 encrypted /dev/dm-2 aes-xts-plain64
I don't know what is happening here. Is my last query wrong, or is there a bug in the new osquery version?
This is the result of the lsblk command:
sda 8:0 0 223,6G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 732M 0 part /boot
└─sda3 8:3 0 222,4G 0 part
└─sda3_crypt 253:0 0 222,4G 0 crypt
├─ubuntu--vg-root 253:1 0 221,4G 0 lvm /
└─ubuntu--vg-swap_1 253:2 0 976M 0 lvm [SWAP]
Can someone help me?
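One way to cross-check an "unencrypted" alert like the one above, independently of the osquery table, is to walk the lsblk device tree and ask whether the device backing `/` sits below a `crypt` layer anywhere in its stack (as `ubuntu--vg-root` does under `sda3_crypt`). This is an added example, not code from the question or from osquery; it assumes the JSON shape of `lsblk -J` (`name`, `type`, `mountpoint`/`mountpoints`, `children`), and the sample input is constructed to mirror the tree shown in the question, not captured from that machine.

```python
import json
import subprocess

# Constructed sample in lsblk -J shape, modelled on the tree in the question:
# sda3 -> sda3_crypt (crypt) -> LVM root (/) and swap. Not real output.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "ubuntu--vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "ubuntu--vg-swap_1", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""


def encrypted_mountpoints(lsblk_json: str) -> dict:
    """Map every mountpoint to True if the device, or any ancestor in its
    stack, is a dm-crypt ('crypt') layer; False otherwise."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits "mountpoint"; newer releases emit a "mountpoints" list.
        for mp in node.get("mountpoints") or [node.get("mountpoint")]:
            if mp:
                result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def root_is_unencrypted(lsblk_json: str) -> bool:
    """The alert condition: '/' is mounted from a stack with no crypt layer."""
    return not encrypted_mountpoints(lsblk_json).get("/", False)


if __name__ == "__main__":
    # On a live host, replace the constructed sample with real lsblk output.
    live = subprocess.run(["lsblk", "-J"], capture_output=True, text=True).stdout
    data = live if live.strip() else SAMPLE_LSBLK_JSON
    print(encrypted_mountpoints(data), "root unencrypted:", root_is_unencrypted(data))
```

Running this against the sample reports `/` and `[SWAP]` as encrypted and `/boot`, `/boot/efi` as not, which is what the 4.5.1 osquery results also say for the root device.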
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow