osquery
Update linux block_device and disk_encryption source data to simple sysfs implementation
Fixes #8033
Purpose of this PR is to remove Linux's disk_encryption reliance on block_devices. We want a list of all block devices by name and a way to access their parent device, so I walk sysfs for that.
libudev accesses block devices primarily in the same way, but with a lot of other options. Those options aren't utilized in osquery's current implementation. Since we don't use them I figured I could take out libudev's usage in our Linux block_device and disk_encryption table generations.
I've added block_device_enumeration as a fairly simple traversal of sysfs to access all of the relevant data we previously were collecting. This should also be easy to add to if other data is desired down the road.
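The sysfs walk the description outlines, as an added example (not the PR's code): every entry under /sys/class/block is a symlink into /sys/devices, a partition's directory is nested inside its disk's directory, and a device-mapper target lists the devices it sits on in slaves/ and carries dm/uuid, which for dm-crypt starts with CRYPT-. The sysfs layout is constructed in a temp directory so the example runs offline; the device paths and the uuid are placeholders, not values from any real system.

```python
import tempfile
from pathlib import Path


def enumerate_block_devices(sysfs_root):
    """Map each name under <sysfs_root>/class/block to its parent device.

    parent is the whole disk for a partition (its directory is nested in the
    disk's), the slaves/ entries for a device-mapper target, None for a disk;
    dm_uuid is dm/uuid where present (dm-crypt targets carry 'CRYPT-...').
    """
    devices = {}
    for link in sorted(Path(sysfs_root, "class", "block").iterdir()):
        dev_dir = link.resolve()                       # follow the class symlink
        parent = None
        if (dev_dir.parent / "dev").exists():          # nested inside a disk dir
            parent = dev_dir.parent.name
        slaves_dir = dev_dir / "slaves"
        slaves = sorted(p.name for p in slaves_dir.iterdir()) if slaves_dir.is_dir() else []
        if slaves:                                     # dm target: devices it sits on
            parent = ",".join(slaves)
        uuid_file = dev_dir / "dm" / "uuid"
        dm_uuid = uuid_file.read_text().strip() if uuid_file.exists() else None
        devices[link.name] = {"parent": parent, "dm_uuid": dm_uuid}
    return devices


def build_sample_sysfs(root):
    """Construct a sysfs-like tree: disk sdb, partition sdb3, dm-crypt dm-4 on sdb3."""
    sdb = root / "devices" / "pci" / "host0" / "block" / "sdb"    # constructed path
    sdb3 = sdb / "sdb3"
    dm4 = root / "devices" / "virtual" / "block" / "dm-4"
    for path, majmin in ((sdb, "8:16"), (sdb3, "8:19"), (dm4, "254:4")):
        path.mkdir(parents=True)
        (path / "dev").write_text(majmin + "\n")
    (dm4 / "dm").mkdir()
    (dm4 / "dm" / "uuid").write_text("CRYPT-LUKS2-0000-cryptlvm\n")  # constructed uuid
    (dm4 / "slaves").mkdir()
    (dm4 / "slaves" / "sdb3").symlink_to(sdb3)
    class_dir = root / "class" / "block"
    class_dir.mkdir(parents=True)
    for path in (sdb, sdb3, dm4):
        (class_dir / path.name).symlink_to(path)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(Path(tmp))
        return enumerate_block_devices(tmp)
```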
> Purpose of this PR is to remove Linux's disk_encryption reliance on block_devices. We want a list of all block devices by name and a way to access their parent device, so I walk sysfs for that.
Would this implementation also allow block_devices to work with query context? It's probably worth moving to a helper function and letting both tables' generate methods call it.
> Purpose of this PR is to remove Linux's disk_encryption reliance on block_devices. We want a list of all block devices by name and a way to access their parent device, so I walk sysfs for that.
>
> Would this implementation also allow block_devices to work with query context? It's probably worth moving to a helper function and letting both tables' generate methods call it.
I could definitely look at making that possible.
@Smjert I think you said you could review this PR this week?
> @Smjert I think you said you could review this PR this week?
Yes I began looking into it today but other things got my priority; I'll be able to finish my review by eod tomorrow. I mostly have minor corrections for now.
While I don't think there are major issues, I'm a bit concerned about the support for the various combinations of distros and disk setups.
Would it be possible to know on which distros and which setups this has been tested?
Very sorry I have taken a long time to get back to this. I've tested these changes on Ubuntu 22.04, CentOS 7, and openSUSE 15.4. For disk setups I've been mostly testing with the below on my openSUSE device:
NAME                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                             8:0    0   10G  0 disk
├─sda1                          8:1    0    2M  0 part
├─sda2                          8:2    0   20M  0 part  /boot/efi
└─sda3                          8:3    0   10G  0 part  /
sdb                             8:16   0   10G  0 disk
├─sdb1                          8:17   0    1M  0 part
├─sdb2                          8:18   0    1G  0 part
└─sdb3                          8:19   0    9G  0 part
  └─cryptlvm                  254:4    0    9G  0 crypt
    ├─MyVolGroup-root         254:5    0    8G  0 lvm   /mnt/test_drives/lvm_on_encryption
    └─MyVolGroup-home         254:6    0 1016M  0 lvm   /mnt/test_drives/lvm_on_encryption/home
sdc                             8:32   0   10G  0 disk
├─sdc1                          8:33   0    1M  0 part
└─sdc2                          8:34   0   10G  0 part
  ├─LvmEncrypt-lvmcryptroot   254:0    0    5G  0 lvm
  │ └─lvmcrypt                254:7    0    5G  0 crypt /mnt/test_drives/encryption_on_lvm
  ├─LvmEncrypt-lvmcryptswap   254:1    0    1G  0 lvm
  ├─LvmEncrypt-lvmcrypttmp    254:2    0    1G  0 lvm
  └─LvmEncrypt-lvmcrypthome   254:3    0    3G  0 lvm   /mnt/test_drives/encryption_on_lvm/home
sdd                             8:48   0   10G  0 disk
├─sdd1                          8:49   0    1M  0 part
├─sdd2                          8:50   0    1G  0 part
├─sdd3                          8:51   0    5G  0 part
│ └─cryptsetuproot            254:8    0    5G  0 crypt /mnt/test_drives/full_encryption_split_root_home
└─sdd4                          8:52   0    4G  0 part
  └─cryptsetuphome            254:9    0    4G  0 crypt /mnt/test_drives/full_encryption_split_root_home/home