empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a1fa232aca
fleet/schema/tables/corestorage_logical_volumes.yml
Artemis Tosini 1d2ae58d5f
Add macOS CIS 5.3.2 (#10726) 
Add 2 new tables: corestorage_logical_volumes and corestorage_logical_volume_families.
Add a query that uses these tables
2023-03-28 11:57:38 -04:00

136 lines
4.6 KiB
YAML
Raw Blame History

name: corestorage_logical_volumes
platforms:
- darwin
description: Information about CoreStorage Logical Volumes from the `diskutil coreStorage list -plist` command.
columns:
- name: vg_UUID
type: text
required: false
description: The unique identifier of the containing volume group
- name: vg_Version
type: integer
required: false
description: The version of the volume group, probably 1
- name: vg_FreeSpace
type: bigint
required: false
description: |
Amount of space, in bytes, in the volume group that have not been allocated by any logical volume
- name: vg_FusionDrive
type: integer
required: false
description: Whether the volume group is a "fusion drive" (i.e. SSHD)
- name: vg_Name
type: text
required: false
description: The customizable name of the volume group
- name: vg_Sequence
type: bigint
required: false
description: Current sequence number of the volume group
- name: vg_Size
type: bigint
required: false
description: Total (i.e. either allocated or unallocated) size of the volume group
- name: vg_Sparse
type: integer
required: false
description: Whether the volume group allows overcommitting storage
- name: vg_Status
type: text
required: false
description: Status of the volume group, e.g. "Online"
- name: lvf_UUID
type: text
required: false
description: Unique ID of the logical volume family
- name: lvf_EncryptionStatus
type: text
required: false
description: Unlock status of the logical volume family, e.g. "Locked" or "Unlocked"
- name: lvf_EncryptionType
type: text
required: false
description: Encryption algorithm for the logical volume family, normally "AES-XTS" or "None"
- name: lvf_HasVisibleUsers
type: integer
required: false
description: Undocumented field returned from `diskutil cs info`
- name: lvf_HasVolumeKey
type: integer
required: false
description: Whether there is an encryption key assigned for the logical volume
- name: lvf_IsAcceptingNewUsers
type: integer
required: false
description: Whether new users may be granted access to the logical volume family encryption key
- name: lvf_IsFullySecure
type: integer
required: false
description: Undocumented field returned from `diskutil cs info`
- name: lvf_MayHaveEncryptedEvents
type: integer
required: false
description: Undocumented field returned from `diskutil cs info`
- name: lvf_RequiresPasswordUnlock
type: integer
required: false
description: Whether a password is currently required to unlock the volume
- name: ContentHint
type: text
required: false
description: What type of filesystem is on the logical volume, as written in metadata, e.g. "Apple_HFS"
- name: ConverstionProgressPercent
type: integer
required: false
description: How far the current conversion status has progressed, either empty or 0-100
- name: ConversionState
type: text
required: false
description: Status of the conversion, e.g. from HFS+ to CoreStorage or encrypting a volume
- name: Name
type: text
required: false
description: Name of the logical volume
- name: Sequence
type: bigint
required: false
description: Sequence number of the logical volume
- name: Size
type: bigint
required: false
description: Size of the logical volume in bytes
- name: Status
type: text
required: false
description: Lock status of the logical volume, e.g. "Locked"
- name: Version
type: bigint
required: false
description: CoreStorage version of the logical volume, normally 65536
- name: UUID
type: text
required: false
description: Unique ID of the logical volume
- name: DesignatedPhysicalVolume
type: text
required: false
description: UUID of one of the physical volumes on which the logical volume is stored
- name: DesignatedPhysicalVolumeIdentifier
type: text
required: false
description: |
Identifier of one of the physical volumes that holds this logical volume (e.g disk0s2)
- name: Identifier
type: text
required: false
description: Current identifier of the logical volume (e.g. "disk5")
- name: VolumeName
type: text
required: false
description: Name of the filesystem in the logical volume
notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
evented: false
Reference in New Issue View Git Blame Copy Permalink