fleet/schema/tables/apfs_physical_stores.yml
Artemis Tosini af4c3f7061
Add macOS CIS 5.3.1 (#10397)
This adds a new check about whether all APFS volumes are encrypted. I
needed to add a new table, and I took that opportunity to add another so
that osquery has all information from `diskutil apfs list -plist`.

Note that it is somewhat unclear whether to use the `encryption` or
`filevault` field in the query. FileVault is about whether the volume is
encrypted with a password and Encryption is about whether it is
encrypted at all, since all modern Macs have hardware-backed disk
encryption.
2023-03-10 12:29:14 -05:00

46 lines
1.7 KiB
YAML

name: apfs_physical_stores
platforms:
  - darwin
description: Information about APFS physical stores from the `diskutil apfs list -plist` command.
columns:
  - name: container_uuid
    type: text
    required: false
    description: The UUID of the APFS container
  - name: container_designated_physical_store
    type: text
    required: false
    description: |
      The disk shown as the backing store of the container. A container may have more
      than one physical store; each row of this table is one of them.
  - name: container_reference
    type: text
    required: false
    description: The current reference for the APFS container, e.g. "disk3"
  - name: container_fusion
    type: text
    required: false
    description: Whether this container is a Fusion Drive, i.e. spans a separate SSD and HDD rather than a single disk
  - name: container_capacity_ceiling
    type: bigint
    required: false
    description: The total amount of space in the container, in bytes
  - name: container_capacity_free
    type: bigint
    required: false
    description: The amount of remaining free space in the container, in bytes
  - name: uuid
    type: text
    required: false
    description: The UUID of the physical store
  - name: identifier
    type: text
    required: false
    description: The current identifier of the physical store (e.g. disk1s2)
  - name: size
    type: bigint
    required: false
    description: The size of the physical store in bytes
notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
evented: false
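To make the column mapping above concrete, here is an added example (not Fleet's or osquery's own code) that flattens `diskutil apfs list -plist` output into one row per physical store, with the container fields repeated on each row exactly as the schema lays them out. The plist key names (`Containers`, `APFSContainerUUID`, `PhysicalStores`, `DeviceIdentifier`, and so on) are assumed to match what `diskutil` emits; the sample plist is constructed, and the `"1"`/`"0"` encoding of the boolean `Fusion` flag in the text column is an assumption rather than something the schema specifies.

```python
"""Flatten `diskutil apfs list -plist` into apfs_physical_stores-shaped rows.

Added example, not Fleet/osquery code. Plist key names are assumed to match
diskutil's output; SAMPLE_PLIST below is constructed, not captured from a Mac.
"""
import plistlib
import subprocess
from typing import Any

# Constructed sample: one single-SSD container (disk3) and one Fusion
# container (disk4) backed by an SSD partition and an HDD partition.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Containers</key>
  <array>
    <dict>
      <key>APFSContainerUUID</key><string>AAAAAAAA-0000-0000-0000-000000000001</string>
      <key>CapacityCeiling</key><integer>500000000000</integer>
      <key>CapacityFree</key><integer>120000000000</integer>
      <key>ContainerReference</key><string>disk3</string>
      <key>DesignatedPhysicalStore</key><string>disk0s2</string>
      <key>Fusion</key><false/>
      <key>PhysicalStores</key>
      <array>
        <dict>
          <key>APFSPhysicalStoreUUID</key><string>BBBBBBBB-0000-0000-0000-000000000001</string>
          <key>DeviceIdentifier</key><string>disk0s2</string>
          <key>Size</key><integer>500000000000</integer>
        </dict>
      </array>
    </dict>
    <dict>
      <key>APFSContainerUUID</key><string>AAAAAAAA-0000-0000-0000-000000000002</string>
      <key>CapacityCeiling</key><integer>2128000000000</integer>
      <key>CapacityFree</key><integer>900000000000</integer>
      <key>ContainerReference</key><string>disk4</string>
      <key>DesignatedPhysicalStore</key><string>disk0s3</string>
      <key>Fusion</key><true/>
      <key>PhysicalStores</key>
      <array>
        <dict>
          <key>APFSPhysicalStoreUUID</key><string>BBBBBBBB-0000-0000-0000-000000000002</string>
          <key>DeviceIdentifier</key><string>disk0s3</string>
          <key>Size</key><integer>128000000000</integer>
        </dict>
        <dict>
          <key>APFSPhysicalStoreUUID</key><string>BBBBBBBB-0000-0000-0000-000000000003</string>
          <key>DeviceIdentifier</key><string>disk1s2</string>
          <key>Size</key><integer>2000000000000</integer>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def physical_store_rows(plist_bytes: bytes) -> list[dict[str, Any]]:
    """One row per physical store; container_* columns repeat per store."""
    data = plistlib.loads(plist_bytes)
    rows: list[dict[str, Any]] = []
    for container in data.get("Containers", []):
        for store in container.get("PhysicalStores", []):
            rows.append({
                "container_uuid": container.get("APFSContainerUUID", ""),
                "container_designated_physical_store": container.get("DesignatedPhysicalStore", ""),
                "container_reference": container.get("ContainerReference", ""),
                # Assumed encoding of a boolean in a text column.
                "container_fusion": "1" if container.get("Fusion") else "0",
                "container_capacity_ceiling": int(container.get("CapacityCeiling", 0)),
                "container_capacity_free": int(container.get("CapacityFree", 0)),
                "uuid": store.get("APFSPhysicalStoreUUID", ""),
                "identifier": store.get("DeviceIdentifier", ""),
                "size": int(store.get("Size", 0)),
            })
    return rows


def stores_by_container(rows: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map container_reference -> identifiers of all its physical stores.

    This is what the designated-store column alone hides: a Fusion
    container lists one designated store but is backed by two.
    """
    out: dict[str, list[str]] = {}
    for row in rows:
        out.setdefault(row["container_reference"], []).append(row["identifier"])
    return out


def rows_from_diskutil() -> list[dict[str, Any]]:
    """Run diskutil on a real Mac and flatten its output (macOS only)."""
    proc = subprocess.run(["diskutil", "apfs", "list", "-plist"],
                          check=True, capture_output=True)
    return physical_store_rows(proc.stdout)


if __name__ == "__main__":
    for r in physical_store_rows(SAMPLE_PLIST):
        print(r["container_reference"], r["identifier"], r["container_fusion"], r["size"])
```

Running the module on the constructed sample prints three rows: one for `disk3` and two for `disk4`, the Fusion container, whose designated store `disk0s3` is only one of its two backing stores. `rows_from_diskutil()` does the same against a live Mac.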