fix: check device mounted at filesystem root for encryption (#8719)

Jan Christian Grünhage 2022-11-15 16:50:58 +01:00 committed by GitHub
parent e2a1500102
commit 8fee954dba
3 changed files with 4 additions and 3 deletions


@ -0,0 +1 @@
* Reduce false negatives for query used for determining encryption status on Linux systems


@ -71,10 +71,10 @@ export const DEFAULT_POLICIES: IPolicyNew[] = [
{
key: 5,
query:
"SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';",
"SELECT 1 FROM (SELECT encrypted, path FROM disk_encryption FULL OUTER JOIN mounts ON mounts.device_alias = disk_encryption.name) WHERE encrypted = 1 AND path = '/';",
name: "Full disk encryption enabled (Linux)",
description:
"Checks if the dm-1 device is encrypted. There are many ways to encrypt Linux systems. This is the default on distributions such as Ubuntu. You may need to adapt this query, or submit an issue in the Fleet repo.",
"Checks if the device mounted at / is encrypted. There are many ways to encrypt Linux systems. You may need to adapt this query, or submit an issue in the Fleet repo.",
resolution:
"Ensure the image deployed to your Linux workstation includes full disk encryption.",
platform: "linux",
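Review bot: The FULL OUTER JOIN in the new `query:` string is unnecessary and possibly unsupported on agents: the WHERE clause keeps only rows that have `encrypted = 1` from disk_encryption and `path = '/'` from mounts, so every row the outer join adds (NULL on one side) is discarded and a plain inner join returns exactly the same result. SQLite only gained FULL OUTER JOIN support in 3.39, so depending on which SQLite the deployed osquery builds bundle, this policy may fail with a query error instead of evaluating to pass/fail. The wrapping subquery adds nothing either; `"SELECT 1 FROM disk_encryption JOIN mounts ON mounts.device_alias = disk_encryption.name WHERE encrypted = 1 AND path = '/';"` is equivalent and portable. The DEFAULT_POLICIES array this entry belongs to starts and ends outside the hunk.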


@ -585,7 +585,7 @@ FROM
// osquery table on darwin and linux, it is always present.
},
"disk_encryption_linux": {
Query: `SELECT 1 FROM disk_encryption WHERE encrypted = 1 AND name = '/dev/dm-1';`,
Query: `SELECT 1 FROM (SELECT encrypted, path FROM disk_encryption FULL OUTER JOIN mounts ON mounts.device_alias = disk_encryption.name) WHERE encrypted = 1 AND path = '/';`,
Platforms: fleet.HostLinuxOSs,
DirectIngestFunc: directIngestDiskEncryption,
// the "disk_encryption" table doesn't need a Discovery query as it is an official
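Review bot: The new `Query:` line reports encryption only for the device mounted at `/`, and only when `mounts.device_alias` equals `disk_encryption.name` exactly, yet neither limitation is documented next to the query that `directIngestDiskEncryption` consumes. A separately mounted, unencrypted `/home` or data volume therefore never affects the result, and if the root filesystem is a logical volume stacked above the encrypted device, the mounted alias is presumably not the encrypted device itself and the host would be ingested as unencrypted — worth confirming on an LVM-on-LUKS host. I would add `// Only the device mounted at / is considered; other mounts are ignored, and the` / `// mounted device must itself be the encrypted one (not e.g. an LV stacked on LUKS).` above `Query:`. The FULL OUTER JOIN is also an avoidable dependency on SQLite 3.39+ in the agent, since the WHERE clause discards every row the outer join adds and an inner `JOIN` yields the same rows. The enclosing map literal starts and ends outside the hunk.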