Anyone know a query that can reliably (across osquery versions) identify if osquery is running on Linux? I thought this would do, but the results are inconsistent:

SELECT 1 FROM osquery_info WHERE build_platform = 'linux'

.

do you want to identify all the machines that are running any linux distro or you want information about the exact distro?

Heh. IIRC we don’t expose the platform information usefully. Sometimes it’s “linux” sometimes it’s a random distro name. And there’s an

acts_like

that’s also wrong.

Does

os_version

work? Specifically the

platform_like

column? Or is that not 100% reliable?

It’s weird. IIRC redhat and centos just id as centos for both platform and platform_like. Something like that. I’d have to dig through notes or source code.

Thanks for the insights all! I'm looking for "any linux distro".

I’d use the bitmask.