Anyone know a query that can reliably across osquery version

Question

Anyone know a query that can reliably across osquery versions identify if osquery is running on Linux I thought this would do but the results are inconsistent `SELECT 1 FROM osquery info WHERE build platform = linux `

zwass · Answer

For context <https github com fleetdm fleet issues 1557>

jordi · Answer

do you want to identify all the machines that are running any linux distro or you want information about the exact distro

jordi · Answer

`platform bitmask` may be what you are looking for <https github com osquery osquery blob d2be385d71f401c85872f00d479df8f499164c5a osquery utils info platform type h L28>

seph · Answer

Heh IIRC we don t expose the platform information usefully Sometimes it s linux sometimes it s a random distro name And there s an `acts like` that s also wrong

seph · Answer

You might be able to say `not darwin not windows`

seph · Answer

Or use the bitmask

seph · Answer

I added the bitmask because we don t expose this usefully and that seemed like a fine backstop

puffycid · Answer

Does `os version` work Specifically the `platform like` column Or is that not 100 reliable

seph · Answer

It s weird IIRC redhat and centos just id as centos for both platform and platform like Something like that I d have to dig through notes or source code

zwass · Answer

Thanks for the insights all I m looking for any linux distro

seph · Answer

I d use the bitmask