Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Anyone know a _query_ that can reliably (across osquery versions) identify if osquery is running on Linux? I thought this would do, but the results are inconsistent: `SELECT 1 FROM osquery_info WHERE build_platform = 'linux'`.

For context: <https://github.com/fleetdm/fleet/issues/1557>

do you want to identify all the machines that are running _any_ linux distro or you want information about the exact distro?

`platform_bitmask`  may be what you are looking for

<https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/utils/info/platform_type.h#L28>

Heh. IIRC we don’t expose the platform information usefully. Sometimes it’s “linux” sometimes it’s a random distro name. And there’s an `acts_like` that’s also wrong.

You might be able to say `not darwin, not windows`

(I added the bitmask because we don’t expose this usefully, and that seemed like a fine backstop)

Does `os_version` work? Specifically the `platform_like` column?
Or is that not 100% reliable?

It’s weird. IIRC redhat and centos just id as centos for both platform and platform_like. Something like that. I’d have to dig through notes or source code.

Thanks for the insights all! I'm looking for "any linux distro".