Hello everyone is there a way query to check if a device is osquery #fleet

Join Slack

Hello everyone, is there a way/query to check if a...

# fleet

Adrian Junge

01/18/2023, 2:46 PM

Hello everyone, is there a way/query to check if a device is a virtual machine?

Kathy Satterlee

01/18/2023, 5:42 PM

Something that can be used to determine if a host is a VM is to use the

system_table

to check the hardware manufacture of the device. If it is a VM, you will end up getting names of VM vendors (Vmware, Virtualbox, etc) VM host

Copy code

osqueryi.exe "select hardware_model from system_info"
+----------------+
| hardware_model |
+----------------+
| VMware7,1      |
+----------------+

Physical host

Copy code

osqueryi.exe "select hardware_model from system_info"
+---------------------+
| hardware_model      |
+---------------------+
| HP Laptop 15-dw3xxx |

Adrian Junge

01/19/2023, 9:52 AM

Yeah I already saw this column but it is just empty for my VM. Is this VM configuration related?

Adrian Junge

01/19/2023, 10:00 AM

Ok nvm @Kathy Satterlee when running it with osqueryi "hardware_model" is just empty. But when running your query in fleetdm it returns me the vendor of my VM in "hardware_model" column. But why? :o

Kathy Satterlee

01/19/2023, 4:28 PM

That's odd! What happens if you run

osquery

with

sudu

... or without if you already were? Is it just that column that comes up empty, or do you get all blank if you

osqueryi.exe "select * from system_info"

Adrian Junge

01/19/2023, 5:01 PM

Omg yeah with sudo the query works... Thanks a lot!

Open in Slack

Previous Next