0

I understand that it makes sense to use /etc/redhat-release or /etc/gentoo-release to identify os platform (aka the origin of the linux)

but why not use os name from /etc/os-release? which will more accurately describe the exact linux os name (e.g. the exact variant of a redhat)

jun shen
  • 53
  • 1
  • 4
  • related osquery code: https://github.com/osquery/osquery/blob/2e3495837d4fe4db3554c6ef76494bc86c74c099/osquery/tables/system/linux/os_version.cpp#L135C4-L142 – jun shen Jul 02 '23 at 06:03
  • According to this answer; https://unix.stackexchange.com/a/351560 every system that runs systemd *should* have a `/etc/os-release`, but what if they don't? But `redhat-release` and `gentoo-release` might not be present too. Another helpful answer; https://unix.stackexchange.com/a/92218 – doneforaiur Jul 02 '23 at 06:12
  • thanks @doneforaiur is it better to use /etc/os-release first if it exists? instead of using redhat-release and gentoo-release regardless? I still dont get the point why osquery prefers redhat-release/gentoo-release instead of os-release – jun shen Jul 02 '23 at 17:21

1 Answers1

0

You ask "why"... Asking why is sometimes hard to answer. In this case, I suspect it's because /etc/os-release is a systemd thing, and not universal.

Osquery tries to work on a broad range of operating systems.

As for whether it's better to try it, maybe? Osquery is a volunteer project. You could submit that as a patch (or an issue)

seph
  • 813
  • 6
  • 16