add windows machine GUID to hardware identifiers (#2282)

Co-authored-by: Rebecca Mahany-Horton <rebeccamahany@gmail.com>

Author: zackattack01

ee/agent/hardware_identifiers_other.go

@@ -0,0 +1,16 @@
+//go:build !windows
+// +build !windows
+
+package agent
+
+import (
+	"context"
+
+	"github.com/kolide/launcher/ee/agent/types"
+)
+
+// currentMachineGuid is only implemented for windows, where the hardware_uuid
+// cannot be used as a stable identifier
+func currentMachineGuid(_ context.Context, _ types.Knapsack) (string, error) {
+	return "", nil
+}

ee/agent/hardware_identifiers_windows.go

@@ -0,0 +1,44 @@
+//go:build windows
+// +build windows
+
+package agent
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/kolide/launcher/ee/agent/types"
+	"golang.org/x/sys/windows/registry"
+)
+
+const (
+	regKeyMachineGuidParent string = `SOFTWARE\Microsoft\Cryptography`
+	regValueMachineGuid     string = `MachineGuid`
+)
+
+// currentMachineGuid retrieves the current value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
+// from the windows registry, to be used as a stable hardware identifier for windows
+func currentMachineGuid(ctx context.Context, k types.Knapsack) (string, error) {
+	parentKey, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyMachineGuidParent, registry.READ)
+	if err != nil {
+		return "", fmt.Errorf("opening registry key '%s': %w", regKeyMachineGuidParent, err)
+	}
+
+	defer func() {
+		if err := parentKey.Close(); err != nil {
+			k.Slogger().Log(ctx, slog.LevelInfo,
+				"could not close registry key",
+				"key_name", regKeyMachineGuidParent,
+				"err", err,
+			)
+		}
+	}()
+
+	machGuid, _, err := parentKey.GetStringValue(regValueMachineGuid)
+	if err != nil {
+		return "", fmt.Errorf("reading registry value '%s' for key '%s': %w", regValueMachineGuid, regKeyMachineGuidParent, err)
+	}
+
+	return machGuid, nil
+}

ee/agent/reset.go

@@ -35,6 +35,7 @@ var (
 	hostDataKeyHardwareUuid = []byte("hardware_uuid")
 	hostDataKeyMunemo       = []byte("munemo")
 	hostDataKeyResetRecords = []byte("reset_records")
+	hostDataKeyMachineGuid  = []byte("machine_guid") // used for windows only, because the hardware_uuid is not stable
 )
 
 const (
@@ -52,7 +53,9 @@ func (use UninitializedStorageError) Error() string {
 // stored data in the HostDataStore. If the hardware- or enrollment-identifying information
 // has changed, it logs the change. In the future, it will take a backup of the database, and
 // then clear all data from it.
-func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
+// returns a bool of whether remediation occurred (for now, just whether it would have occurred
+// given the detection parameters in place)
+func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) bool {
 	ctx, span := observability.StartSpan(ctx)
 	defer span.End()
 
@@ -61,11 +64,13 @@ func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
 	serialChanged := false
 	hardwareUUIDChanged := false
 	munemoChanged := false
+	machineGuidChanged := false
 
 	defer func() {
 		slogger.Log(ctx, slog.LevelDebug, "finished check to see if database should be reset",
 			"serial", serialChanged,
 			"hardware_uuid", hardwareUUIDChanged,
+			"machine_guid", machineGuidChanged,
 			"munemo", munemoChanged,
 		)
 	}()
@@ -78,6 +83,13 @@ func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
 		hardwareUUIDChanged = valueChanged(ctx, k, slogger, currentHardwareUUID, hostDataKeyHardwareUuid)
 	}
 
+	currentMachineGuid, err := currentMachineGuid(ctx, k)
+	if err != nil {
+		slogger.Log(ctx, slog.LevelWarn, "could not get current machine GUID", "err", err)
+	} else {
+		machineGuidChanged = valueChanged(ctx, k, slogger, currentMachineGuid, hostDataKeyMachineGuid)
+	}
+
 	// Collect munemo for logging/record-keeping purposes only -- we don't use it to determine whether
 	// we should perform a reset
 	currentTenantMunemo, err := currentMunemo(k)
@@ -87,11 +99,14 @@ func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
 		munemoChanged = valueChanged(ctx, k, slogger, currentTenantMunemo, hostDataKeyMunemo)
 	}
 
-	if serialChanged && hardwareUUIDChanged {
+	// note that machineGuid is only collected for windows. machineGuidChanged will only ever have a meaningful value for Windows
+	remediationRequired := (serialChanged && hardwareUUIDChanged) || machineGuidChanged
+	if remediationRequired {
 		slogger.Log(ctx, slog.LevelWarn, "detected hardware change",
 			"serial_changed", serialChanged,
 			"hardware_uuid_changed", hardwareUUIDChanged,
 			"tenant_munemo_changed", munemoChanged,
+			"machine_guid_changed", machineGuidChanged,
 		)
 		// In the future, we can proceed with backing up and resetting the database.
 		// For now, we are only logging that we detected the change until we have a dependable
@@ -100,6 +115,7 @@ func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
 			slogger.Log(ctx, slog.LevelWarn, "resetting the database",
 				"serial_changed", serialChanged,
 				"hardware_uuid_changed", hardwareUUIDChanged,
+				"machine_guid_changed", machineGuidChanged,
 				"tenant_munemo_changed", munemoChanged,
 			)
 
@@ -125,6 +141,13 @@ func DetectAndRemediateHardwareChange(ctx context.Context, k types.Knapsack) {
 			slogger.Log(ctx, slog.LevelWarn, "could not set munemo in host data store", "err", err)
 		}
 	}
+	if machineGuidChanged {
+		if err := k.PersistentHostDataStore().Set(hostDataKeyMachineGuid, []byte(currentMachineGuid)); err != nil {
+			slogger.Log(ctx, slog.LevelWarn, "could not set machine GUID in host data store", "err", err)
+		}
+	}
+
+	return remediationRequired
 }
 
 func GetResetRecords(ctx context.Context, k types.Knapsack) ([]dbResetRecord, error) {
@@ -240,7 +263,7 @@ func valueChanged(ctx context.Context, k types.Knapsack, slogger *slog.Logger, c
 		return false // assume no change
 	}
 
-	if len(storedValue) == 0 {
+	if len(storedValue) == 0 && len(currentValue) > 0 {
 		slogger.Log(ctx, slog.LevelDebug, "value not previously stored, storing now", "key", string(dataKey))
 		if err := k.PersistentHostDataStore().Set(dataKey, []byte(currentValue)); err != nil {
 			slogger.Log(ctx, slog.LevelError, "could not store value", "err", err, "key", string(dataKey))

ee/agent/reset_test.go

@@ -86,6 +86,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 		serialChanged          bool
 		hardwareUUIDSetInStore bool
 		hardwareUUIDChanged    bool
+		machineGUIDSetInStore  bool
+		machineGUIDChanged     bool
 		osquerySuccess         bool
 		munemoSetInStore       bool
 		munemoChanged          bool
@@ -98,6 +100,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -110,6 +114,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          true,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -122,6 +128,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    true,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -134,6 +142,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          true,
@@ -146,6 +156,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          true,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    true,
+			machineGUIDSetInStore:  true,
+			machineGUIDChanged:     true,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          true,
@@ -158,6 +170,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         false,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -170,6 +184,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -182,6 +198,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -194,6 +212,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: false,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
@@ -206,6 +226,8 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       false,
 			munemoChanged:          false,
@@ -218,24 +240,63 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			serialChanged:          false,
 			hardwareUUIDSetInStore: true,
 			hardwareUUIDChanged:    true,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     false,
 			osquerySuccess:         true,
 			munemoSetInStore:       true,
 			munemoChanged:          false,
 			registrationsExist:     true,
 			expectDatabaseWipe:     false,
 		},
+		{
+			name:                   "machine GUID previously stored, all other data unchanged, no database wipe",
+			serialSetInStore:       true,
+			serialChanged:          false,
+			hardwareUUIDSetInStore: true,
+			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  true,
+			machineGUIDChanged:     false,
+			osquerySuccess:         true,
+			munemoSetInStore:       true,
+			munemoChanged:          false,
+			registrationsExist:     true,
+			expectDatabaseWipe:     false,
+		},
+		{
+			name:                   "machine GUID not previously stored, all other data unchanged, no database wipe",
+			serialSetInStore:       true,
+			serialChanged:          false,
+			hardwareUUIDSetInStore: true,
+			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  false,
+			machineGUIDChanged:     true,
+			osquerySuccess:         true,
+			munemoSetInStore:       true,
+			munemoChanged:          false,
+			registrationsExist:     true,
+			expectDatabaseWipe:     false,
+		},
+		{
+			name:                   "machine GUID previously stored, then changed, expect database wipe",
+			serialSetInStore:       true,
+			serialChanged:          false,
+			hardwareUUIDSetInStore: true,
+			hardwareUUIDChanged:    false,
+			machineGUIDSetInStore:  true,
+			machineGUIDChanged:     true,
+			osquerySuccess:         true,
+			munemoSetInStore:       true,
+			munemoChanged:          false,
+			registrationsExist:     true,
+			expectDatabaseWipe:     true,
+		},
 	}
 
 	for _, tt := range testCases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			// For now, we never expect the database to be wiped. In the future, when we
-			// decide to proceed with resetting the database, we can remove this line from
-			// the tests and they will continue to validate expected behavior.
-			tt.expectDatabaseWipe = false
-
 			slogger := multislogger.NewNopLogger()
 
 			// Set up dependencies: data store for hardware-identifying data
@@ -270,6 +331,9 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 				actualHardwareUUID = "test-hardware-uuid"
 			}
 
+			actualMachineGUID, err := currentMachineGuid(context.TODO(), mockKnapsack)
+			require.NoError(t, err, "expected to be able to read machine GUID")
+
 			if tt.serialSetInStore {
 				if tt.serialChanged {
 					require.NoError(t, testHostDataStore.Set(hostDataKeySerial, []byte("some-old-serial")), "could not set serial in test store")
@@ -286,6 +350,14 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 				}
 			}
 
+			if tt.machineGUIDSetInStore {
+				if tt.machineGUIDChanged {
+					require.NoError(t, testHostDataStore.Set(hostDataKeyMachineGuid, []byte("some-old-machine-guid")), "could not set machine guid in test store")
+				} else {
+					require.NoError(t, testHostDataStore.Set(hostDataKeyMachineGuid, []byte(actualMachineGUID)), "could not set machine guid in test store")
+				}
+			}
+
 			// Set up dependencies: ensure that retrieved tenant matches current data
 			munemoValue := []byte("test-munemo")
 
@@ -331,7 +403,13 @@ func TestDetectAndRemediateHardwareChange(t *testing.T) {
 			require.NoError(t, testConfigStore.Set([]byte("localEccKey"), testLocalEccKeyRaw))
 
 			// Make test call
-			DetectAndRemediateHardwareChange(context.TODO(), mockKnapsack)
+			remediationRequired := DetectAndRemediateHardwareChange(context.TODO(), mockKnapsack)
+			require.Equal(t, tt.expectDatabaseWipe, remediationRequired, "expected remediation to be required when database should be wiped")
+
+			// For now, we never expect the database to be wiped. In the future, when we
+			// decide to proceed with resetting the database, we can remove this line from
+			// the tests and they will continue to validate expected behavior.
+			tt.expectDatabaseWipe = false
 
 			// Confirm backup occurred, if database got wiped
 			if tt.expectDatabaseWipe {