def check_data_secret(self, data):
reported_serial_number = data['serial_num']
if reported_serial_number != self.machine_serial_number:
# the SN reported by osquery is not the one configured in the enrollment secret
auth_err = "santa reported SN {} different from enrollment SN {}".format(reported_serial_number,
self.machine_serial_number)
machine_info = {k: v for k, v in data.items()
if k in ("hostname", "os_build", "os_version", "serial_num", "primary_user") and v}
post_machine_conflict_event(self.request, "zentral.contrib.santa",
reported_serial_number, self.machine_serial_number,
machine_info)
raise APIAuthError(auth_err)
def check_data_secret(self, data):
msn = data.get('machine_serial_number')
if not msn:
raise APIAuthError(
f"No reported machine serial number. Request SN {self.machine_serial_number}."
)
if msn != self.machine_serial_number:
# the serial number reported by the zentral postflight is not the one in the enrollment secret.
auth_err = "Zentral postflight reported SN {} different from enrollment SN {}".format(
msn, self.machine_serial_number)
post_machine_conflict_event(self.request, "zentral.contrib.munki",
msn, self.machine_serial_number, {})
raise APIAuthError(auth_err)
def check_data_secret(self, data):
super().check_data_secret(data)
self.data_data = data.pop("data")
for r in self.data_data:
decorations = r.pop("decorations", None)
if decorations:
hardware_serial = decorations.get("hardware_serial")
if hardware_serial and hardware_serial != self.machine_serial_number:
# the SN reported by osquery is not the one configured in the enrollment secret
auth_err = "osquery reported SN {} different from enrollment SN {}".format(
hardware_serial, self.machine_serial_number)
post_machine_conflict_event(self.request,
"zentral.contrib.osquery",
hardware_serial,
self.machine_serial_number,
decorations)
raise APIAuthError(auth_err)
def process_decorations(self, records):
if not records:
return
decorations = records[-1].get("decorations", {})
# verify serial number
serial_number = decorations.get("serial_number")
if serial_number and serial_number != self.machine.serial_number:
logger.warning(f"osquery reported SN {serial_number} "
f"different from enrolled machine SN {self.machine.serial_number}")
post_machine_conflict_event(self.request, "zentral.contrib.osquery",
serial_number, self.machine.serial_number,
decorations)
return {"node_invalid": True}
# update osquery version if necessary
osquery_version = decorations.get("version")
if osquery_version and self.enrolled_machine.osquery_version != osquery_version:
self.enrolled_machine.osquery_version = osquery_version
self.enrolled_machine.save()
def check_data_secret(self, data):
super().check_data_secret(data)
self.data_data = data.pop("data")
for r in self.data_data:
decorations = r.pop("decorations", None)
if decorations:
platform = platform_with_os_name(decorations.get("os_name"))
if platform == MACOS:
hardware_serial = decorations.get("hardware_serial")
if hardware_serial and hardware_serial != self.machine_serial_number:
# The SN reported by osquery is not the one configured in the enrollment secret.
# For other platforms than MACOS, it could happen. For example, we take the GCE instance ID as
# serial number in the enrollment secret for linux, if possible.
# Osquery builds one from the SMBIOS/DMI.
auth_err = "osquery reported SN {} different from enrollment SN {}".format(
hardware_serial, self.machine_serial_number)
post_machine_conflict_event(self.request,
SOURCE_MODULE,
hardware_serial,
self.machine_serial_number,
decorations)
raise APIAuthError(auth_err)
