2024-03-14
You might want to think about if your system serial numbers are sensitive
Recently, a commenter on my entry about what's lost when running the Prometheus host agent as a non-root user on Linux pointed out that if you do this, one of the things omitted (which I hadn't noticed) is part of the system's DMI information. Specifically, you lose various serial numbers and the 'product UUID', which is potentially another unique identifier for the system, because Linux makes the /sys/class/dmi/id files holding these readable only by root (this appears to have been the case since support for them was added to /sys in 2007). This got me thinking about whether serial numbers are something we should consider sensitive in general.
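As an added illustration (not code from the original entry or from the Prometheus host agent), here is a small audit script that shows concretely which /sys/class/dmi/id fields a non-root agent cannot read, and which identifying fields would be exposed if they were world readable. It judges readability from the mode bits rather than from `os.access()`, so it gives the same answer whether it runs as root or not. The set of identifying field names and the constructed sample directory (with placeholder serial numbers) are my assumptions, standing in for a real machine's DMI entries; when run on a Linux system it audits the real directory instead.

```python
import stat
import tempfile
from pathlib import Path

# DMI fields that identify one specific physical machine: the serial numbers
# and the SMBIOS product UUID. (Assumed set for this example.)
IDENTIFYING_FIELDS = frozenset(
    {"product_serial", "product_uuid", "board_serial", "chassis_serial"}
)

DMI_DIR = Path("/sys/class/dmi/id")


def audit_dmi_dir(dmi_dir):
    """Return {field: (world_readable, identifying)} for every file in dmi_dir.

    Readability comes from the mode bits, not os.access(), so the result
    describes what a non-root reader sees even when the audit runs as root.
    """
    report = {}
    for entry in sorted(Path(dmi_dir).iterdir()):
        if not entry.is_file():
            continue
        mode = entry.stat().st_mode
        world_readable = bool(mode & stat.S_IROTH)
        report[entry.name] = (world_readable, entry.name in IDENTIFYING_FIELDS)
    return report


def lost_to_non_root(report):
    """Fields a non-root agent cannot read at all (root-only mode bits)."""
    return sorted(name for name, (readable, _) in report.items() if not readable)


def exposed_identifiers(report):
    """Identifying fields that are world readable, i.e. any local user or a
    non-root metrics agent would pick them up."""
    return sorted(
        name for name, (readable, ident) in report.items() if readable and ident
    )


def make_sample_dmi_dir():
    """Constructed stand-in for /sys/class/dmi/id (placeholder values, and the
    0444 / 0400 split the kernel uses for ordinary vs. serial/UUID fields)."""
    root = Path(tempfile.mkdtemp(prefix="dmi-sample-"))
    sample = {
        "sys_vendor": ("Example Computer Co.", 0o444),
        "product_name": ("Example Server 1U", 0o444),
        "chassis_asset_tag": ("ASSET-CONSTRUCTED", 0o444),
        "product_serial": ("SN-CONSTRUCTED-0001", 0o400),
        "product_uuid": ("00000000-0000-0000-0000-000000000000", 0o400),
        "board_serial": ("BRD-CONSTRUCTED-0001", 0o400),
    }
    for name, (value, mode) in sample.items():
        path = root / name
        path.write_text(value + "\n")
        path.chmod(mode)
    return root


if __name__ == "__main__":
    target = DMI_DIR if DMI_DIR.is_dir() else make_sample_dmi_dir()
    rep = audit_dmi_dir(target)
    print(f"audited {target}")
    for name, (readable, ident) in rep.items():
        tag = "IDENTIFYING" if ident else ""
        print(f"  {name:20s} {'world-readable' if readable else 'root-only':15s} {tag}")
    print("lost to a non-root agent:", lost_to_non_root(rep))
    print("identifying fields any user can read:", exposed_identifiers(rep))
```

Run as root on a real host, the `lost_to_non_root` list is what a non-root host agent silently omits; the `exposed_identifiers` list is the more interesting one if you ever loosen those permissions or copy the values into a metrics system, since everything in it becomes a permanent unique identifier available to whoever can query that system.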
My tentative conclusion is that for us, serial numbers probably aren't sensitive enough to do anything special about. I don't think any of our system or component serial numbers can be used to issue one time license keys or the like, and while people could probably do some mischief with some of them, this is likely a low risk thing in our academic environment.
(Broadly, we don't consider any of our metrics to be deeply sensitive; put another way, we wouldn't want to collect any metrics that were, because in our environment it would take a lot of work to protect them. And we do collect DMI information and put it into our metrics system.)
This doesn't mean that serial numbers have no sensitivity even for us; I definitely do consider them something that I generally wouldn't (and don't) put in entries here, for example. Depending on the vendor, revealing serial numbers to the public may let the public do things like see your exact system configuration, when it was delivered, and other potentially somewhat sensitive information. There's also more of a risk that bored Internet people will engage in even minor mischief.
However, your situation is not necessarily like ours. There are probably plenty of environments where serial numbers are potentially more sensitive or more dangerous if exposed (especially if exposed widely). And in some environments, people run semi-hostile software that would love to get its hands on a permanent and unique identifier for the machine. Before you gather or expose serial number information (for systems or for things like disks), you might want to think about this.
At the same time, having relatively detailed hardware configuration information can be important, as in the war story that inspired me to start collecting this information in our metrics system. And serial numbers are a great way to disambiguate exactly which piece of hardware was being used for what, when. We deliberately collect disk drive serial number information from SMART, for example, and put it into our metrics system (sometimes with amusing results).