See if screenlock is enabled on Ubuntu Linux

[allenhouchins]

prospect-pingouin: Slack thread: https://fleetdm.slack.com/archives/C07GLME5P7C/p1728505255553249

• @noahtalerman: User requested this because they want to know whether screenlock is enabled across their Ubuntu Linux Fleet. There's some security/compliance requirement to have screenlock enabled, after a certain time (minutes), for all my workstations.
  • @noahtalerman: In the interim the user can write a script to pull the gsettings (see comment here)
  • @noahtalerman: In the interim the user could use auto table contruction (ATC) in Fleet to add a table that they can write osquery queries that get the gsettings (see comment here)
  • @noahtalerman: Eventually Fleet might update the screenlock table to support Ubuntu Linux. Fleet could add this to host vitals for macOS, Windows, and Ubuntu Linux

  • @allenhouchins: To do this, we could use the gsettings schema: https://github.com/fleetdm/fleet/issues/22823#issuecomment-2420353188

[noahtalerman]

Problem

Admins need a way to query specific settings managed by gsettings on Ubuntu Linux hosts to ensure security and report on compliance.

From the org.gnome.desktop.screensaver schema:

• lock-enabled Type: boolean Description: Enables or disables the lock screen. If false, the screen will not lock when idle. Example: gsettings set org.gnome.desktop.screensaver lock-enabled false
• idle-activation-enabled Type: boolean Description: If true, the screensaver will activate after the system is idle for a set amount of time. Example: gsettings set org.gnome.desktop.screensaver idle-activation-enabled false
• idle-delay Type: uint32 Description: Time in seconds before the screensaver is activated after inactivity. Example: gsettings set org.gnome.desktop.screensaver idle-delay 600 (sets 10 minutes)
• lock-delay Type: uint32 Description: Time in seconds after the screensaver has started when the screen should be locked. If set to 0, the screen locks immediately after the screensaver starts. Example: gsettings set org.gnome.desktop.screensaver lock-delay 60 (locks the screen 1 minute after the screensaver starts)
• picture-uri Type: string Description: URI of the image to display on the lock screen. Example: gsettings set org.gnome.desktop.screensaver picture-uri 'file:///path/to/image.jpg'
• picture-options Type: string Description: Defines how the lock screen background image should be displayed (options: none, wallpaper, centered, scaled, stretched, zoom, spanned). Example: gsettings set org.gnome.desktop.screensaver picture-options 'stretched'
• show-date Type: boolean Description: If true, the date will be shown on the lock screen. Example: gsettings set org.gnome.desktop.screensaver show-date true
• show-full-name-in-top-bar Type: boolean Description: If true, the full name of the user will be shown in the top bar on the lock screen. Example: gsettings set org.gnome.desktop.screensaver show-full-name-in-top-bar false
• show-notifications Type: boolean Description: If true, notifications will be shown on the lock screen. Example: gsettings set org.gnome.desktop.screensaver show-notifications true
• show-info Type: boolean Description: Shows the system information (e.g., battery status, Wi-Fi) on the lock screen. Example: gsettings set org.gnome.desktop.screensaver show-info true
• color-shading-type Type: string Description: Defines how shading is applied to the lock screen (options: solid, horizontal, vertical). Example: gsettings set org.gnome.desktop.screensaver color-shading-type 'horizontal'
• primary-color Type: string Description: Sets the primary color for the lock screen background (in hex format). Example: gsettings set org.gnome.desktop.screensaver primary-color 'HEXVALUE'
• secondary-color Type: string Description: Sets the secondary color for shading effects on the lock screen. Example: gsettings set org.gnome.desktop.screensaver secondary-color 'HEXVALUE'
• ubuntu-lock-on-suspend (specific to Ubuntu GNOME) Type: boolean Description: If true, the screen will lock when the system suspends. Example: gsettings set org.gnome.desktop.screensaver ubuntu-lock-on-suspend true

From the org.gnome.desktop.session schema:

• idle-delay Type: uint32 Description: The number of seconds before the session is considered idle. Example: gsettings set org.gnome.desktop.session idle-delay 300 (sets idle delay to 5 minutes)
• idlehint Type: boolean Description: If true, the system will hint that the user is idle.
• session-name Type: string Description: The name of the session (e.g., gnome, ubuntu).
• logout-prompt Type: boolean Description: If set to true, a prompt will appear before logging out of the session.
• auto-save-session Type: boolean Description: If set to true, the session will be automatically saved when you log out. Note: This may be deprecated in newer versions of GNOME.
• fail-whale-timeout Type: uint32 Description: The amount of time (in seconds) before the session manager considers the desktop to have failed.

What have you tried?

These settings are stored in a database managed by gsettings and not available in plain text.

Potential solutions

Build a new table in osquery/fleetd that is populated by the results of the command gsettings list-keys org.gnome.desktop.session and gsettings list-keys org.gnome.desktop.screensaver

What is the expected workflow as a result of your proposal?

Admins can easily build queries and policies to check security and compliance related settings on their Ubuntu Linux hosts.

[noahtalerman]

Hey @allenhouchins I pulled this request off of feature fest b/c it doesn't meet the criteria for prioritization: https://github.com/fleetdm/fleet/pull/23184/files#diff-c99d12c3af50c0c2aca2b9ef7597c02ccfe87678291956ff0b2e83d63978ea38R370