Added dconf_read table and documentation to enable fleet desktop on Fedora and Debian (#27684)

For #20675 and #25977.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [X] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).

Author: lucasmrod

articles/fleet-desktop-on-fedora-and-debian.md

@@ -0,0 +1,42 @@
+# Enabling Fleet Desktop on Fedora and Debian
+
+[Fleet Desktop](https://fleetdm.com/guides/fleet-desktop) is a menu bar icon available on macOS, Windows, and Linux that gives your end users visibility into the security posture of their machine.
+
+Fedora and Debian do not support tray icons by default and rely on the [appindicator-support](https://extensions.gnome.org/extension/615/appindicator-support/) GNOME extension for enabling tray icons. GNOME extensions prompt the end user to accept the installation.
+
+This article aims to explain how admins can enable Fleet Desktop on such Linux distributions by using policy queries paired with script execution.
+
+## Policy and script execution
+
+The [fedora-debian-check-fleet-desktop.yml](../it-and-security/lib/linux/policies/fedora-debian-check-fleet-desktop.yml) policy (used in our Dogfood environment) can be used to check if the extension needed for Fleet Desktop is installed and enabled on Fedora and Debian hosts.
+> NOTE: fleetd 1.41.0 is required (the policy query relies on a table added to that version).
+
+Starting in version v4.58.0, Fleet supports running scripts to remediate failing policies (see the [Automatically run scripts](./policy-automation-run-script.md) article for more information). Admins can therefore configure Fleet to run [fedora-debian-enable-fleet-desktop.sh](../it-and-security/lib/linux/scripts/fedora-debian-enable-fleet-desktop.sh) on devices where the policy detects the extension is missing.
+
+[Here](../it-and-security/lib/linux/policies/fedora-debian-check-fleet-desktop.yml)'s the full example (policy + script) we use in our GitOps configuration for our Dogfood environment.
+
+### End-user experience
+
+Following are screenshots of the end-user experience when Fleet runs the script to install the extension (GNOME requires a prompt for installation of extensions for security purposes).
+
+<p float="left">
+  <img src="../website/assets/images/fedora_38_appindicator_extension_prompt.png" title="Fedora 38" width="300" />
+  <img src="../website/assets/images/debian_12_appindicator_extension_prompt.png" title="Debian 12" width="300" /> 
+</p>
+
+> If the end-user hits `Cancel` instead of `Install` then the extension won't be installed and the policy will continue to fail on the host. Fleet only deploys the script on the first failure of the policy, so the end-user won't be prompted again and again, just once. Admins can still run the script on such hosts manually.
+
+### Tray icon
+
+After the extension is installed your users will see the Fleet icon on their menu bar:
+
+<p float="left">
+  <img src="../website/assets/images/fedora_38_fleet_desktop_tray.png" title="Fedora 38" width="300" />
+  <img src="../website/assets/images/debian_12_fleet_desktop_tray.png" title="Debian 12" width="300" /> 
+</p>
+
+<meta name="authorGitHubUsername" value="lucasmrod">
+<meta name="authorFullName" value="Lucas Rodriguez">
+<meta name="publishedOn" value="2025-04-01">
+<meta name="articleTitle" value="Enabling Fleet Desktop on Fedora and Debian">
+<meta name="category" value="guides">

it-and-security/lib/linux/policies/fedora-debian-check-fleet-desktop.yml

@@ -0,0 +1,32 @@
+- name: Check Fleet Desktop on Fedora and Debian
+  critical: false
+  description: This policy checks if the extension required for Fleet Desktop is installed and enabled.
+  resolution: |
+    Install and enable the "[email protected]" extension by running the following commands on a terminal (as user, not root):
+    gdbus call --session \
+      --dest org.gnome.Shell.Extensions \
+      --object-path /org/gnome/Shell/Extensions \
+      --method org.gnome.Shell.Extensions.InstallRemoteExtension \
+      "[email protected]"
+    gnome-extensions enable "[email protected]"
+  platform: linux
+  query: |
+    SELECT 1 WHERE NOT EXISTS (
+      -- Policy succeeds on Linux distributions that are not Fedora or Debian.
+      SELECT 1 FROM os_version WHERE name = 'Fedora Linux' OR platform = 'debian'
+    ) OR NOT EXISTS (
+      -- Policy succeeds on Linux hosts that do not have Fleet Desktop enabled or
+      -- Fleet Desktop is not running (e.g. logged out from GUI).
+      SELECT 1 FROM processes WHERE name = 'fleet-desktop' LIMIT 1
+    ) OR EXISTS (
+      WITH fleet_desktop AS (SELECT TRIM(cwd, '/home/') AS username, cwd AS home FROM processes WHERE name = 'fleet-desktop' LIMIT 1)
+      SELECT 1 WHERE EXISTS (
+        -- Check if the extension is installed (an extension can be enabled but not installed, and viceversa).
+        SELECT 1 FROM file WHERE path = CONCAT((SELECT home FROM fleet_desktop), '/.local/share/gnome-shell/extensions/[email protected]') AND type = 'directory'
+      ) AND EXISTS (
+        -- Check if the extension is enabled (an extension can be enabled but not installed, and viceversa).
+        SELECT 1 FROM dconf_read WHERE username = (SELECT fleet_desktop.username FROM fleet_desktop) AND key = '/org/gnome/shell/enabled-extensions' AND value like '%[email protected]%'
+      )
+    );
+  run_script:
+    path: ../scripts/fedora-debian-enable-fleet-desktop.sh

it-and-security/lib/linux/queries/all-deb-hosts.yml

@@ -6,4 +6,4 @@
   logging: snapshot
   observer_can_run: true
   platform: linux
-  query: SELECT * FROM os_version WHERE platform_like = 'debian';
+  query: SELECT * FROM os_version WHERE platform = 'debian';

it-and-security/lib/linux/scripts/fedora-debian-enable-fleet-desktop.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Script assumes one user is using the desktop environment (no multi-session).
+# It was tested on Fedora 38, 39 and Debian 12.
+
+set -x
+
+run_uid=$(id -u)
+
+# Start detached script and exit as root (to send result back to Fleet).
+if [ $run_uid == 0 ] && [ $# -eq 0 ]; then
+	/bin/bash -c "/bin/bash $0 1 >/var/log/orbit/appindicator_script.log 2>/var/log/orbit/appindicator_script.log </dev/null &"
+	echo "A detached script to install extension has been started (logs can be found in /var/log/orbit/appindicator_script.log)."
+	exit 0
+fi
+
+# Wait for user to be logged in to the GUI (by checking fleet-desktop process).
+fleet_desktop_pid=$(pgrep fleet-desktop)
+while [ -z $fleet_desktop_pid ]; do
+	fleet_desktop_pid=$(pgrep fleet-desktop)
+	sleep 10
+done
+
+extension_name="[email protected]"
+username=$(ps -o user= -p $fleet_desktop_pid | xargs)
+uid=$(ps -o uid= -p $fleet_desktop_pid | xargs)
+
+# If the extension is not installed, then prompt the user.
+if [ ! -d "/home/$username/.local/share/gnome-shell/extensions/$extension_name" ]; then
+	# Show notification to user before the prompt.
+	sudo -i -u $username -H DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus \
+		gdbus call --session \
+		--dest org.freedesktop.Notifications \
+		--object-path /org/freedesktop/Notifications \
+		--method org.freedesktop.Notifications.Notify \
+		"Fleet Desktop" 0 \"\" "Fleet Desktop" "Install a GNOME extension to enable Fleet Desktop. This lets you see what your organization is doing on your computer." "[]" '{"urgency": <2>}' 0
+
+	# Give some time to user to see notification.
+	sleep 10
+
+	# Prompt user for installation of extension.
+	sudo -i -u $username -H DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus \
+		gdbus call --session \
+		--dest org.gnome.Shell.Extensions \
+		--object-path /org/gnome/Shell/Extensions \
+		--method org.gnome.Shell.Extensions.InstallRemoteExtension \
+		"$extension_name"
+
+	# Wait until the extension is accepted by the user ("gbus call" command above is asynchronous).
+	while [ ! -d "/home/$username/.local/share/gnome-shell/extensions/$extension_name" ]; do
+	  sleep 1
+	done
+
+	# Sleep to give some time for files to be downloaded.
+	sleep 15
+fi
+
+# Enable the extension in case it was disabled in the past.
+sudo -i -u $username -H DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus \
+	gnome-extensions enable "$extension_name"

it-and-security/teams/compliance-exclusions.yml

@@ -33,8 +33,10 @@ controls:
     - path: ../lib/macos/scripts/uninstall-fleetd-macos.sh
     - path: ../lib/windows/scripts/uninstall-fleetd-windows.ps1
     - path: ../lib/linux/scripts/uninstall-fleetd-linux.sh
+    - path: ../lib/linux/scripts/fedora-debian-enable-fleet-desktop.sh
 policies:
-    - path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
+  - path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
+  - path: ../lib/linux/policies/fedora-debian-check-fleet-desktop.yml
 queries:
 software:
   packages:

it-and-security/teams/servers-canary.yml

@@ -27,6 +27,8 @@ controls:
     deadline_days: null
     grace_period_days: null
   scripts:
+    - path: ../lib/linux/scripts/fedora-debian-enable-fleet-desktop.sh
 policies:
+  - path: ../lib/linux/policies/fedora-debian-check-fleet-desktop.yml
 queries:
 software:

it-and-security/teams/workstations-canary.yml

@@ -27,35 +27,35 @@ agent_options:
       logger_tls_period: 10
       pack_delimiter: /
   overrides:
-      platforms:
-        darwin:
-          auto_table_construction:
-            tcc_system:
-              path: /Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
-              columns:
-                - service
-                - client
-                - client_type
-                - auth_value
-                - auth_reason
-                - policy_id
-                - indirect_object_identifier
-                - indirect_object_identifier_type
-                - last_modified
-            tcc_user:
-              path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
-              columns:
-                - service
-                - client
-                - client_type
-                - auth_value
-                - auth_reason
-                - policy_id
-                - indirect_object_identifier
-                - indirect_object_identifier_type
-                - last_modified
+    platforms:
+      darwin:
+        auto_table_construction:
+          tcc_system:
+            path: /Library/Application Support/com.apple.TCC/TCC.db
+            query: "select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access"
+            columns:
+              - service
+              - client
+              - client_type
+              - auth_value
+              - auth_reason
+              - policy_id
+              - indirect_object_identifier
+              - indirect_object_identifier_type
+              - last_modified
+          tcc_user:
+            path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
+            query: "select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access"
+            columns:
+              - service
+              - client
+              - client_type
+              - auth_value
+              - auth_reason
+              - policy_id
+              - indirect_object_identifier
+              - indirect_object_identifier_type
+              - last_modified
   update_channels:
     # We want to use these hosts to smoke test edge releases.
     osqueryd: edge
@@ -140,6 +140,7 @@ controls:
     - path: ../lib/windows/scripts/create-admin-user.ps1
     - path: ../lib/windows/scripts/uninstall-fleetd-windows.ps1
     - path: ../lib/linux/scripts/uninstall-fleetd-linux.sh
+    - path: ../lib/linux/scripts/fedora-debian-enable-fleet-desktop.sh
 policies:
   - path: ../lib/macos/policies/1password-emergency-kit-check.yml
   - path: ../lib/macos/policies/update-firefox.yml
@@ -156,6 +157,7 @@ policies:
   - path: ../lib/windows/policies/1password-installed.yml
   - path: ../lib/windows/policies/update-1password.yml
   - path: ../lib/linux/policies/disk-encryption-check.yml
+  - path: ../lib/linux/policies/fedora-debian-check-fleet-desktop.yml
 queries:
   - path: ../lib/macos/queries/detect-apple-intelligence.yml
 software:
@@ -174,4 +176,4 @@ software:
     - path: ../lib/windows/software/google-chrome-arm.yml # Google Chrome for Windows (ARM)
     - path: ../lib/windows/software/1password.yml # 1Password for Windows
   app_store_apps:
-      - app_store_id: '803453959' # Slack Desktop
+    - app_store_id: "803453959" # Slack Desktop

orbit/changes/20675-fleet-desktop-fedora-debian

@@ -0,0 +1 @@
+* Added `dconf_read` table to get configuration information from GNOME.

orbit/pkg/table/dconf_read/dconf_read_linux.go

@@ -0,0 +1,68 @@
+//go:build linux
+// +build linux
+
+package dconf_read
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"os/exec"
+
+	"github.com/osquery/osquery-go/plugin/table"
+	"github.com/rs/zerolog/log"
+)
+
+// Columns is the schema of the table.
+func Columns() []table.ColumnDefinition {
+	return []table.ColumnDefinition{
+		table.TextColumn("username"), // required
+		table.TextColumn("key"),      // required
+		table.TextColumn("value"),
+	}
+}
+
+// Generate is called to return the results for the table at query time.
+// Constraints for generating can be retrieved from the queryContext.
+func Generate(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
+	getFirstConstraint := func(columnName string) string {
+		if constraints, ok := queryContext.Constraints[columnName]; ok {
+			for _, constraint := range constraints.Constraints {
+				if constraint.Operator == table.OperatorEquals {
+					return constraint.Expression
+				}
+			}
+		}
+		return ""
+	}
+
+	username := getFirstConstraint("username")
+	if username == "" {
+		return nil, errors.New("missing username")
+	}
+
+	key := getFirstConstraint("key")
+	if key == "" {
+		return nil, errors.New("missing key")
+	}
+
+	cmd := exec.Command("/usr/bin/sudo", "-u", username, "/usr/bin/dconf", "read", key)
+	var (
+		stdout bytes.Buffer
+		stderr bytes.Buffer
+	)
+	cmd.Stderr = &stderr
+	cmd.Stdout = &stdout
+	log.Debug().Str("cmd", cmd.String()).Msg("running")
+	err := cmd.Run()
+	if err != nil {
+		return nil, fmt.Errorf("dconf read failed: %w: %s", err, stderr.String())
+	}
+
+	return []map[string]string{{
+		"username": username,
+		"key":      key,
+		"value":    stdout.String(),
+	}}, nil
+}

orbit/pkg/table/extension_linux.go

@@ -7,9 +7,10 @@ import (
 	"github.com/fleetdm/fleet/v4/orbit/pkg/table/crowdstrike/falconctl"
 	"github.com/fleetdm/fleet/v4/orbit/pkg/table/cryptsetup"
 	"github.com/fleetdm/fleet/v4/orbit/pkg/table/dataflattentable"
-	"github.com/rs/zerolog/log"
-
+	"github.com/fleetdm/fleet/v4/orbit/pkg/table/dconf_read"
 	"github.com/osquery/osquery-go"
+	"github.com/osquery/osquery-go/plugin/table"
+	"github.com/rs/zerolog/log"
 )
 
 func PlatformTables(_ PluginOpts) ([]osquery.OsqueryPlugin, error) {
@@ -18,5 +19,6 @@ func PlatformTables(_ PluginOpts) ([]osquery.OsqueryPlugin, error) {
 		falconctl.NewFalconctlOptionTable(log.Logger), // table name is "falconctl_option"
 		falcon_kernel_check.TablePlugin(log.Logger),   // table name is "falcon_kernel_check"
 		dataflattentable.TablePluginExec(log.Logger, "nftables", dataflattentable.JsonType, []string{"nft", "-jat", "list", "ruleset"}, dataflattentable.WithBinDirs("/usr/bin", "/usr/sbin")), // -j (json) -a (show object handles) -t (terse, omit set contents)
+		table.NewPlugin("dconf_read", dconf_read.Columns(), dconf_read.Generate),
 	}, nil
 }

schema/osquery_fleet_schema.json

@@ -6011,6 +6011,37 @@
     ],
     "fleetRepoUrl": "https://github.com/fleetdm/fleet/blob/main/schema/tables/curl_certificate.yml"
   },
+  {
+    "name": "dconf_read",
+    "platforms": [
+      "linux"
+    ],
+    "description": "Returns GNOME configuration using the \"dconf read\" command.",
+    "columns": [
+      {
+        "name": "username",
+        "type": "text",
+        "required": true,
+        "description": "End user's username."
+      },
+      {
+        "name": "key",
+        "type": "text",
+        "required": true,
+        "description": "Name of the configuration key to read."
+      },
+      {
+        "name": "value",
+        "type": "text",
+        "required": false,
+        "description": "Value of the provided key."
+      }
+    ],
+    "notes": "This table is not a core osquery table. It is included as part of Fleet's agent ([fleetd](https://fleetdm.com/docs/get-started/anatomy#fleetd)).",
+    "evented": false,
+    "url": "https://fleetdm.com/tables/dconf_read",
+    "fleetRepoUrl": "https://github.com/fleetdm/fleet/blob/main/schema/tables/dconf_read.yml"
+  },
   {
     "name": "deb_packages",
     "description": "The installed DEB package database.",

schema/tables/dconf_read.yml

@@ -0,0 +1,19 @@
+name: dconf_read
+platforms:
+  - linux
+description: Returns GNOME configuration using the "dconf read" command.
+columns:
+  - name: username
+    type: text
+    required: true
+    description: End user's username. 
+  - name: key
+    type: text
+    required: true
+    description: Name of the configuration key to read.
+  - name: value
+    type: text
+    required: false
+    description: Value of the provided key.
+notes: This table is not a core osquery table. It is included as part of Fleet's agent ([fleetd](https://fleetdm.com/docs/get-started/anatomy#fleetd)).
+evented: false