Improve UNIX screensaver detection, fix /git/git bug

Author: tstromberg

.yamllint

@@ -11,6 +11,6 @@ rules:
   document-start: disable
   line-length:
     level: warning
-    max: 160
+    max: 200
     allow-non-breakable-inline-mappings: true
   truthy: disable

cmd/agent/checks.yaml

@@ -173,11 +173,87 @@ checks:
           - Set screen lock delay to 5 seconds or less
           - Go to System Settings > Lock Screen
           - Set "Require password after..." to 5 seconds or less
-    linux:
-      - output: gsettings get org.gnome.desktop.screensaver lock-enabled
+    unix:
+      # GNOME - Only check if GNOME Shell is running
+      - output: pgrep gnome-shell && gsettings get org.gnome.desktop.screensaver lock-enabled
         includes: "false"
         remediation:
           - Enable screen lock with 'gsettings set org.gnome.desktop.screensaver lock-enabled true'
+      # MATE - Only check if MATE session is running
+      - output: pgrep mate-session && gsettings get org.mate.screensaver lock-enabled
+        includes: "false"
+        remediation:
+          - Enable screen lock with 'gsettings set org.mate.screensaver lock-enabled true'
+      # XFCE - Only check if XFCE session is running
+      - output: pgrep xfce4-session && xfconf-query -c xfce4-screensaver -p /saver/enabled
+        includes: "false"
+        remediation:
+          - Enable screensaver with 'xfconf-query -c xfce4-screensaver -p /saver/enabled -s true'
+      - output: pgrep xfce4-session && xfconf-query -c xfce4-screensaver -p /lock/enabled
+        includes: "false"
+        remediation:
+          - Enable screen lock with 'xfconf-query -c xfce4-screensaver -p /lock/enabled -s true'
+      # KDE Plasma - Only check if KDE session is running
+      - output: pgrep plasmashell && kreadconfig5 --file kscreenlockerrc --group Daemon --key Autolock
+        includes: "false"
+        remediation:
+          - Enable automatic screen locking in KDE System Settings > Desktop Behavior > Screen Locking
+          - Or run 'kwriteconfig5 --file kscreenlockerrc --group Daemon --key Autolock true'
+      # Cinnamon - Only check if Cinnamon is running
+      - output: pgrep cinnamon && gsettings get org.cinnamon.desktop.screensaver lock-enabled
+        includes: "false"
+        remediation:
+          - Enable Cinnamon screen lock with 'gsettings set org.cinnamon.desktop.screensaver lock-enabled true'
+      # Budgie - Only check if Budgie is running
+      - output: pgrep budgie-panel && gsettings get org.gnome.desktop.screensaver lock-enabled
+        includes: "false"
+        remediation:
+          - Enable Budgie screen lock with 'gsettings set org.gnome.desktop.screensaver lock-enabled true'
+      # LXQt - Only check if LXQt session is running
+      - output: pgrep lxqt-session && grep -r "lockScreenCommand" ~/.config/lxqt/
+        excludes: "lockScreenCommand"
+        remediation:
+          - Configure LXQt screen locking
+          - Set lockScreenCommand in ~/.config/lxqt/session.conf
+          - Install a screen locker like light-locker, xscreensaver, or xlock
+      # LXDE - Only check if LXDE session is running
+      - output: pgrep lxsession && (command -v light-locker || command -v xscreensaver || command -v xlock)
+        exitcode: 1
+        remediation:
+          - Install a screen locker for LXDE
+          - "Linux/FreeBSD: Install light-locker or xscreensaver"
+          - "OpenBSD/NetBSD: Install xlock from packages"
+      # i3 Window Manager - Only check if i3 is running
+      - output: pgrep i3 && grep -r "i3lock\|xautolock\|xss-lock" ~/.config/i3/ ~/.i3/config
+        excludes: "i3lock|xautolock|xss-lock"
+        remediation:
+          - Install and configure screen locking for i3
+          - "Install locker: i3lock, slock, or xlock (varies by OS)"
+          - "Add to i3 config: 'exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock -n'"
+      # Openbox Window Manager - Only check if openbox is running
+      - output: pgrep openbox && grep -r "xautolock\|xss-lock" ~/.config/openbox/
+        excludes: "xautolock|xss-lock"
+        remediation:
+          - Configure screen locking for Openbox
+          - "Add to ~/.config/openbox/autostart: 'xautolock -time 15 -locker \"i3lock -c 000000\" &'"
+      # Sway (Wayland) - Only check if sway is running
+      - output: pgrep sway && grep -r "exec swayidle" ~/.config/sway/
+        excludes: "swayidle"
+        remediation:
+          - Configure swayidle to lock screen automatically
+          - "Add to Sway config: 'exec swayidle -w timeout 900 \"swaylock -f\" before-sleep \"swaylock -f\"'"
+      # Generic X11 fallback - Only if X11 is running but no specific DE detected
+      - output: >
+          pgrep Xorg && ! (pgrep gnome-shell || pgrep mate-session || pgrep xfce4-session ||
+          pgrep plasmashell || pgrep cinnamon || pgrep budgie-panel || pgrep lxqt-session ||
+          pgrep lxsession || pgrep i3 || pgrep openbox || pgrep sway) && xset q
+        includes: "timeout:.*0"
+        remediation:
+          - Configure X11 screen saver with 'xset s 900'
+          - Install and configure a screen locker (xlock, i3lock, slock)
+          - "Add to window manager startup: 'xautolock -time 15 -locker \"xlock\" &'"
+    linux:
+      # Linux-specific additional checks
     windows:
       - output: >
           powershell -Command "(Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
@@ -199,13 +275,89 @@ checks:
           - Go to System Settings > Lock Screen
           - Set "Turn display off on battery when inactive" to 15 minutes or less
           - Set "Turn display off on power adapter when inactive" to 15 minutes or less
-    linux:
-      # Check screensaver idle delay (in seconds) - fail if 0 or > 900
-      - output: gsettings get org.gnome.desktop.session idle-delay 2>&1 | grep -o '[0-9]*' || echo "0"
+    unix:
+      # GNOME - Only check timeout if GNOME Shell is running
+      - output: pgrep gnome-shell && gsettings get org.gnome.desktop.session idle-delay
         includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
         remediation:
-          - Set screensaver timeout to 15 minutes or less
+          - Set GNOME screensaver timeout to 15 minutes or less
           - Run 'gsettings set org.gnome.desktop.session idle-delay 900'
+      # MATE - Only check timeout if MATE session is running
+      - output: pgrep mate-session && gsettings get org.mate.screensaver idle-delay
+        includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
+        remediation:
+          - Set MATE screensaver timeout to 15 minutes or less
+          - Run 'gsettings set org.mate.screensaver idle-delay 15'
+      # XFCE - Only check timeout if XFCE session is running
+      - output: pgrep xfce4-session && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep
+        includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
+        remediation:
+          - Set XFCE display timeout to 15 minutes or less
+          - Run 'xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep -s 15'
+      - output: pgrep xfce4-session && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-battery-sleep
+        includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
+        remediation:
+          - Set XFCE battery display timeout to 15 minutes or less
+          - Run 'xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-battery-sleep -s 15'
+      # KDE Plasma - Only check timeout if KDE session is running
+      - output: pgrep plasmashell && kreadconfig5 --file kscreenlockerrc --group Daemon --key Timeout
+        includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
+        remediation:
+          - Set KDE screen lock timeout to 15 minutes or less
+          - Run 'kwriteconfig5 --file kscreenlockerrc --group Daemon --key Timeout 15'
+          - Or configure in System Settings > Desktop Behavior > Screen Locking
+      # Cinnamon - Only check timeout if Cinnamon is running
+      - output: pgrep cinnamon && gsettings get org.cinnamon.desktop.screensaver lock-delay
+        includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
+        remediation:
+          - Set Cinnamon screensaver timeout to 15 minutes or less
+          - Run 'gsettings set org.cinnamon.desktop.screensaver lock-delay 900'
+      # Budgie - Only check timeout if Budgie is running
+      - output: pgrep budgie-panel && gsettings get org.gnome.desktop.session idle-delay
+        includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
+        remediation:
+          - Set Budgie screensaver timeout to 15 minutes or less
+          - Run 'gsettings set org.gnome.desktop.session idle-delay 900'
+      # LXQt - Only check timeout if LXQt session is running
+      - output: pgrep lxqt-session && grep -r "timeBeforeIdleMs" ~/.config/lxqt/
+        includes: "timeBeforeIdleMs.*([9][1-9][0-9][0-9][0-9][0-9]|[1-9][0-9]{6,})"
+        remediation:
+          - Set LXQt idle timeout to 15 minutes (900000 ms) or less
+          - Configure in LXQt System Settings > Power Management
+      # LXDE - Only check timeout if LXDE session is running
+      - output: pgrep lxsession && grep -r "sleep_display_ac" ~/.config/lxsession/ /etc/xdg/lxsession/
+        includes: "sleep_display_ac.*([1-9][6-9]|[2-9][0-9]|[1-9][0-9]{2,})"
+        remediation:
+          - Set LXDE display sleep to 15 minutes or less
+          - Edit ~/.config/lxsession/LXDE/desktop.conf and set sleep_display_ac=15
+      # Sway - Only check timeout if sway is running
+      - output: pgrep sway && grep -r "timeout" ~/.config/sway/
+        includes: "timeout [9][1-9][0-9][0-9]|timeout [1-9][0-9]{4,}"
+        remediation:
+          - Configure swayidle timeout to 15 minutes (900 seconds) or less
+          - "Add to Sway config: 'exec swayidle -w timeout 900 \"swaylock -f\"'"
+      # i3 Window Manager - Only check timeout if i3 is running
+      - output: pgrep i3 && grep -r "xautolock.*-time" ~/.config/i3/ ~/.i3/config
+        includes: "-time [1-9][6-9]|-time [2-9][0-9]|-time [1-9][0-9]{2,}"
+        remediation:
+          - Configure xautolock timeout to 15 minutes or less
+          - "Add to i3 config: 'exec --no-startup-id xautolock -time 15 -locker \"i3lock -c 000000\"'"
+      # Openbox - Only check timeout if openbox is running
+      - output: pgrep openbox && grep -r "xautolock.*-time" ~/.config/openbox/
+        includes: "-time [1-9][6-9]|-time [2-9][0-9]|-time [1-9][0-9]{2,}"
+        remediation:
+          - Configure xautolock timeout to 15 minutes or less
+          - "Add to ~/.config/openbox/autostart: 'xautolock -time 15 -locker \"i3lock -c 000000\" &'"
+      # Generic X11 - Only if X11 is running but no specific DE detected
+      - output: >
+          pgrep Xorg && ! (pgrep gnome-shell || pgrep mate-session || pgrep xfce4-session ||
+          pgrep plasmashell || pgrep cinnamon || pgrep budgie-panel || pgrep lxqt-session ||
+          pgrep lxsession || pgrep i3 || pgrep openbox || pgrep sway) && xset q
+        includes: "timeout:.*([9][1-9][0-9]|[1-9][0-9]{3,})"
+        remediation:
+          - Set X11 screen saver timeout to 15 minutes (900 seconds) or less
+          - Run 'xset s 900' to set timeout
+          - Add 'xset s 900' and screen locker to your startup scripts
     windows:
       # Check screensaver timeout in seconds (fail if 0 or > 900)
       - output: >

cmd/server/main.go

@@ -63,6 +63,9 @@ const (
 //go:embed templates/*
 var templates embed.FS
 
+//go:embed static/*
+var staticFiles embed.FS
+
 var (
 	gitURL = flag.String("git", os.Getenv("GIT_REPO"), "Git repository URL or path to clone to temp directory (env: GIT_REPO)")
 	clone  = flag.String("clone", "", "Path to existing local git clone to work in directly")
@@ -272,6 +275,10 @@ func main() {
 	mux.HandleFunc("/api/v1/devices", server.handleAPIDevices)
 	mux.HandleFunc("/health", server.handleHealth)
 
+	// Serve static files
+	staticHandler := http.FileServer(http.FS(staticFiles))
+	mux.Handle("/static/", http.StripPrefix("/static/", staticHandler))
+
 	srv := &http.Server{
 		Addr:           ":" + *port,
 		Handler:        loggingMiddleware(mux),
@@ -877,9 +884,8 @@ func loggingMiddleware(next http.Handler) http.Handler {
 		writer.Header().Set("X-Frame-Options", "DENY")
 		writer.Header().Set("X-XSS-Protection", "1; mode=block")
 		writer.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
-		cspPolicy := "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
-			"script-src 'self' 'sha256-lx2dNpe/W18YJvrDgNmLsDSM85bNRGfsh94PEHc787A=' " +
-			"'sha256-luoavMkf5zRI42vsq0JhiXNoMTeddLeACqCCElcW+GE='"
+		// Simplified CSP - only allow self-hosted scripts and styles
+		cspPolicy := "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'"
 		writer.Header().Set("Content-Security-Policy", cspPolicy)
 
 		start := time.Now()

cmd/server/templates/device.html

@@ -578,45 +578,6 @@ <h3 class="empty-state-title">No Compliance Data Available</h3>
         {{end}}
     </div>
 
-    <script>
-        function toggleCheck(header) {
-            const checkItem = header.parentElement;
-            checkItem.classList.toggle('expanded');
-        }
-
-        document.addEventListener('DOMContentLoaded', function() {
-            // Add click listeners to check headers
-            document.querySelectorAll('.check-header').forEach(header => {
-                header.addEventListener('click', function() {
-                    toggleCheck(this);
-                });
-            });
-
-            // Filter functionality
-            document.querySelectorAll('.filter-btn').forEach(btn => {
-                btn.addEventListener('click', function() {
-                    // Update active button
-                    document.querySelectorAll('.filter-btn').forEach(b => b.classList.remove('active'));
-                    this.classList.add('active');
-                    
-                    // Filter checks
-                    const filter = this.dataset.filter;
-                    document.querySelectorAll('.check-item').forEach(item => {
-                        if (filter === 'all' || item.dataset.status === filter) {
-                            item.style.display = '';
-                        } else {
-                            item.style.display = 'none';
-                        }
-                    });
-                });
-            });
-
-            // Auto-expand failed checks
-            document.querySelectorAll('.check-item[data-status="fail"]').forEach(item => {
-                // Optionally auto-expand failed checks
-                // item.classList.add('expanded');
-            });
-        });
-    </script>
+    <script src="/static/device.js"></script>
 </body>
 </html>

internal/gitstore/store.go

@@ -63,25 +63,22 @@ func NewLocal(ctx context.Context, localPath string) (*Store, error) {
 	// Check if it's already a git repository
 	var repo *git.Repository
 	if _, err := os.Stat(filepath.Join(absPath, ".git")); err != nil {
-		if os.IsNotExist(err) {
-			// Initialize new repository
-			log.Printf("[INFO] Initializing new git repository at %s", absPath)
-			repo, err = git.PlainInit(absPath, false)
-			if err != nil {
-				return nil, fmt.Errorf("failed to initialize git repository: %w", err)
-			}
-
-			// Create initial commit
-			if err := createInitialCommit(repo, absPath); err != nil {
-				log.Printf("[WARN] Failed to create initial commit: %v", err)
-			}
+		if !os.IsNotExist(err) {
+			return nil, fmt.Errorf("failed to check git repository: %w", err)
+		}
+		// Initialize new repository
+		log.Printf("[INFO] Initializing new git repository at %s", absPath)
+		repo, err = git.PlainInit(absPath, false)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize git repository: %w", err)
+		}
+		// No initial commit needed - first device will create directory structure
+	} else {
+		// Open existing repository
+		repo, err = git.PlainOpen(absPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to open git repository: %w", err)
 		}
-		return nil, fmt.Errorf("failed to check git repository: %w", err)
-	}
-	// Open existing repository
-	repo, err = git.PlainOpen(absPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open git repository: %w", err)
 	}
 
 	s := &Store{
@@ -102,8 +99,8 @@ func NewLocal(ctx context.Context, localPath string) (*Store, error) {
 	}
 
 	// Create devices directory if it doesn't exist
-	devicesDir := filepath.Join(s.repoPath, devicesDir)
-	if err := os.MkdirAll(devicesDir, repoDirPerm); err != nil {
+	devicesDirPath := filepath.Join(s.repoPath, devicesDir)
+	if err := os.MkdirAll(devicesDirPath, repoDirPerm); err != nil {
 		return nil, fmt.Errorf("failed to create devices directory: %w", err)
 	}
 
@@ -188,8 +185,8 @@ func NewRemote(ctx context.Context, gitURL string) (*Store, error) {
 	}
 
 	// Create devices directory if needed
-	devicesDir := filepath.Join(s.repoPath, devicesDir)
-	if err := os.MkdirAll(devicesDir, repoDirPerm); err != nil {
+	devicesDirPath := filepath.Join(s.repoPath, devicesDir)
+	if err := os.MkdirAll(devicesDirPath, repoDirPerm); err != nil {
 		return nil, fmt.Errorf("failed to create devices directory: %w", err)
 	}
 
@@ -386,8 +383,8 @@ func (s *Store) LoadDevices(ctx context.Context) ([]*gitmdm.Device, error) {
 		}
 	}
 
-	devicesDir := filepath.Join(s.repoPath, devicesDir)
-	entries, err := os.ReadDir(devicesDir)
+	devicesDirPath := filepath.Join(s.repoPath, devicesDir)
+	entries, err := os.ReadDir(devicesDirPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			log.Print("[INFO] No devices directory found, returning empty list")
@@ -539,47 +536,3 @@ func sanitizeID(id string) string {
 
 	return result
 }
-
-// createInitialCommit creates an initial commit with the devices directory.
-func createInitialCommit(repo *git.Repository, repoPath string) error {
-	w, err := repo.Worktree()
-	if err != nil {
-		return fmt.Errorf("failed to get worktree: %w", err)
-	}
-
-	// Create devices directory
-	devicesDir := filepath.Join(repoPath, devicesDir)
-	if err := os.MkdirAll(devicesDir, repoDirPerm); err != nil {
-		return fmt.Errorf("failed to create devices directory: %w", err)
-	}
-
-	// Create README in devices directory to ensure it's tracked
-	readmePath := filepath.Join(devicesDir, "README.md")
-	readmeContent := `# Device Compliance Data
-
-This directory contains compliance reports for all monitored devices.
-Each device has its own subdirectory identified by its hardware ID.
-`
-	if err := os.WriteFile(readmePath, []byte(readmeContent), 0o600); err != nil {
-		return fmt.Errorf("failed to create README: %w", err)
-	}
-
-	// Add README to staging
-	if _, err := w.Add("devices/README.md"); err != nil {
-		return fmt.Errorf("failed to add README: %w", err)
-	}
-
-	// Create initial commit
-	_, err = w.Commit("Initial commit - GitMDM repository initialized", &git.CommitOptions{
-		Author: &object.Signature{
-			Name:  "GitMDM",
-			Email: "gitmdm@localhost",
-			When:  time.Now(),
-		},
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create initial commit: %w", err)
-	}
-
-	return nil
-}