Add security policies and reports to Workstations (#43457)

Add multiple endpoint security policies and telemetry reports and wire
them into the workstations fleet manifest. New macOS policies: firewall,
Gatekeeper, SIP (critical), Remote Login disabled, screen-lock
inactivity, and local-admin count; new Windows policies: Secure Boot,
Remote Desktop disabled, interactive screen-lock timeout; new Linux
policy: sshd PermitRootLogin restriction. Added cross-platform reports
for disk encryption (includes BitLocker), local user/admin inventory,
USB devices, listening ports, and Chromium-family browser extensions.
These changes improve compliance and detection coverage (SOC2/ISO
mappings included) and enable more comprehensive fleet monitoring.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added device compliance checks: macOS firewall, Gatekeeper, SIP, local
admin count, Windows Secure Boot, and Linux SSH root-login restriction
* Disabled high-risk remote access: macOS Remote Login and Windows
Remote Desktop checks
  * Added screen-lock inactivity checks for macOS and Windows
* New inventory reports: local user accounts, connected USB devices,
open listening ports, and browser extensions (Safari, Firefox,
Chromium-family)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: allenhouchins

it-and-security/fleets/workstations.yml

@@ -162,6 +162,12 @@ policies:
   - path: ../lib/macos/policies/patch-fleet-maintained-apps.yml
   - path: ../lib/macos/policies/update-fleet-desktop.yml
   - path: ../lib/macos/policies/battery-health-check.yml
+  - path: ../lib/macos/policies/firewall-enabled.yml
+  - path: ../lib/macos/policies/gatekeeper-enabled.yml
+  - path: ../lib/macos/policies/sip-enabled.yml
+  - path: ../lib/macos/policies/remote-login-disabled.yml
+  - path: ../lib/macos/policies/screen-lock-inactivity.yml
+  - path: ../lib/macos/policies/local-admin-count-reasonable.yml
   # Windows policies
   - path: ../lib/windows/policies/antivirus-signatures-up-to-date.yml
   - path: ../lib/windows/policies/all-windows-updates-installed.yml
@@ -171,16 +177,26 @@ policies:
   - path: ../lib/windows/policies/patch-fleet-maintained-apps.yml
   - path: ../lib/windows/policies/battery-health-check.yml
   - path: ../lib/windows/policies/windows-defender-compliance-check.yml
+  - path: ../lib/windows/policies/secure-boot-enabled.yml
+  - path: ../lib/windows/policies/remote-desktop-disabled.yml
+  - path: ../lib/windows/policies/screen-lock-timeout-configured.yml
   # Linux policies
   - path: ../lib/linux/policies/disk-encryption-check.yml
   - path: ../lib/linux/policies/disk-space-check.yml
   - path: ../lib/linux/policies/check-fleet-desktop-extension-enabled.yml
+  - path: ../lib/linux/policies/sshd-permitrootlogin-restricted.yml
 reports:
   - path: ../lib/macos/reports/detect-apple-intelligence.yml
   - path: ../lib/macos/reports/collect-default-browser.yml
   - path: ../lib/macos/reports/collect-santa-denied-logs.yml
   - path: ../lib/macos/reports/collect-macos-27-incompatible-apps.yml
   - path: ../lib/all/reports/dex-queries.yml
+  - path: ../lib/all/reports/collect-local-user-accounts.yml
+  - path: ../lib/all/reports/collect-usb-devices.yml
+  - path: ../lib/all/reports/collect-chromium-browser-extensions.yml
+  - path: ../lib/all/reports/collect-safari-browser-extensions.yml
+  - path: ../lib/all/reports/collect-firefox-browser-extensions.yml
+  - path: ../lib/all/reports/collect-listening-ports.yml
 software:
   packages:
     # macOS apps

it-and-security/lib/all/reports/collect-chromium-browser-extensions.yml

@@ -0,0 +1,22 @@
+- name: Collect Chromium-family browser extensions
+  description: |-
+    Extension inventory across Chrome, Edge, Brave, and other Chromium-based profiles.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+  query: |-
+    SELECT
+      u.username,
+      ce.browser_type,
+      ce.name,
+      ce.identifier,
+      ce.version,
+      ce.profile,
+      ce.path,
+      ce.permissions
+    FROM users u
+    INNER JOIN chrome_extensions ce USING (uid)
+    WHERE ce.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-firefox-browser-extensions.yml

@@ -0,0 +1,27 @@
+- name: Collect Firefox browser extensions
+  description: |-
+    Add-on/extension inventory across Firefox profiles for all users.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+  query: |-
+    SELECT
+      u.username,
+      fa.name,
+      fa.identifier,
+      fa.creator,
+      fa.type,
+      fa.version,
+      fa.description,
+      fa.source_url,
+      fa.active,
+      fa.disabled,
+      fa.autoupdate,
+      fa.location,
+      fa.path
+    FROM users u
+    INNER JOIN firefox_addons fa USING (uid)
+    WHERE fa.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-listening-ports.yml

@@ -0,0 +1,24 @@
+- name: Collect listening TCP/UDP ports
+  description: |-
+    Processes listening on network ports for anomaly detection and firewall reviews.
+    Maps to **NET-91** / ISO **A.8.20**, **MON-121** / **A.8.16**, and SOC2 **CC 6.6** / **CC 7.2**.
+  query: |-
+    SELECT
+      lp.port,
+      lp.protocol,
+      lp.family,
+      lp.address,
+      lp.path AS unix_socket_path,
+      p.pid,
+      p.name AS process_name,
+      p.path AS process_path,
+      p.cmdline
+    FROM listening_ports lp
+    LEFT JOIN processes p ON lp.pid = p.pid
+    WHERE lp.port > 0
+    ORDER BY lp.port;
+  interval: 3600
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-local-user-accounts.yml

@@ -0,0 +1,22 @@
+- name: Collect local user accounts and admin membership
+  description: |-
+    Inventory of local user accounts with admin-equivalent membership for access reviews.
+    Maps to Vanta **AST-66** / ISO **A.5.9** (asset inventory), **IAC-200** / **A.5.18** (access rights), and **IAC-201** / **A.8.2** (privileged access).
+  query: |-
+    SELECT
+      u.uid,
+      u.username,
+      u.uuid,
+      CASE WHEN EXISTS (
+        SELECT 1
+        FROM user_groups ug
+        INNER JOIN groups g ON ug.gid = g.gid
+        WHERE ug.uid = u.uid
+          AND g.groupname IN ('admin', 'Administrators', 'sudo', 'wheel')
+      ) THEN 'yes' ELSE 'no' END AS is_admin
+    FROM users u;
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-safari-browser-extensions.yml

@@ -0,0 +1,24 @@
+- name: Collect Safari browser extensions
+  description: |-
+    Extension inventory across Safari profiles for all macOS users.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+    Note: Safari data is isolated per macOS user, so osquery requires Full Disk Access to read it. See https://fleetdm.com/guides/enroll-hosts#grant-full-disk-access-to-osquery-on-macos.
+  query: |-
+    SELECT
+      u.username,
+      se.name,
+      se.identifier,
+      se.version,
+      se.sdk,
+      se.description,
+      se.path,
+      se.bundle_version,
+      se.copyright
+    FROM users u
+    INNER JOIN safari_extensions se USING (uid)
+    WHERE se.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin

it-and-security/lib/all/reports/collect-usb-devices.yml

@@ -0,0 +1,22 @@
+- name: Collect connected USB devices
+  description: |-
+    USB devices currently attached to the host (useful for removable media and exfiltration visibility).
+    Maps to Vanta **AST-70** / ISO **A.7.10** (storage media), **CRY-3** / SOC2 **CC 6.7**, and **DCH-112** / **A.8.12** (data leakage prevention).
+    Note: `usb_devices` is available on macOS and Linux only in Fleet’s schema.
+  query: |-
+    SELECT
+      usb_address,
+      usb_port,
+      vendor,
+      vendor_id,
+      model,
+      model_id,
+      serial,
+      version
+    FROM usb_devices
+    WHERE vendor != '' OR model != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux

it-and-security/lib/linux/policies/sshd-permitrootlogin-restricted.yml

@@ -0,0 +1,17 @@
+- name: Linux - SSH PermitRootLogin not set to yes
+  query: |-
+    SELECT 1 WHERE NOT EXISTS (
+      SELECT 1 FROM augeas
+      WHERE (path = '/etc/ssh/sshd_config' OR path LIKE '/etc/ssh/sshd_config.d/%')
+        AND label = 'PermitRootLogin'
+        AND value IN ('yes', 'true', '1')
+    );
+  critical: false
+  description: |-
+    Passes if sshd_config (including any drop-in files in /etc/ssh/sshd_config.d/) does not set PermitRootLogin to yes (absent or set to no/prohibit-password/without-password is OK).
+    Requires the augeas osquery table and augeas lenses on the host.
+  resolution: |-
+    Set `PermitRootLogin no` (or `prohibit-password`) in `/etc/ssh/sshd_config`, ensure no drop-in file in `/etc/ssh/sshd_config.d/` overrides it with `yes`, then restart `sshd`.
+
+    If you need help, please reach out in #help-it.
+  platform: linux

it-and-security/lib/macos/policies/firewall-enabled.yml

@@ -0,0 +1,9 @@
+- name: macOS - Application firewall enabled
+  query: SELECT 1 FROM alf WHERE global_state >= 1;
+  critical: false
+  description: |-
+    Verifies the macOS Application Layer Firewall is on (global_state 1 = enabled, 2 = enabled blocking all inbound).
+  resolution: |-
+    Firewall should be automatically enforced by MDM. If this fails, restart the Mac and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/gatekeeper-enabled.yml

@@ -0,0 +1,9 @@
+- name: macOS - Gatekeeper enabled
+  query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
+  critical: false
+  description: |-
+    Verifies Gatekeeper is enabled so only trusted software runs.
+  resolution: |-
+    Gatekeeper should be automatically enforced by MDM. If this fails, restart the Mac and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: darwin