Add security policies and reports to Workstations #43457

Merged
allenhouchins merged 8 commits into main from allenhouchins-compliance-reports-and-policies
Apr 29, 2026

Conversation

@allenhouchins (Member) commented Apr 13, 2026

Add multiple endpoint security policies and telemetry reports and wire them into the workstations fleet manifest. New macOS policies: firewall, Gatekeeper, SIP (critical), Remote Login disabled, screen-lock inactivity, and local-admin count; new Windows policies: Secure Boot, Remote Desktop disabled, interactive screen-lock timeout; new Linux policy: sshd PermitRootLogin restriction. Added cross-platform reports for disk encryption (includes BitLocker), local user/admin inventory, USB devices, listening ports, and Chromium-family browser extensions. These changes improve compliance and detection coverage (SOC2/ISO mappings included) and enable more comprehensive fleet monitoring.

Summary by CodeRabbit

  • New Features
    • Added device compliance checks: macOS firewall, Gatekeeper, SIP, local admin count, Windows Secure Boot, and Linux SSH root-login restriction
    • Disabled high-risk remote access: macOS Remote Login and Windows Remote Desktop checks
    • Added screen-lock inactivity checks for macOS and Windows
    • New inventory reports: local user accounts, connected USB devices, open listening ports, and browser extensions (Safari, Firefox, Chromium-family)

fleet-release previously approved these changes Apr 13, 2026
Add two new Fleet reports to collect browser extension/add-on inventories and register them in the workstations fleet config. New files: collect-safari-browser-extensions.yml (macOS-only, notes Full Disk Access requirement) and collect-firefox-browser-extensions.yml (darwin, linux, windows). Both run daily (interval: 86400), use snapshot logging, allow observer runs, and support related compliance mappings (NET-94, VPM-75, SOC2 CC 7.1).
@allenhouchins allenhouchins marked this pull request as ready for review April 28, 2026 15:24
Copilot AI review requested due to automatic review settings April 28, 2026 15:24
fleet-release previously approved these changes Apr 28, 2026

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai coderabbitai Bot (Contributor) commented Apr 28, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

Recent review info: reviewing files that changed from the base of the PR and between 5620ccb and 59c88e3.

  • it-and-security/fleets/workstations.yml (skipped from review as similar to previous changes)
Walkthrough

This change registers new compliance policies and reporting jobs in the workstation fleet config. Policies added: macOS (application firewall, Gatekeeper, SIP, remote login disabled, screen-lock inactivity, local-admin count), Windows (Secure Boot, Remote Desktop disabled, screen-lock timeout), and Linux (sshd PermitRootLogin restriction). Reports added: Chromium-family, Firefox, and Safari browser extensions; local user accounts and admin membership; connected USB devices; and listening TCP/UDP ports. workstations.yml was updated to reference the new policy and report YAML files.


🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check ⚠️ Warning
    Explanation: The PR description comprehensively documents what was added (policies and reports across macOS, Windows, and Linux), the business objective (compliance and monitoring), and references to compliance mappings. However, it does not follow the repository's PR description template, which requires checklists for code quality, testing, and compliance verification.
    Resolution: Complete the repository's PR description template by checking relevant boxes (e.g., input validation for SQL, testing, QA) and documenting compliance with applicable sections.

✅ Passed checks (4 passed)

  • Title check ✅ Passed: The PR title accurately and concisely summarizes the main change: adding multiple security policies and reports to the workstations configuration.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
it-and-security/lib/all/reports/collect-usb-devices.yml (1)

17-17: Harden the device filter for null/whitespace values.

Line 17 can be made more robust by normalizing nulls and trimming whitespace before comparison, which reduces noisy rows.

Suggested patch
-    WHERE vendor != '' OR model != '';
+    WHERE
+      COALESCE(TRIM(vendor), '') != ''
+      OR COALESCE(TRIM(model), '') != '';
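Review bot: the rewritten WHERE clause keeps the OR between vendor and model, so a row whose vendor is NULL or whitespace is still reported whenever model has a value (and vice versa); that only removes rows where both fields are blank, which is narrower than the "reduces noisy rows" motivation above suggests. If the intent is to drop any row missing either field, change OR to AND; if OR is intended, say so in the report description so readers do not expect both columns to be populated.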
Inline comments:
In `@it-and-security/lib/all/reports/collect-listening-ports.yml`:
- Line 15: The report currently snapshots raw process command lines via
p.cmdline which can expose secrets; remove p.cmdline from the collected fields
in the collect-listening-ports.yml rule (or move it behind an explicit
opt-in/exception flag) so command-line data is not captured by default; update
any comments/README in the rule to note how to request/enable cmdline capture
and, if you must keep it, implement a redaction or allowlist gating around
p.cmdline access in the same rule (refer to the p.cmdline field used in the
rule).

In `@it-and-security/lib/all/reports/collect-local-user-accounts.yml`:
- Around line 3-17: The description claims "interactive" accounts but the SQL
(the query selecting from users u and computing is_admin) returns all users; fix
by either narrowing the query (add an interactivity filter on users u — e.g.,
require interactive login shells or non-system uid range, or check a field like
u.shell) or by changing the human-readable text to remove "interactive" so it
accurately reflects the result; update the description text at the top or add a
WHERE clause to the SELECT that filters u for interactive accounts while keeping
the is_admin logic intact.

In `@it-and-security/lib/linux/policies/sshd-permitrootlogin-restricted.yml`:
- Around line 3-8: The current query only checks augeas entries with path =
'/etc/ssh/sshd_config' for label 'PermitRootLogin', so it misses drop-in files;
update the SELECT to search the augeas table for all relevant SSH config paths
(e.g., include '/etc/ssh/sshd_config.d/' files or any path that starts with
'/etc/ssh/sshd_config') when looking for label = 'PermitRootLogin' and value IN
('yes','true','1') so that settings in drop-in files are detected; locate the
check that references path = '/etc/ssh/sshd_config' and change it to cover all
parsed SSH config paths (using path LIKE or an IN-list for
'/etc/ssh/sshd_config' and '/etc/ssh/sshd_config.d/%').

Reviewing files that changed from the base of the PR and between 852ec6f and 89d969b.

📒 Files selected for processing (18)
  • it-and-security/fleets/workstations.yml
  • it-and-security/lib/all/reports/collect-chromium-browser-extensions.yml
  • it-and-security/lib/all/reports/collect-disk-encryption-status.yml
  • it-and-security/lib/all/reports/collect-firefox-browser-extensions.yml
  • it-and-security/lib/all/reports/collect-listening-ports.yml
  • it-and-security/lib/all/reports/collect-local-user-accounts.yml
  • it-and-security/lib/all/reports/collect-safari-browser-extensions.yml
  • it-and-security/lib/all/reports/collect-usb-devices.yml
  • it-and-security/lib/linux/policies/sshd-permitrootlogin-restricted.yml
  • it-and-security/lib/macos/policies/firewall-enabled.yml
  • it-and-security/lib/macos/policies/gatekeeper-enabled.yml
  • it-and-security/lib/macos/policies/local-admin-count-reasonable.yml
  • it-and-security/lib/macos/policies/remote-login-disabled.yml
  • it-and-security/lib/macos/policies/screen-lock-inactivity.yml
  • it-and-security/lib/macos/policies/sip-enabled.yml
  • it-and-security/lib/windows/policies/remote-desktop-disabled.yml
  • it-and-security/lib/windows/policies/screen-lock-timeout-configured.yml
  • it-and-security/lib/windows/policies/secure-boot-enabled.yml
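Two osquery queries, added here as examples and not part of the PR's own YAML files, showing how the sshd drop-in finding and the "interactive" accounts finding in the inline comments above could be addressed. They assume osquery's augeas, users, user_groups and groups tables, Fleet's convention that a policy passes when its query returns a row, macOS/Linux hosts, and that the augeas Sshd lens bundled with osquery parses /etc/ssh/sshd_config.d/*.conf.

```sql
-- Added example (not the PR's own YAML): Linux policy query that passes
-- (returns a row) only when no parsed sshd config enables root login,
-- including drop-in files under /etc/ssh/sshd_config.d/.
-- Assumption: the augeas Sshd lens bundled with osquery parses the drop-in
-- directory; if it does not, the LIKE branch simply matches nothing.
-- Caveat: sshd keeps the first value it reads, and Include lines usually sit
-- at the top of sshd_config, so flagging an enabling value anywhere is the
-- conservative choice. An absent directive defaults to prohibit-password,
-- which this query does not flag; add a check for that if "no" is required.
SELECT 1 WHERE NOT EXISTS (
  SELECT 1
  FROM augeas
  WHERE (path = '/etc/ssh/sshd_config'
         OR path LIKE '/etc/ssh/sshd_config.d/%')
    AND label = 'PermitRootLogin'
    AND LOWER(TRIM(value)) IN ('yes', 'true', '1')
);

-- Added example (not the PR's own YAML): macOS/Linux report query that lists
-- only interactive local accounts and flags admin group membership, so the
-- rows match a description that says "interactive".
-- Assumption: "interactive" means a non-system uid with a real login shell;
-- 500 is the first regular uid on macOS, 1000 on most Linux distributions,
-- and the upper bound excludes nobody/nfsnobody-style pseudo accounts.
SELECT
  u.uid,
  u.username,
  u.shell,
  CASE WHEN EXISTS (
    SELECT 1
    FROM user_groups ug
    JOIN groups g ON g.gid = ug.gid
    WHERE ug.uid = u.uid
      AND g.groupname IN ('admin', 'wheel', 'sudo')
  ) THEN 1 ELSE 0 END AS is_admin
FROM users u
WHERE u.uid >= 500
  AND u.uid < 60000
  AND u.shell NOT IN ('/usr/bin/false', '/bin/false',
                      '/usr/sbin/nologin', '/sbin/nologin');
```

Run each statement on its own with osqueryi before wiring it into a policy or report YAML; the admin group names and uid bounds are site assumptions to adjust per platform.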

Comment thread it-and-security/lib/all/reports/collect-listening-ports.yml, quoted context:

    p.pid,
    p.name AS process_name,
    p.path AS process_path,
    p.cmdline

@coderabbitai coderabbitai Bot (Contributor) left a comment
⚠️ Potential issue | 🟠 Major

Avoid snapshotting raw command lines by default.

Line 15 + Line 23 can store sensitive arguments (tokens, secrets, internal URLs) in snapshot logs across all workstations. Prefer excluding p.cmdline (or gating it behind a stricter exception flow).

Also applies to: 23-23


fleet-release previously approved these changes Apr 29, 2026
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
fleet-release previously approved these changes Apr 29, 2026
fleet-release previously approved these changes Apr 29, 2026
Updated resolution instructions for firewall enforcement.
fleet-release previously approved these changes Apr 29, 2026
Simplify and harmonize wording across multiple IT/security policy YAMLs: remove detailed compliance mappings, shorten descriptions, and standardize resolutions to note MDM enforcement and to restart/refetch when applicable. Add a consistent #help-it contact instruction in resolutions (and minor wording/format fixes). Affected files include macOS, Windows and Linux policy files (sshd-permitrootlogin-restricted, firewall-enabled, gatekeeper-enabled, local-admin-count-reasonable, remote-login-disabled, screen-lock-inactivity, sip-enabled, remote-desktop-disabled, screen-lock-timeout-configured, secure-boot-enabled).
fleet-release previously approved these changes Apr 29, 2026
@allenhouchins allenhouchins merged commit 3c8bf05 into main Apr 29, 2026
5 checks passed
@allenhouchins allenhouchins deleted the allenhouchins-compliance-reports-and-policies branch April 29, 2026 16:00
