Add security policies and reports to Workstations

it-and-security/fleets/workstations.yml

@@ -119,6 +119,12 @@ policies:
   - path: ../lib/macos/policies/install-nudge.yml
   - path: ../lib/macos/policies/patch-fleet-maintained-apps.yml
   - path: ../lib/macos/policies/battery-health-check.yml
+  - path: ../lib/macos/policies/firewall-enabled.yml
+  - path: ../lib/macos/policies/gatekeeper-enabled.yml
+  - path: ../lib/macos/policies/sip-enabled.yml
+  - path: ../lib/macos/policies/remote-login-disabled.yml
+  - path: ../lib/macos/policies/screen-lock-inactivity.yml
+  - path: ../lib/macos/policies/local-admin-count-reasonable.yml
   # Windows policies
   - path: ../lib/windows/policies/antivirus-signatures-up-to-date.yml
   - path: ../lib/windows/policies/all-windows-updates-installed.yml
@@ -129,15 +135,25 @@ policies:
   - path: ../lib/windows/policies/patch-fleet-maintained-apps.yml
   - path: ../lib/windows/policies/battery-health-check.yml
   - path: ../lib/windows/policies/windows-defender-compliance-check.yml
+  - path: ../lib/windows/policies/secure-boot-enabled.yml
+  - path: ../lib/windows/policies/remote-desktop-disabled.yml
+  - path: ../lib/windows/policies/screen-lock-timeout-configured.yml
   # Linux policies
   - path: ../lib/linux/policies/disk-encryption-check.yml
   - path: ../lib/linux/policies/disk-space-check.yml
   - path: ../lib/linux/policies/check-fleet-desktop-extension-enabled.yml
+  - path: ../lib/linux/policies/sshd-permitrootlogin-restricted.yml
 reports:
   - path: ../lib/macos/reports/detect-apple-intelligence.yml
   - path: ../lib/macos/reports/collect-santa-denied-logs.yml
   - path: ../lib/macos/reports/collect-macos-27-incompatible-apps.yml
   - path: ../lib/all/reports/dex-queries.yml
+  - path: ../lib/all/reports/collect-local-user-accounts.yml
+  - path: ../lib/all/reports/collect-usb-devices.yml
+  - path: ../lib/all/reports/collect-chromium-browser-extensions.yml
+  - path: ../lib/all/reports/collect-safari-browser-extensions.yml
+  - path: ../lib/all/reports/collect-firefox-browser-extensions.yml
+  - path: ../lib/all/reports/collect-listening-ports.yml
 software:
   packages:
     # macOS apps

it-and-security/lib/all/reports/collect-chromium-browser-extensions.yml

@@ -0,0 +1,22 @@
+- name: Collect Chromium-family browser extensions
+  description: |-
+    Extension inventory across Chrome, Edge, Brave, and other Chromium-based profiles.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+  query: |-
+    SELECT
+      u.username,
+      ce.browser_type,
+      ce.name,
+      ce.identifier,
+      ce.version,
+      ce.profile,
+      ce.path,
+      ce.permissions
+    FROM users u
+    INNER JOIN chrome_extensions ce USING (uid)
+    WHERE ce.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-firefox-browser-extensions.yml

@@ -0,0 +1,27 @@
+- name: Collect Firefox browser extensions
+  description: |-
+    Add-on/extension inventory across Firefox profiles for all users.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+  query: |-
+    SELECT
+      u.username,
+      fa.name,
+      fa.identifier,
+      fa.creator,
+      fa.type,
+      fa.version,
+      fa.description,
+      fa.source_url,
+      fa.active,
+      fa.disabled,
+      fa.autoupdate,
+      fa.location,
+      fa.path
+    FROM users u
+    INNER JOIN firefox_addons fa USING (uid)
+    WHERE fa.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-listening-ports.yml

@@ -0,0 +1,24 @@
+- name: Collect listening TCP/UDP ports
+  description: |-
+    Processes listening on network ports for anomaly detection and firewall reviews.
+    Maps to **NET-91** / ISO **A.8.20**, **MON-121** / **A.8.16**, and SOC2 **CC 6.6** / **CC 7.2**.
+  query: |-
+    SELECT
+      lp.port,
+      lp.protocol,
+      lp.family,
+      lp.address,
+      lp.path AS unix_socket_path,
+      p.pid,
+      p.name AS process_name,
+      p.path AS process_path,
+      p.cmdline
+    FROM listening_ports lp
+    LEFT JOIN processes p ON lp.pid = p.pid
+    WHERE lp.port > 0
+    ORDER BY lp.port;
+  interval: 3600
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-local-user-accounts.yml

@@ -0,0 +1,22 @@
+- name: Collect local user accounts and admin membership
+  description: |-
+    Inventory of local user accounts with admin-equivalent membership for access reviews.
+    Maps to Vanta **AST-66** / ISO **A.5.9** (asset inventory), **IAC-200** / **A.5.18** (access rights), and **IAC-201** / **A.8.2** (privileged access).
+  query: |-
+    SELECT
+      u.uid,
+      u.username,
+      u.uuid,
+      CASE WHEN EXISTS (
+        SELECT 1
+        FROM user_groups ug
+        INNER JOIN groups g ON ug.gid = g.gid
+        WHERE ug.uid = u.uid
+          AND g.groupname IN ('admin', 'Administrators', 'sudo', 'wheel')
+      ) THEN 'yes' ELSE 'no' END AS is_admin
+    FROM users u;
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux,windows

it-and-security/lib/all/reports/collect-safari-browser-extensions.yml

@@ -0,0 +1,24 @@
+- name: Collect Safari browser extensions
+  description: |-
+    Extension inventory across Safari profiles for all macOS users.
+    Supports **NET-94** / ISO **A.8.23** (web/content exposure), **VPM-75** / **A.8.8** (vulnerability management), and SOC2 **CC 7.1**.
+    Note: Safari data is isolated per macOS user, so osquery requires Full Disk Access to read it. See https://fleetdm.com/guides/enroll-hosts#grant-full-disk-access-to-osquery-on-macos.
+  query: |-
+    SELECT
+      u.username,
+      se.name,
+      se.identifier,
+      se.version,
+      se.sdk,
+      se.description,
+      se.path,
+      se.bundle_version,
+      se.copyright
+    FROM users u
+    INNER JOIN safari_extensions se USING (uid)
+    WHERE se.name != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin

it-and-security/lib/all/reports/collect-usb-devices.yml

@@ -0,0 +1,22 @@
+- name: Collect connected USB devices
+  description: |-
+    USB devices currently attached to the host (useful for removable media and exfiltration visibility).
+    Maps to Vanta **AST-70** / ISO **A.7.10** (storage media), **CRY-3** / SOC2 **CC 6.7**, and **DCH-112** / **A.8.12** (data leakage prevention).
+    Note: `usb_devices` is available on macOS and Linux only in Fleet’s schema.
+  query: |-
+    SELECT
+      usb_address,
+      usb_port,
+      vendor,
+      vendor_id,
+      model,
+      model_id,
+      serial,
+      version
+    FROM usb_devices
+    WHERE vendor != '' OR model != '';
+  interval: 86400
+  observer_can_run: true
+  automations_enabled: false
+  logging: snapshot
+  platform: darwin,linux

it-and-security/lib/linux/policies/sshd-permitrootlogin-restricted.yml

@@ -0,0 +1,17 @@
+- name: Linux - SSH PermitRootLogin not set to yes
+  query: |-
+    SELECT 1 WHERE NOT EXISTS (
+      SELECT 1 FROM augeas
+      WHERE (path = '/etc/ssh/sshd_config' OR path LIKE '/etc/ssh/sshd_config.d/%')
+        AND label = 'PermitRootLogin'
+        AND value IN ('yes', 'true', '1')
+    );
+  critical: false
+  description: |-
+    Passes if sshd_config (including any drop-in files in /etc/ssh/sshd_config.d/) does not set PermitRootLogin to yes (absent or set to no/prohibit-password/without-password is OK).
+    Requires the augeas osquery table and augeas lenses on the host.
+  resolution: |-
+    Set `PermitRootLogin no` (or `prohibit-password`) in `/etc/ssh/sshd_config`, ensure no drop-in file in `/etc/ssh/sshd_config.d/` overrides it with `yes`, then restart `sshd`.
+
+    If you need help, please reach out in #help-it.
+  platform: linux

it-and-security/lib/macos/policies/firewall-enabled.yml

@@ -0,0 +1,9 @@
+- name: macOS - Application firewall enabled
+  query: SELECT 1 FROM alf WHERE global_state >= 1;
+  critical: false
+  description: |-
+    Verifies the macOS Application Layer Firewall is on (global_state 1 = enabled, 2 = enabled blocking all inbound).
+  resolution: |-
+    Firewall should be automatically enforced by MDM. If this fails, restart the Mac and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/gatekeeper-enabled.yml

@@ -0,0 +1,9 @@
+- name: macOS - Gatekeeper enabled
+  query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
+  critical: false
+  description: |-
+    Verifies Gatekeeper is enabled so only trusted software runs.
+  resolution: |-
+    Gatekeeper should be automatically enforced by MDM. If this fails, restart the Mac and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/local-admin-count-reasonable.yml

@@ -0,0 +1,17 @@
+- name: macOS - Local admin accounts within limit
+  query: |-
+    SELECT 1 WHERE (
+      SELECT COUNT(DISTINCT u.uid)
+      FROM users u
+      INNER JOIN user_groups ug ON u.uid = ug.uid
+      INNER JOIN groups g ON ug.gid = g.gid
+      WHERE g.groupname = 'admin'
+    ) <= 5;
+  critical: false
+  description: |-
+    Flags Macs with more than five distinct users in the local `admin` group (review for over-privileged accounts).
+  resolution: |-
+    Review local administrators in  > System Settings > Users & Groups. Remove unnecessary admin rights and use a standard user account day-to-day.
+
+    If you need help, please reach out in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/remote-login-disabled.yml

@@ -0,0 +1,10 @@
+- name: macOS - Remote Login (SSH) disabled
+  query: SELECT 1 FROM sharing_preferences WHERE CAST(remote_login AS INTEGER) = 0;
+  critical: false
+  description: |-
+    Workstations should not accept inbound SSH (Remote Login).
+  resolution: |-
+    Turn off Remote Login in  > System Settings > General > Sharing > Remote Login.
+
+    If you need help, please reach out in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/screen-lock-inactivity.yml

@@ -0,0 +1,34 @@
+- name: macOS - Screen lock after inactivity (15 minutes or less)
+  query: |-
+    SELECT 1 WHERE EXISTS (
+      SELECT 1
+      FROM managed_policies
+      WHERE domain = 'com.apple.screensaver'
+        AND name = 'askForPasswordDelay'
+        AND CAST(value AS INTEGER) <= 60
+      LIMIT 1
+    )
+    AND EXISTS (
+      SELECT 1
+      FROM managed_policies
+      WHERE domain = 'com.apple.screensaver'
+        AND name = 'idleTime'
+        AND CAST(value AS INTEGER) >= 1
+        AND CAST(value AS INTEGER) <= 900
+      LIMIT 1
+    )
+    AND EXISTS (
+      SELECT 1
+      FROM managed_policies
+      WHERE domain = 'com.apple.screensaver'
+        AND name = 'askForPassword'
+        AND (value = 1 OR value = '1')
+      LIMIT 1
+    );
+  critical: false
+  description: |-
+    Verifies the Mac requires a password to wake from the screen saver and starts the screen saver after 15 minutes or less of inactivity.
+  resolution: |-
+    Screen lock should be automatically enforced by MDM. If this fails, restart the Mac and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: darwin

it-and-security/lib/macos/policies/sip-enabled.yml

@@ -0,0 +1,8 @@
+- name: macOS - System Integrity Protection enabled
+  query: SELECT 1 FROM sip_config WHERE config_flag = 'sip' AND enabled = 1;
+  critical: true
+  description: |-
+    Verifies System Integrity Protection (SIP) is enabled.
+  resolution: |-
+    System Integrity Protection (SIP) should never be disabled on managed Macs. If this policy is failing, drop a note in #help-it immediately.
+  platform: darwin

it-and-security/lib/windows/policies/remote-desktop-disabled.yml

@@ -0,0 +1,14 @@
+- name: Windows - Remote Desktop disabled
+  query: |-
+    SELECT 1 FROM registry
+    WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server'
+      AND name = 'fDenyTSConnections'
+      AND data = '1';
+  critical: false
+  description: |-
+    Workstations should deny inbound Remote Desktop connections unless explicitly exempted.
+  resolution: |-
+    Disable Remote Desktop in Settings > System > Remote Desktop.
+
+    If you need an exception or this is failing unexpectedly, please reach out in #help-it.
+  platform: windows

it-and-security/lib/windows/policies/screen-lock-timeout-configured.yml

@@ -0,0 +1,14 @@
+- name: Windows - Interactive logon screen lock timeout configured
+  query: |-
+    SELECT 1 FROM registry
+    WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      AND name = 'InactivityTimeoutSecs'
+      AND CAST(data AS INTEGER) > 0
+      AND CAST(data AS INTEGER) <= 900;
+  critical: false
+  description: |-
+    Verifies the screen lock inactivity timeout is set to 15 minutes or less.
+  resolution: |-
+    Screen lock timeout should be automatically enforced by MDM. If this fails, restart your device and refetch in Fleet Desktop.
+    If it still fails, drop a note in #help-it.
+  platform: windows

it-and-security/lib/windows/policies/secure-boot-enabled.yml

@@ -0,0 +1,12 @@
+- name: Windows - Secure Boot enabled
+  query: |-
+    SELECT 1 FROM registry
+    WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
+      AND name = 'UEFISecureBootEnabled'
+      AND data = '1';
+  critical: false
+  description: |-
+    Verifies UEFI Secure Boot is enabled.
+  resolution: |-
+    Enable Secure Boot in firmware (UEFI) settings. On managed PCs, please reach out in #help-it before changing firmware options.
+  platform: windows