fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add Fleet's CIS policies using best practice GitOps #17913

Open pacamaster opened 3 months ago

pacamaster commented 3 months ago

Goal

User story
As a security engineer using Fleet's best practice GitOps,
I want to add Fleet's CIS policies for CIS Benchmarks
so that I can get a CIS report w/o translating Fleet's CIS policies from fleetctl apply format.

Context

Changes

Change the best practice version to be GitOps compatible but maintain the fleetctl apply format for backward compatibility.

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 3 months ago

Thanks @pacamaster! I think this is an improvement that we should bring through feature fest.

I removed the bug label and added ~feature fest.

noahtalerman commented 3 months ago

Hey @pacamaster, heads up, we brought this into the upcoming design sprint (4.49).

noahtalerman commented 2 months ago

Hey @pacamaster, because this issue is in the current design sprint, I updated this issue to use the user story template.

I moved your original issue description here for safekeeping:

Fleet version: Fleet 4.47.3
Web browser and operating system: Current Stable Versions


💥  Actual behavior

When attempting to apply Windows CIS, I get an error.

Error: 1 error occurred:
  * failed to unmarshal policies file ../../ee/cis/win-11/cis-policy-queries.yml: error unmarshaling JSON: json: cannot unmarshal object into Go value of type []*spec.Policy

🧑‍💻  Steps to reproduce

  1. Wire up a reference to the CIS policies and commit the changes. Added to the policies of team teams/workstations-canary.yml with - path: ../../ee/cis/win-11/cis-policy-queries.yml
  2. Action kicks off during merge and errors out.

🕯️ More info (optional)

Looks like the CIS file contains some spec info that cannot be read by the action, which errors out.

🛠️ To fix

  • [ ] Note/document on https://fleetdm.com/docs/using-fleet/cis-benchmarks about how the Windows CIS policies work with GPO
  • [ ] Remove/update the spec from each policy
  • [ ] Continue to dogfood policies
  • [ ] Adjust policies to check SCP or something other than GPO
  • [ ] Create remediation custom setting profiles
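The unmarshal error quoted above is the shape mismatch behind this issue: the CIS file is in `fleetctl apply` form (one `apiVersion`/`kind`/`spec` document, an object), while the GitOps loader decodes into a list (`[]*spec.Policy`). As an added example, not Fleet's code, the loader below reproduces that failure in `StrictLoad` and shows the backward-compatible alternative the "Changes" section asks for: accept the GitOps list shape and also unwrap apply-style envelopes. The `Policy` type and field names are assumptions, and Fleet's YAML-to-JSON step is assumed, so input is given as JSON directly.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Policy: the field names are assumptions for this example, not Fleet's spec.Policy;
// encoding/json matches the lowercase JSON keys case-insensitively, so no tags are needed.
type Policy struct{ Name, Query, Platform string }
// envelope is the fleetctl-apply document shape: a kind plus a spec object.
type envelope struct {
	Kind string
	Spec *Policy
}
// StrictLoad decodes straight into a list, as the issue's error shows GitOps doing;
// one apply-style object at top level fails with "cannot unmarshal object into ... []*main.Policy".
func StrictLoad(data []byte) (out []*Policy, err error) {
	err = json.Unmarshal(data, &out)
	return out, err
}
// fromItem accepts a bare GitOps policy or an apply-style envelope (unwrapping .spec).
func fromItem(item json.RawMessage) (*Policy, error) {
	var env envelope
	if json.Unmarshal(item, &env) == nil && env.Kind == "policy" && env.Spec != nil {
		return env.Spec, nil
	}
	var p Policy
	if err := json.Unmarshal(item, &p); err != nil || p.Name == "" || p.Query == "" {
		return nil, fmt.Errorf("neither a GitOps policy nor an apply-style envelope (%v)", err)
	}
	return &p, nil
}
// LoadPolicies keeps the GitOps list shape and, for backward compatibility, also
// accepts apply-style envelopes, either listed or as a single top-level object.
func LoadPolicies(data []byte) ([]*Policy, error) {
	var items []json.RawMessage
	if json.Unmarshal(data, &items) != nil {
		items = []json.RawMessage{data} // not a list: treat the whole document as one item
	}
	out := make([]*Policy, 0, len(items))
	for i, item := range items {
		p, err := fromItem(item)
		if err != nil {
			return nil, fmt.Errorf("policy %d: %w", i, err)
		}
		out = append(out, p)
	}
	return out, nil
}
```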
noahtalerman commented 2 months ago

Hey @pacamaster, heads up, this didn't make the 3-week drafting => estimation timeline. Bringing it back to feature fest.