Initial support for CIS 5.1.1

[defensivedepth]

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
• Added support on fleet's osquery simulator cmd/osquery-perf for new osquery data ingestion features.
• Added/updated tests
• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
• If database migrations are included, checked table schema to confirm autoupdate
• For database migrations:
  • Checked schema for all modified table for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).
• Manual QA for all new/changed functionality
• For Orbit and Fleet Desktop changes:
  • Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (runtime.GOOS).
  • Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
  • Auto-update manual QA, from released version of component to new version (see tools/tuf/test).

osquery> SELECT * 
    ...> FROM find_cmd 
    ...> WHERE directory = '/System/Volumes/Data/Users' 
    ...>   AND type = 'd' 
    ...>   AND mindepth = '1' 
    ...>   AND maxdepth = '1' 
    ...>   AND not_perm = '700' 
    ...>   AND path NOT LIKE '%/Shared' 
    ...>   AND path NOT LIKE '%/Guest';
+----------------------------+------+------+----------+----------+----------+-------------------------------------+
| directory                  | type | perm | not_perm | MinDepth | MaxDepth | path                                |
+----------------------------+------+------+----------+----------+----------+-------------------------------------+
| /System/Volumes/Data/Users | d    |      | 700      | 1        | 1        | /System/Volumes/Data/Users/sysadmin |
+----------------------------+------+------+----------+----------+----------+-------------------------------------+

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.56%. Comparing base (1a3b89d) to head (b0f911c).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #24677      +/-   ##
==========================================
+ Coverage   63.55%   63.56%   +0.01%     
==========================================
  Files        1600     1601       +1     
  Lines      151494   151659     +165     
  Branches     3894     3894              
==========================================
+ Hits        96276    96409     +133     
- Misses      47559    47582      +23     
- Partials     7659     7668       +9     

Flag	Coverage Δ
backend	64.36% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sharon-fdm]

@defensivedepth, for some reason I see two copies of this policy.
here