You can create new Fixlets to check these types of compliance. The first thing you should do is check to see if you already have a Fixlet in your BigFix Compliance content, such as the Checklist sites for DISA STIG or CIS.
Here are a couple of samples of these inspectors to get you started.
q: (trustee of it, generic read permission of it, generic execute permission of it, list permission of it, grant type of it) of entries of dacl of security descriptor of system folder
A: NT SERVICE\TrustedInstaller, True, True, True, True
A: NT SERVICE\TrustedInstaller, False, False, False, True
A: NT AUTHORITY\SYSTEM, True, True, True, True
A: NT AUTHORITY\SYSTEM, False, False, False, True
A: BUILTIN\Administrators, True, True, True, True
A: BUILTIN\Administrators, False, False, False, True
A: BUILTIN\Users, True, True, True, True
A: BUILTIN\Users, False, False, False, True
A: CREATOR OWNER, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, False, False, False, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, True, True, True, True
A: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES, False, False, False, True
T: 7.999 ms
I: plural ( security identifier, boolean, boolean, boolean, boolean )
This would check to see if BUILTIN\Users was granted the Generic Write permission on the System folder.
q: exists entries whose (account name of trustee of it = "BUILTIN\Users" and generic write permission of it and grant type of it) of dacl of security descriptor of system folder
A: False
T: 2.778 ms
I: singular Boolean
This post has some guidance around SACL instead of DACL, but the concept is the same:
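Added example, not part of the original post and not BigFix content: a PowerShell cross-check you can run on a single endpoint to confirm what the DACL relevance above reports. It goes a little further than the sample query by flagging both the raw generic write/all bits and the specific file-system write rights granted to BUILTIN\Users. It assumes that "system folder" corresponds to `[Environment]::SystemDirectory`, and matches the trustee by its well-known SID (S-1-5-32-545) so the check also works on localized Windows.

```powershell
# Added example: endpoint-side cross-check of the "BUILTIN\Users has write on system folder" relevance.
# Assumption: the BigFix "system folder" is the directory returned by [Environment]::SystemDirectory.
$path     = [Environment]::SystemDirectory
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

# Generic access bits. FileSystemRights has no names for these, so they show up as raw numbers.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

# Specific rights that allow changing the folder's contents or its security descriptor.
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$acl = Get-Acl -LiteralPath $path

# Ask for explicit and inherited rules, with trustees returned as SIDs instead of account names.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow')        { continue }   # same idea as "grant type of it"
    if ($ace.IdentityReference.Value -ne $usersSid) { continue }

    $mask    = [int]$ace.FileSystemRights
    $reasons = @()
    if ($mask -band $GENERIC_WRITE) { $reasons += 'GENERIC_WRITE' }
    if ($mask -band $GENERIC_ALL)   { $reasons += 'GENERIC_ALL' }
    if ($mask -band $writeRights)   { $reasons += 'specific write right' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            RightsHex   = '0x{0:X8}' -f $mask
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
            Reason      = $reasons -join ', '
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write-capable allow ACE for $usersSid on $path"
}
```

An empty result here should line up with the `False` answer from the relevance query; the Propagation column shows whether a flagged entry applies to the folder itself or only to child objects.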