GitLab reconciles the established device inventory against the enterprise log repository quarterly; devices which do not forward security configurations are remediated.
This control helps to close the loop between device inventory information and production logs. If all production systems are sending the appropriate logs, there should be parity between the device inventory GitLab collects and the logs generated from those systems. This control is meant to be a check on the "Configuration Check" control. This reconciliation ensures that every system that should be forwarding security configuration information actually is.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
Security configurations for endpoints can be collected using, for example, endpoint management tools such as Fleetsmith.
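One way to check the parity described above, as an added example rather than GitLab's own tooling: it compares an inventory export with the newest security-configuration log event per host and reports gaps in both directions. The input shapes, the short-hostname matching, the seven-day staleness threshold and the sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def normalize(host):
    """Match on the lowercase short hostname, so 'Web-01.example.internal' equals 'web-01'.
    Assumption: short names are unique across the environment."""
    return host.strip().lower().split(".")[0]


def reconcile(inventory, log_last_seen, now, max_age=timedelta(days=7)):
    """Compare the device inventory with the log repository.

    inventory:     iterable of hostnames from the device inventory
    log_last_seen: {hostname: datetime of its newest security-configuration event}
    max_age:       assumed staleness threshold, not a value taken from the control
    """
    inv = {normalize(h) for h in inventory}
    seen = {}
    for host, ts in log_last_seen.items():
        key = normalize(host)
        # Two spellings of one host may both appear; keep the newest event.
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return {
        # In inventory, never seen in the log repository: remediate forwarding.
        "missing": sorted(h for h in inv if h not in seen),
        # In inventory, but forwarding stopped longer ago than max_age.
        "stale": sorted(h for h in inv if h in seen and now - seen[h] > max_age),
        # Logging, but absent from inventory: the inventory itself is incomplete.
        "unknown": sorted(h for h in seen if h not in inv),
    }


# Constructed sample data (not real hosts).
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
INVENTORY = ["web-01.example.internal", "DB-01", "laptop-a12", "cache-02"]
LOG_LAST_SEEN = {
    "web-01": NOW - timedelta(hours=2),
    "db-01.example.internal": NOW - timedelta(days=30),
    "laptop-a12": NOW - timedelta(days=1),
    "build-99": NOW - timedelta(hours=5),
}

if __name__ == "__main__":
    for finding, hosts in reconcile(INVENTORY, LOG_LAST_SEEN, NOW).items():
        print(f"{finding}: {hosts}")
```

The "unknown" list matters as much as the other two: a host that logs but is not inventoried means the inventory cannot be trusted as the baseline for this check.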
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the control issue.
Examples of evidence an auditor might request to satisfy this control: