Endpoint Protection
All machines on campus are required to comply with the Endpoint Protection Standard, defined in official university policy as RUL 08.00.18. A summary of each control is copied here for convenience, but all compliance certifications should follow the official policy linked above.
Most of these controls can be applied using the community Puppet code compliance and authentication profiles, but many controls must be enabled via Hiera. Though some controls are only required on endpoints which contain sensitive data, it is recommended to deploy these controls to all endpoints where it is feasible to do so.
Anti-malware and Antivirus Software
Status: Fully Implemented
This requirement specifies that all endpoints must employ software which scans for viruses and malware. The community Puppet code implements this control via the “endpoint_security” control on the compliance profile.
Application Control
Status: Partially Implemented
This requirement states that all endpoints with Red and/or Purple data must implement a control which limits the ability to execute software to a list of “known-good” applications. The community Puppet code minimally implements this control via the “blocking_packages” control on the compliance profile, but currently only implements a deny-list of known bad packages which are disallowed from being installed via the package manager.
Authentication
Status: Fully Implemented
This requirement states that all endpoints must limit access to the device to authenticated users. The community Puppet code implements this control via the “auth” profile, which configures the machine to authenticate users via Active Directory, and optionally limit access to specific users or groups.
Data Discovery and Protection
Status: Adhoc
This requirement states that all endpoints must comply with the Data Management Regulation defined in REG 08.00.03. Enforcement of this requirement requires more process than technical enforcement, and there is no overall enforcement available in the community Puppet code.
Encrypted Network Communication
Status: Adhoc
This requirement states that all endpoints with Yellow, Red, and/or Purple data must ensure that encryption protocols are used when accessing campus resources from outside the NC State network or over any unencrypted wireless network. Enforcement of this requirement varies by application, and there is no overall enforcement available in the community Puppet code.
Full Disk Encryption
Status: Not Implemented
This requirement states that all endpoints with Yellow, Red, and/or Purple data must implement full disk encryption for local storage, along with protection and escrow of the encryption keys. There is not yet a supported implementation for this control in the community Puppet code.
Host-based Firewall
Status: Fully Implemented
This requirement states that all endpoints implement a firewall which denies all inbound traffic by default. The community Puppet code implements this control via the “firewall” profile, which configures the local firewall via firewalld.
Least Privilege Access
Status: Fully Implemented
This requirement states that all endpoints with Yellow, Red, and/or Purple data must implement limits on user permissions so that users are granted only the minimum permissions required to do their work. The community Puppet code implements this control via the “auth” profile, which configures the machine to grant elevated privileges to users/groups via the sudo command, including limiting elevated access to specific commands.
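As an added example (not part of the community Puppet code or the standard), the following POSIX shell audit checks whether a sudoers configuration actually limits elevated access to specific commands: it flags any user or group specification whose command list is the bare word ALL. The sudoers text is a constructed sample; it assumes one rule per line and does not expand Cmnd_Alias definitions.

```shell
# Constructed sample sudoers text: one rule that limits the admins group to
# specific commands (as the auth profile is described to do) and one that
# grants unrestricted root to the wheel group.
SAMPLE_SUDOERS='
# comment line, ignored by the audit
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
%admins ALL=(root) SERVICES, /usr/bin/journalctl
%wheel  ALL=(ALL) NOPASSWD: ALL
'

# audit_sudoers TEXT: print every user/group specification whose command list
# contains the bare word ALL (i.e. unrestricted root). Returns 1 if any such
# rule was found, 0 otherwise. Assumption: no backslash line continuations,
# and ALL hidden behind a Cmnd_Alias is not detected (aliases are not expanded).
audit_sudoers() {
  printf '%s\n' "$1" \
    | sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' \
    | grep -v -E '^[[:space:]]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)' \
    | awk '
      {
        # the part after the first "=" holds (runas), optional tags, and commands
        idx = index($0, "=");
        if (idx == 0) next;
        rhs = substr($0, idx + 1);
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", rhs);  # drop "(runas)"
        gsub(/[A-Z]+:[[:space:]]*/, "", rhs);               # drop NOPASSWD: etc.
        n = split(rhs, cmds, "[[:space:]]*,[[:space:]]*");
        for (i = 1; i <= n; i++) {
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmds[i]);
          if (cmds[i] == "ALL") { print $0; found = 1; break }
        }
      }
      END { exit found ? 1 : 0 }'
}

# count_unrestricted TEXT: number of offending rules, for reporting.
count_unrestricted() {
  audit_sudoers "$1" | wc -l | tr -d ' '
}

# Run against the sample; on a real host use: audit_sudoers "$(cat /etc/sudoers)"
audit_sudoers "$SAMPLE_SUDOERS"
```

Reading /etc/sudoers (and the files under /etc/sudoers.d) requires root, so the audit is best run from the same privileged context that applies the Puppet configuration.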
Software Inventory
Status: Fully Implemented
This requirement states that all endpoints must maintain an inventory of operating system and software version information. The community Puppet code minimally implements this control via the “inventory” control on the compliance profile, which allows the ServiceNow CMDB system to take inventory of the machine.
Web Reputation Filtering
Status: Adhoc
This requirement states that all endpoints must protect users from browsing known bad websites, whether via a local browser configuration, the operating system, or a network service. The default configurations of major browsers and/or the proxy used by machines in the datacenter fulfill this requirement, and there is no specific code in the community Puppet code for this control.