Compliance Reporting
Auto-generate compliance reports for SOC 2, ISO 27001, and HIPAA.
Overview
Nefia's compliance reporting feature analyzes audit logs, configuration, and policy state to automatically assess compliance against major security frameworks.
Supported Frameworks
| Framework | Description |
|---|---|
| SOC 2 Type II | Internal controls for service organizations |
| ISO 27001:2022 | Information security management system |
| HIPAA | Technical safeguards for healthcare information (45 CFR 164.312) |
Report Generation
Table Output (Default)
```bash
nefia compliance report --framework soc2
```
Specifying a Period
```bash
# Relative period
nefia compliance report --framework iso27001 --period 90d
# Absolute period
nefia compliance report --framework hipaa --period 2026-01-01..2026-03-10
```
HTML Report
```bash
nefia compliance report --framework soc2 --format html --out report.html
```
JSON/YAML Output
```bash
nefia compliance report --framework soc2 --format json
nefia compliance report --framework iso27001 --format yaml
```
Evidence Collection
Reports automatically collect evidence from the following sources:
Audit Log Analysis
| Item | Description |
|---|---|
| Total records | Number of audit log entries within the period |
| Operation distribution | Count by operation type (exec, fs_read, fs_write, etc.) |
| Unique hosts/users | Number of accessed devices and operators |
| JIT operations | Request/approval/denial/revocation counts |
| Policy denials | Number of denied operations |
| HMAC verification | Hash chain integrity |
Configuration Assessment
| Item | Check |
|---|---|
| Audit logging | Enabled, HMAC signed, retention days |
| Policy | Enforce mode |
| VPN | Enabled |
| Device Lock | Enabled |
| JIT access | Enabled |
| SIEM integration | Configured |
| Alerts | Configured |
| Session recording | Configured |
Control Assessment
Each control is assessed with one of the following statuses:
| Status | Score | Description |
|---|---|---|
| pass | 1.0 | Fully compliant |
| partial | 0.5 | Partially compliant (gaps exist) |
| fail | 0.0 | Non-compliant |
| not_applicable | — | Not applicable (excluded from score calculation) |
Compliance score = (pass + partial × 0.5) / (total − not_applicable) × 100%, where pass, partial, total and not_applicable are the counts of controls with each status.
HTML Report Structure
HTML reports are self-contained and include the following sections:
- Header — Framework name, reporting period, generation date
- Summary grid — Compliance score (color-coded), number of controls
- Configuration table — Status of audit, policy, VPN, device lock, JIT, SIEM, etc.
- Control details — Each control's ID, name, category, status, evidence, gaps, and recommendations
Score color coding:
- 80% or above: Green
- 60% or above: Amber
- Below 60%: Red
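The score formula from the Control Assessment section and the color bands above, worked through as an added example (this is illustrative code, not Nefia's own implementation; the `Control` class, the sample control IDs and the handling of the all-not-applicable case are assumptions made here):

```python
from dataclasses import dataclass

# Score weights from the control-assessment table; not_applicable is excluded
WEIGHTS = {"pass": 1.0, "partial": 0.5, "fail": 0.0}


@dataclass
class Control:
    id: str        # hypothetical control ID, e.g. "C-1"
    status: str    # pass | partial | fail | not_applicable


def compliance_score(controls):
    """Return (pass + partial * 0.5) / (total - not_applicable) * 100.

    Returns None when every control is not_applicable (nothing to assess),
    rather than dividing by zero. Assumption: the page does not define this case.
    """
    applicable = [c for c in controls if c.status != "not_applicable"]
    if not applicable:
        return None
    for c in applicable:
        if c.status not in WEIGHTS:
            raise ValueError(f"unknown status {c.status!r} for control {c.id}")
    earned = sum(WEIGHTS[c.status] for c in applicable)
    return earned / len(applicable) * 100.0


def score_color(score):
    """Map a percentage to the HTML report's color bands (80 green, 60 amber)."""
    if score is None:
        return "n/a"
    if score >= 80:
        return "green"
    if score >= 60:
        return "amber"
    return "red"


# Constructed sample: 4 pass, 2 partial, 1 fail, 1 not_applicable
SAMPLE = [
    Control("C-1", "pass"), Control("C-2", "pass"),
    Control("C-3", "pass"), Control("C-4", "pass"),
    Control("C-5", "partial"), Control("C-6", "partial"),
    Control("C-7", "fail"), Control("C-8", "not_applicable"),
]

if __name__ == "__main__":
    s = compliance_score(SAMPLE)   # (4 + 2 * 0.5) / 7 * 100 = 71.43
    print(f"score={s:.2f}% color={score_color(s)}")
```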
Best Practices
- Automate regular report generation with a scheduler
- Share HTML reports with the audit team
- Improve configuration based on gaps and recommendations
- Set audit log retention periods to match framework requirements