# Device Posture

Evaluate target device security status (firewall, disk encryption) against policies.

## Overview
Device Posture collects security signals from target PCs and evaluates them against operator-defined policies. It checks the status of firewall activation and disk encryption, and controls connections to devices that do not meet the required criteria.
## How Evaluation Works

```text
nefia facts (collection)
├─ Firewall: enabled/disabled
└─ Disk Encryption: enabled/disabled
        ↓
posture.Checker (evaluation)
├─ Policy matching
├─ Pass → connection allowed
└─ Fail → warn (warning) or enforce (deny)
```

### Detection Methods by OS

On macOS, the following commands are used:

| Signal | Command | Detection Criteria |
|---|---|---|
| Firewall | `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` | Output contains "enabled" |
| Disk Encryption | `fdesetup status` | Output contains "FileVault is On" |
## CLI Commands

### Posture Check

```shell
nefia posture check          # Check all hosts
nefia posture check -t prod  # Check only the prod group
```

Output example:
| Host | Firewall | Disk Encryption | Status | Violations |
|---|---|---|---|---|
| web-01 | Yes | Yes | PASS | — |
| db-01 | Yes | No | FAIL | disk encryption is not enabled |
### View Policy

```shell
nefia posture policy
```

Displays the current configuration.
## Configuration

```yaml
posture:
  enabled: true
  mode: warn   # one of "off", "warn", "enforce"
  require_firewall: true
  require_disk_encryption: true
```

### Operating Modes

| Mode | Behavior |
|---|---|
| off | Disable posture evaluation |
| warn | Log violations as warnings; allow connections |
| enforce | Deny connections on violations |
## MCP Tool

AI agents can evaluate device posture programmatically via MCP:

| Tool | Description |
|---|---|
| `nefia.posture.check` | Evaluate device posture compliance for a host. Returns pass/fail status, violations, and remediation hints. |
See the MCP Protocol Reference for full parameter and response schemas.
## Integration with Connection Flow

Posture checks are executed by connmanager before establishing an SSH connection:

1. Retrieve the latest posture information from the host's `Meta.Posture` data
2. Evaluate it against the `PostureConfig` policy (`require_firewall`, `require_disk_encryption`)
3. In `enforce` mode, deny the connection if violations are found
4. In `warn` mode, output a warning and continue with the connection if violations are found
## Posture Data Collection

Posture data is automatically collected by the `nefia facts` command and stored in the host's metadata. The collection timestamp (`CollectedAt`) is also recorded, which makes it possible to detect decisions that would be based on stale data.
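The evaluation step of the connection flow and the staleness concern above, as an added example in Go (not nefia's own code): the `Posture` and `PostureConfig` types are hypothetical stand-ins modelled on the page's `Meta.Posture`, `CollectedAt` and `posture:` configuration, and the `maxAge` staleness bound is an assumption the page does not define.

```go
package main

import "time"

// Hypothetical types modelled on the page's Meta.Posture / CollectedAt and the
// `posture:` configuration block; they are not nefia's own definitions.
type Posture struct {
	FirewallEnabled, DiskEncryptionEnabled bool
	CollectedAt                            time.Time
}

type PostureConfig struct {
	Enabled, RequireFirewall, RequireDiskEncryption bool
	Mode                                            string // "off", "warn", "enforce"
}

// Evaluate returns the decision ("allow", "warn" or "deny") plus violations.
// maxAge is an assumed staleness bound: facts older than it count as a
// violation, so a connection is never allowed on the strength of stale data.
func Evaluate(cfg PostureConfig, p Posture, now time.Time, maxAge time.Duration) (string, []string) {
	if !cfg.Enabled || cfg.Mode == "off" {
		return "allow", nil
	}
	var violations []string
	if cfg.RequireFirewall && !p.FirewallEnabled {
		violations = append(violations, "firewall is not enabled")
	}
	if cfg.RequireDiskEncryption && !p.DiskEncryptionEnabled {
		violations = append(violations, "disk encryption is not enabled")
	}
	if now.Sub(p.CollectedAt) > maxAge {
		violations = append(violations, "posture data is stale")
	}
	switch {
	case len(violations) == 0:
		return "allow", nil
	case cfg.Mode == "enforce":
		return "deny", violations
	default: // warn: report the violations and let the connection proceed
		return "warn", violations
	}
}
```

In `warn` mode the caller logs the returned violations and continues; in `enforce` mode a `"deny"` result must abort the SSH connection before any session is opened.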