implementing-device-posture-assessment-in-zero-trust

在零信任访问控制中实施设备态势评估,将来自 CrowdStrike ZTA、Microsoft Intune 和 Jamf 的端点健康信号集成到条件访问策略中,在授予资源访问权限前强制执行合规性。

9 stars

Best use case

implementing-device-posture-assessment-in-zero-trust is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

在零信任访问控制中实施设备态势评估,将来自 CrowdStrike ZTA、Microsoft Intune 和 Jamf 的端点健康信号集成到条件访问策略中,在授予资源访问权限前强制执行合规性。

Teams using implementing-device-posture-assessment-in-zero-trust should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-device-posture-assessment-in-zero-trust Compares

Feature / Agentimplementing-device-posture-assessment-in-zero-trustStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

在零信任访问控制中实施设备态势评估,将来自 CrowdStrike ZTA、Microsoft Intune 和 Jamf 的端点健康信号集成到条件访问策略中,在授予资源访问权限前强制执行合规性。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 在零信任中实施设备态势评估

## 适用场景

- 将设备健康作为访问企业应用的前提条件时
- 将 CrowdStrike ZTA 评分、Intune 合规性或 Jamf 设备状态集成到访问决策时
- 实施 CISA 零信任成熟度模型设备支柱要求时
- 构建基于实时端点安全态势自适应的条件访问策略时
- 检测并阻断来自受损、未托管或不合规设备的访问时

**不适用于**无法运行态势 Agent 的物联网或无头设备、没有身份验证的独立安全控制,以及实时态势数据不可用而陈旧合规数据会产生虚假信任的场景。

## 前置条件

- 端点检测与响应(EDR):带 ZTA 模块的 CrowdStrike Falcon,或 Microsoft Defender for Endpoint
- 移动设备管理(MDM):Microsoft Intune、Jamf Pro 或 VMware Workspace ONE
- 身份提供商:具有条件访问能力的 Microsoft Entra ID、Okta 或 Ping Identity
- ZTNA 平台:Zscaler ZPA、Cloudflare Access、Palo Alto Prisma Access 或云原生 IAP
- EDR/MDM 平台的 API 访问权限,用于态势信号采集

## 工作流程

### 步骤 1:定义设备合规基线

为每个设备类别建立最低安全要求。

```powershell
# Microsoft Intune:通过 Graph API 创建设备合规策略
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Windows 10/11 合规策略
$compliancePolicy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName = "Zero Trust - Windows Compliance"
    description = "零信任访问的最低设备要求"
    osMinimumVersion = "10.0.19045"
    bitLockerEnabled = $true
    secureBootEnabled = $true
    codeIntegrityEnabled = $true
    tpmRequired = $true
    antivirusRequired = $true
    antiSpywareRequired = $true
    defenderEnabled = $true
    firewallEnabled = $true
    passwordRequired = $true
    passwordMinimumLength = 12
    passwordRequiredType = "alphanumeric"
    storageRequireEncryption = $true
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType = "block"
                    gracePeriodHours = 24
                    notificationTemplateId = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy

# 通过 Jamf Pro API 设置 macOS 合规策略
curl -X POST "https://jamf.company.com/api/v1/compliance-policies" \
  -H "Authorization: Bearer ${JAMF_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Zero Trust - macOS Compliance",
    "rules": [
      {"type": "os_version", "operator": ">=", "value": "14.0"},
      {"type": "filevault_enabled", "value": true},
      {"type": "firewall_enabled", "value": true},
      {"type": "gatekeeper_enabled", "value": true},
      {"type": "sip_enabled", "value": true},
      {"type": "auto_update_enabled", "value": true},
      {"type": "screen_lock_timeout", "operator": "<=", "value": 300},
      {"type": "falcon_sensor_running", "value": true}
    ]
  }'
```

### 步骤 2:配置 CrowdStrike 零信任评估

启用 ZTA 评分并配置访问层级的评分阈值。

```bash
# CrowdStrike Falcon API:查询所有端点的 ZTA 评分
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/entities/assessments/v1?ids=${DEVICE_AID}" \
  -H "Authorization: Bearer ${CS_TOKEN}" \
  -H "Content-Type: application/json"

# 响应包含:
# {
#   "aid": "device-agent-id",
#   "assessment": {
#     "overall": 82,
#     "os": 90,
#     "sensor_config": 85,
#     "version": "7.14.16703"
#   },
#   "assessment_items": {
#     "os_signals": [
#       {"signal_id": "firmware_protection", "meets_criteria": "yes"},
#       {"signal_id": "disk_encryption", "meets_criteria": "yes"},
#       {"signal_id": "kernel_protection", "meets_criteria": "yes"}
#     ],
#     "sensor_signals": [
#       {"signal_id": "sensor_version", "meets_criteria": "yes"},
#       {"signal_id": "prevention_policies", "meets_criteria": "yes"}
#     ]
#   }
# }

# 定义访问层级的 ZTA 评分阈值
# 第 1 层(基本访问):      ZTA >= 50
# 第 2 层(标准访问):      ZTA >= 65
# 第 3 层(敏感访问):      ZTA >= 80
# 第 4 层(关键访问):      ZTA >= 90

# 查询低于最低阈值的设备
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/queries/assessments/v1?filter=assessment.overall:<50" \
  -H "Authorization: Bearer ${CS_TOKEN}"

# CrowdStrike ZTA 评估的信号:
# - 操作系统补丁级别和版本
# - 磁盘加密(BitLocker/FileVault)
# - 传感器版本和配置
# - 防护策略执行
# - 固件保护(Secure Boot)
# - 内核保护(SIP、Code Integrity)
# - 防火墙状态
```

### 步骤 3:将设备态势与 Entra ID 条件访问集成

创建要求合规设备的条件访问策略。

```powershell
# 创建要求合规设备的条件访问策略
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$caPolicy = @{
    displayName = "Zero Trust - Require Compliant Device"
    state = "enabled"
    conditions = @{
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeUsers = @("All")
            excludeGroups = @("BreakGlass-Admins-Group-ID")
        }
        platforms = @{
            includePlatforms = @("all")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        signInFrequency = @{
            value = 4
            type = "hours"
            isEnabled = $true
            authenticationType = "primaryAndSecondaryAuthentication"
            frequencyInterval = "timeBased"
        }
        persistentBrowser = @{
            mode = "never"
            isEnabled = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 创建基于设备合规性和登录风险的风险策略
$riskPolicy = @{
    displayName = "Zero Trust - Block High Risk Sign-Ins on Non-Compliant Devices"
    state = "enabled"
    conditions = @{
        applications = @{ includeApplications = @("All") }
        users = @{ includeUsers = @("All") }
        signInRiskLevels = @("high", "medium")
        devices = @{
            deviceFilter = @{
                mode = "include"
                rule = "device.isCompliant -ne True"
            }
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```

### 步骤 4:配置 Okta 设备信任与 CrowdStrike 集成

使用 CrowdStrike 态势信号设置 Okta 设备信任策略。

```bash
# Okta:配置 CrowdStrike 设备信任集成
# 管理控制台 > 安全 > 设备集成 > 添加集成

# Okta API:创建设备保障策略
curl -X POST "https://company.okta.com/api/v1/device-assurances" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Corporate Device Assurance",
    "platform": "WINDOWS",
    "osVersion": {
      "minimum": "10.0.19045"
    },
    "diskEncryptionType": {
      "include": ["ALL_INTERNAL_VOLUMES"]
    },
    "screenLockType": {
      "include": ["BIOMETRIC", "PASSCODE"]
    },
    "secureHardwarePresent": true,
    "thirdPartySignalProviders": {
      "dtc": {
        "browserVersion": {
          "minimum": "120.0"
        },
        "builtInDnsClientEnabled": true,
        "chromeRemoteDesktopAppBlocked": true,
        "crowdStrikeCustomerId": "CS_CUSTOMER_ID",
        "crowdStrikeAgentId": "REQUIRED",
        "crowdStrikeVerifiedState": {
          "include": ["RUNNING"]
        }
      }
    }
  }'

# 创建带设备保障的 Okta 认证策略
curl -X POST "https://company.okta.com/api/v1/policies" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Zero Trust Application Policy",
    "type": "ACCESS_POLICY",
    "conditions": null,
    "rules": [
      {
        "name": "Managed Device Access",
        "conditions": {
          "device": {
            "assurance": {
              "include": ["DEVICE_ASSURANCE_POLICY_ID"]
            },
            "managed": true,
            "registered": true
          },
          "people": {
            "groups": {"include": ["EMPLOYEES_GROUP_ID"]}
          }
        },
        "actions": {
          "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
              "factorMode": "1FA",
              "type": "ASSURANCE"
            }
          }
        }
      },
      {
        "name": "Unmanaged Device - Block",
        "conditions": {
          "device": { "managed": false }
        },
        "actions": {
          "appSignOn": { "access": "DENY" }
        }
      }
    ]
  }'
```

### 步骤 5:实施持续态势监控

设置实时监控设备合规状态变化。

```python
#!/usr/bin/env python3
"""实时监控设备态势合规漂移。"""

import requests
import time
import json
from datetime import datetime, timezone

CROWDSTRIKE_BASE = "https://api.crowdstrike.com"
INTUNE_BASE = "https://graph.microsoft.com/v1.0"

def get_cs_token(client_id: str, client_secret: str) -> str:
    resp = requests.post(f"{CROWDSTRIKE_BASE}/oauth2/token", data={
        "client_id": client_id,
        "client_secret": client_secret
    })
    return resp.json()["access_token"]

def get_low_zta_devices(token: str, threshold: int = 50) -> list:
    resp = requests.get(
        f"{CROWDSTRIKE_BASE}/zero-trust-assessment/queries/assessments/v1",
        headers={"Authorization": f"Bearer {token}"},
        params={"filter": f"assessment.overall:<{threshold}", "limit": 100}
    )
    return resp.json().get("resources", [])

def get_intune_noncompliant(token: str) -> list:
    resp = requests.get(
        f"{INTUNE_BASE}/deviceManagement/managedDevices",
        headers={"Authorization": f"Bearer {token}"},
        params={
            "$filter": "complianceState eq 'noncompliant'",
            "$select": "id,deviceName,userPrincipalName,complianceState,lastSyncDateTime,operatingSystem"
        }
    )
    return resp.json().get("value", [])

def check_posture_drift(cs_token: str, intune_token: str):
    print(f"\n[{datetime.now(timezone.utc).isoformat()}] 设备态势检查")
    print("=" * 60)

    low_zta = get_low_zta_devices(cs_token, threshold=50)
    print(f"CrowdStrike ZTA < 50:{len(low_zta)} 台设备")

    noncompliant = get_intune_noncompliant(intune_token)
    print(f"Intune 不合规:{len(noncompliant)} 台设备")

    for device in noncompliant[:10]:
        print(f"  - {device['deviceName']} ({device['userPrincipalName']}): "
              f"{device['complianceState']} | 上次同步:{device['lastSyncDateTime']}")

    return {"low_zta_count": len(low_zta), "noncompliant_count": len(noncompliant)}
```

## 核心概念

| 术语 | 定义 |
|------|------|
| 设备态势(Device Posture)| 在授予访问权限前评估的端点安全属性集合(操作系统版本、加密、EDR 状态、补丁级别)|
| CrowdStrike ZTA 评分 | CrowdStrike Falcon 根据操作系统信号和传感器配置计算端点安全态势的数值评分(1-100)|
| 设备合规策略 | MDM 定义的规则,指定设备必须满足的最低安全要求(加密、PIN、操作系统版本)|
| 条件访问(Conditional Access)| 在允许访问前评估用户身份、设备合规性、位置和风险的策略引擎(Entra ID、Okta)|
| 设备信任(Device Trust)| 验证端点已托管、已注册且满足安全基线,然后将其视为受信任设备 |
| 态势漂移(Posture Drift)| 设备安全态势随时间退化(补丁过期、加密被禁用),应触发访问撤销 |

## 工具与系统

- **CrowdStrike Falcon ZTA**:基于操作系统和传感器安全信号的实时端点态势评分
- **Microsoft Intune**:执行设备合规策略并向 Entra ID 条件访问报告的 MDM 平台
- **Jamf Pro**:适用于 macOS 和 iOS 端点的 Apple 设备管理,含合规规则
- **Microsoft Entra ID 条件访问**:使用 Intune 合规性和风险信号进行访问决策的策略引擎
- **Okta 设备信任**:与 CrowdStrike、Chrome Enterprise 和 MDM 平台集成的设备保障策略
- **Cloudflare 设备态势**:基于 WARP 客户端的磁盘加密、操作系统版本和第三方 EDR 态势检查

## 常见场景

### 场景:为 2000 台 Windows 和 macOS 端点强制执行设备合规

**场景背景**:一家拥有 2000 台端点(70% Windows、30% macOS)的医疗公司必须在允许访问患者数据系统前强制执行符合 HIPAA 的设备态势。设备由 Intune(Windows)和 Jamf(macOS)管理,所有端点均已部署 CrowdStrike Falcon。

**方法**:
1. 在 Intune 中定义 Windows 合规策略:BitLocker、Secure Boot、TPM、Defender 已启用,操作系统 >= 10.0.19045
2. 在 Jamf 中定义 macOS 合规策略:FileVault、Gatekeeper、SIP、防火墙,操作系统 >= 14.0
3. 配置 CrowdStrike ZTA 阈值:通用应用 >= 70,患者数据系统 >= 85
4. 创建 Entra ID 条件访问策略,要求所有云应用使用合规设备 + MFA
5. 为新不合规设备配置 24 小时宽限期,在封锁前提供修复时间
6. 为 IT 设置每周合规报告,显示不合规设备和修复措施
7. 通过 Intune 实施自动化修复:推送 BitLocker 启用、部署待处理补丁

**常见陷阱**:宽限期必须足够长以便 IT 修复,但又要足够短以限制风险敞口。CrowdStrike ZTA 评分可能随传感器更新而波动;初始阶段避免设置过于激进的阈值。BYOD 设备可能缺乏 MDM 注册;为未托管设备提供功能受限的单独浏览器访问路径。

## 输出格式

```
设备态势评估报告
==================================================
组织:HealthCorp
报告日期:2026-02-23
托管设备总数:2,000

平台合规情况:
  Windows(1,400 台设备):
    合规:              1,302(93.0%)
    不合规:               98(7.0%)
    主要问题:缺失补丁(45)、BitLocker 已禁用(23)

  macOS(600 台设备):
    合规:                567(94.5%)
    不合规:               33(5.5%)
    主要问题:操作系统过旧(18)、FileVault 已禁用(8)

CROWDSTRIKE ZTA 评分:
  平均评分:              78.4
  设备 >= 85(关键级):  1,456(72.8%)
  设备 >= 70(标准级):  1,812(90.6%)
  设备 < 50(已封锁):      34(1.7%)

条件访问影响(过去 7 天):
  总登录尝试:           45,678
  因态势被封锁:            312(0.7%)
  24 小时内已修复:         289(92.6%)
  仍不合规:                 23

态势漂移告警:
  加密已禁用:               5
  EDR 传感器已停止:          3
  操作系统已降级:            1
```

Related Skills

performing-wireless-security-assessment-with-kismet

9
from killvxk/cybersecurity-skills-zh

使用 Kismet 通过被动射频监控进行无线网络安全评估,检测流氓接入点(Rogue AP)、隐藏 SSID、弱加密和未授权客户端。

performing-threat-landscape-assessment-for-sector

9
from killvxk/cybersecurity-skills-zh

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

performing-ssl-tls-security-assessment

9
from killvxk/cybersecurity-skills-zh

使用 sslyze Python 库评估 SSL/TLS 服务器配置,评估加密套件、证书链、协议版本、HSTS 头部,以及 Heartbleed 和 ROBOT 等已知漏洞。

performing-scada-hmi-security-assessment

9
from killvxk/cybersecurity-skills-zh

对 SCADA 人机界面(HMI, Human-Machine Interface)系统进行安全评估,识别基于 Web 的 HMI、瘦客户端配置、认证机制以及 HMI 与 PLC 之间通信信道中的漏洞,符合 IEC 62443 和 NIST SP 800-82 指南要求。

performing-privilege-escalation-assessment

9
from killvxk/cybersecurity-skills-zh

在已入侵的 Linux 和 Windows 系统上执行权限提升评估,识别从低权限访问到 root 或 SYSTEM 级别控制的路径。 测试人员枚举错误配置、存在漏洞的服务、内核漏洞、SUID 二进制文件、未加引号的服务路径和凭据存储, 以演示初始入侵的完整影响。适用于权限提升测试、本地漏洞利用、后渗透提权或操作系统级安全评估等请求场景。

performing-power-grid-cybersecurity-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖对电力电网基础设施进行网络安全评估,包括发电设施、输电变电站、配电系统和能源管理系统(EMS)控制中心。涉及NERC CIP合规性验证、变电站自动化安全、IEC 61850协议分析、同步相量(PMU)网络安全,以及Industroyer/CrashOverride等攻击所展示的针对电网运营的独特威胁格局。

performing-physical-intrusion-assessment

9
from killvxk/cybersecurity-skills-zh

通过尾随、门禁卡克隆、锁具绕过和流氓设备部署,执行授权的物理渗透测试,以评估设施安全控制措施的有效性。

performing-ot-vulnerability-assessment-with-claroty

9
from killvxk/cybersecurity-skills-zh

本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。

performing-ot-network-security-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖对运营技术(OT)网络(包括SCADA系统、DCS架构和工业控制系统通信路径)进行全面安全评估。内容涉及Purdue参考模型各层、识别IT/OT融合风险、评估区域间防火墙规则,以及映射工业协议流量(Modbus、DNP3、OPC UA、EtherNet/IP),以检测关键基础设施中的错误配置、未授权连接和攻击面。

performing-oil-gas-cybersecurity-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖针对石油和天然气设施(包括上游探采、中游管道运输和下游炼化分销)进行网络安全评估。内容涉及控制管道运营的SCADA系统、炼厂过程控制DCS、危险工艺安全仪表系统、无人井口现场RTU,以及对API 1164、TSA管道安全指令、IEC 62443和NIST网络安全框架关键基础设施合规性评估。

performing-nist-csf-maturity-assessment

9
from killvxk/cybersecurity-skills-zh

NIST 网络安全框架(CSF)2.0 于 2024 年 2 月发布,通过六个核心功能提供管理网络安全风险的综合分类体系:治理、识别、保护、检测、响应和恢复。本技能涵盖对 CSF 进行成熟度评估。

performing-mobile-device-forensics-with-cellebrite

9
from killvxk/cybersecurity-skills-zh

使用 Cellebrite UFED 和开源工具获取和分析移动设备数据,提取通信记录、位置数据和应用程序制品。