Companion skill for auditclaw-grc. Collects compliance evidence from Google Workspace and Okta identity providers using read-only API calls.
8 checks | Read-only API access | Evidence stored in shared GRC database
admin.directory.user.readonly scope only. Okta uses okta.users.read, okta.factors.read, okta.policies.read scopes only. No write/modify permissions.~/.openclaw/grc/compliance.sqlite via auditclaw-grcpip install -r scripts/requirements.txtGOOGLE_WORKSPACE_SA_KEY: Path to service account JSON fileGOOGLE_WORKSPACE_ADMIN_EMAIL: Super admin email to impersonateOKTA_ORG_URL: Okta organization URL (e.g., https://mycompany.okta.com)OKTA_API_TOKEN: Okta API tokenAll evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite
via the auditclaw-grc skill's db_query.py script.
To run a full evidence sweep (all configured providers):
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all
To run checks for a specific provider:
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider google
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider okta
To run specific checks:
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks google_mfa,okta_mfa
| Check | Provider | What It Verifies |
|---|---|---|
| ------- | ---------- | ----------------- |
| google_mfa | Google Workspace | All active users have 2SV enrolled + enforced |
| google_admins | Google Workspace | Super admin count 2-4, all with 2SV |
| google_inactive | Google Workspace | No active users with lastLoginTime > 90 days |
| google_passwords | Google Workspace | All users have passwordStrength == "STRONG" |
| okta_mfa | Okta | All active users have at least 1 MFA factor enrolled |
| okta_passwords | Okta | Password policy: minLength>=12, history>=5, maxAttempts<=5, maxAge<=90 |
| okta_inactive | Okta | No active users with lastLogin > 90 days |
| okta_sessions | Okta | MFA required, session lifetime <= 12h, idle <= 1h |
Each check produces evidence items stored with:
source: "idp"type: "automated"control_id: Mapped to relevant SOC2/ISO/NIST/HIPAA controlsdescription: Human-readable finding summaryfile_content: JSON details of the check resultAuditClaw supports two identity providers. Configure one or both.
Step 1: Enable Admin SDK API
Go to Google Cloud Console → APIs & Services → Library → Enable "Admin SDK API"
Step 2: Create Service Account
IAM & Admin → Service Accounts → Create. Enable domain-wide delegation.
Step 3: Grant OAuth Scopes
In Google Admin → Security → API controls → Domain-wide delegation, add the service account with:
https://www.googleapis.com/auth/admin.directory.user.readonlyhttps://www.googleapis.com/auth/admin.reports.audit.readonlyStep 4: Set Environment Variables
Step 1: Create API Token
Okta Admin → Security → API → Tokens → Create Token. Name: auditclaw-scanner
Step 2: Required Permissions
The token inherits the creating admin's permissions. Needs read access to: users, factors, policies.
Scopes: okta.users.read, okta.factors.read, okta.policies.read
Step 3: Set Environment Variables
Run: python3 {baseDir}/scripts/idp_evidence.py --test-connection
The exact permissions are documented in scripts/idp-permissions.json. Show with:
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider idp
共 1 个版本