AuditClaw Azure
Companion skill for auditclaw-grc. Collects compliance evidence from Azure subscriptions using read-only API calls.
12 checks | Reader + Security Reader roles only | Evidence stored in shared GRC database

Security Model
Read-only access: Requires only the Reader + Security Reader roles (subscription-level). No write/modify permissions.
Credentials: Uses DefaultAzureCredential (service principal env vars, az login, or managed identity). No credentials are stored by this skill.
Dependencies: Azure SDK packages (all pinned in requirements.txt).
Data flow: Check results are stored as evidence in ~/.OpenClaw/grc/compliance.sqlite via auditclaw-grc.

Prerequisites
Azure credentials configured (service principal or az login)
pip install -r scripts/requirements.txt
auditclaw-grc skill installed and initialized

Commands
"Run Azure evidence sweep": Run all checks, store results in GRC database
"Check Azure storage security": Run storage-specific checks
"Check Azure network security": Run NSG checks
"Check Azure Key Vault": Run Key Vault checks
"Check Azure SQL compliance": Run SQL Server checks
"Check Azure VM encryption": Run compute checks
"Check Azure App Service": Run App Service checks
"Check Azure Defender": Run Defender for Cloud checks
"Show Azure integration health": Last sync, errors, evidence count

Usage
All evidence is stored in the shared GRC database at ~/.OpenClaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.
To run a full evidence sweep:
python3 scripts/azure_evidence.py --db-path ~/.OpenClaw/grc/compliance.sqlite --all
To run specific checks:
python3 scripts/azure_evidence.py --db-path ~/.OpenClaw/grc/compliance.sqlite --checks storage,network,keyvault
To list available checks:
python3 scripts/azure_evidence.py --list-checks
Check Categories (7 files, 12 findings)
Check | What It Verifies
storage | HTTPS-only transfer, TLS 1.2+, public blob access disabled, network default deny
network | NSG: no unrestricted SSH (port 22), no unrestricted RDP (port 3389)
keyvault | Soft delete + purge protection enabled
sql | Server auditing enabled, TDE encryption on all databases
compute | VM disk encryption (encryption at host)
appservice | HTTPS-only + TLS 1.2+
defender | Defender plans enabled (Standard tier) for critical resource types

Authentication
Uses DefaultAzureCredential from azure-identity. Supports:
Service principal: AZURE_CLIENT_ID + AZURE_TENANT_ID + AZURE_CLIENT_SECRET
Azure CLI: az login
Managed identity (when running in Azure)
Minimum roles: Reader + Security Reader (subscription-level)
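The following is an added example, not one of the skill's own scripts, showing how the storage, network and keyvault rows of the Check Categories table above can be evaluated and turned into evidence items carrying the fields listed in the Evidence Storage section that follows. The resource dicts use azure-mgmt SDK attribute names (enable_https_traffic_only, minimum_tls_version, security_rules, and so on), which is an assumption about how the real script reads SDK objects; the control_id mapping and all sample resources are constructed so the code runs offline.

```python
"""Added example, not the skill's own scripts: evaluates the storage, network and
keyvault checks from the Check Categories table and emits evidence items with the
fields listed under Evidence Storage. Resource dicts use azure-mgmt SDK attribute
names (an assumption); all sample data is constructed so this runs offline."""
import json

# Hypothetical control mapping; the real control_id values live in the skill.
CONTROL_IDS = {
    "storage-https-only": "SOC2-CC6.7", "storage-min-tls": "SOC2-CC6.7",
    "storage-public-blob": "SOC2-CC6.1", "storage-network-default-deny": "SOC2-CC6.6",
    "nsg-open-ssh": "SOC2-CC6.6", "nsg-open-rdp": "SOC2-CC6.6",
    "keyvault-soft-delete": "ISO-A.8.13", "keyvault-purge-protection": "ISO-A.8.13",
}
ANY_SOURCE = {"*", "Internet", "Any", "0.0.0.0/0"}   # NSG source prefixes meaning "everyone"
ACCEPTED_TLS = {"TLS1_2"}   # TLS 1.2 or newer; extend if the SDK exposes newer enum values


def evidence(check_id, resource_id, passed, detail=None):
    """Build one evidence item in the shape the Evidence Storage section lists."""
    body = {"check": check_id, "resource": resource_id, "passed": passed, **(detail or {})}
    return {"source": "azure", "type": "automated", "control_id": CONTROL_IDS[check_id],
            "description": f"{check_id}: {'PASS' if passed else 'FAIL'} for {resource_id}",
            "file_content": json.dumps(body, sort_keys=True)}


def passed_flags(items):
    """Extract the pass/fail flag from each item's file_content JSON."""
    return [json.loads(i["file_content"])["passed"] for i in items]


def check_storage(account):
    """HTTPS-only, TLS 1.2+, public blob access disabled, network default deny."""
    rid, tls = account["id"], account.get("minimum_tls_version")
    default_action = (account.get("network_rule_set") or {}).get("default_action")
    return [
        evidence("storage-https-only", rid, account.get("enable_https_traffic_only") is True),
        evidence("storage-min-tls", rid, tls in ACCEPTED_TLS, {"minimum_tls_version": tls}),
        evidence("storage-public-blob", rid, account.get("allow_blob_public_access") is False),
        evidence("storage-network-default-deny", rid, default_action == "Deny",
                 {"default_action": default_action}),
    ]


def _port_in_range(port, spec):
    """'*' matches every port, '22' one port, '20-30' an inclusive range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_decides_internet(rule, port):
    """True when an inbound TCP rule with an any-source prefix covers this port."""
    ports = rule.get("destination_port_ranges") or [rule.get("destination_port_range", "*")]
    sources = rule.get("source_address_prefixes") or [rule.get("source_address_prefix", "*")]
    return (rule.get("direction") == "Inbound" and rule.get("protocol") in ("Tcp", "*")
            and any(_port_in_range(port, p) for p in ports)
            and any(s in ANY_SOURCE for s in sources))


def port_open_to_internet(nsg, port):
    """Walk rules in priority order (lowest number wins); the first any-source rule
    covering the port decides. Narrower sources neither allow nor block Internet
    traffic and partial CIDR overlaps are not modelled (simplification). With no
    match, Azure's built-in DenyAllInBound rule applies."""
    for rule in sorted(nsg.get("security_rules", []), key=lambda r: r["priority"]):
        if _rule_decides_internet(rule, port):
            return rule["access"] == "Allow"
    return False


def check_nsg(nsg):
    """No unrestricted SSH (22) or RDP (3389) from the Internet."""
    rid = nsg["id"]
    return [evidence("nsg-open-ssh", rid, not port_open_to_internet(nsg, 22), {"port": 22}),
            evidence("nsg-open-rdp", rid, not port_open_to_internet(nsg, 3389), {"port": 3389})]


def check_keyvault(vault):
    """Soft delete and purge protection both enabled (None counts as not enabled)."""
    rid, props = vault["id"], vault.get("properties") or {}
    return [evidence("keyvault-soft-delete", rid, props.get("enable_soft_delete") is True),
            evidence("keyvault-purge-protection", rid, props.get("enable_purge_protection") is True)]


# Constructed sample resources with a placeholder subscription id.
RG = "/subscriptions/<SUB_ID>/resourceGroups/rg-demo/providers/"
SAMPLE_STORAGE = {"id": RG + "Microsoft.Storage/storageAccounts/stdemo",
                  "enable_https_traffic_only": True, "minimum_tls_version": "TLS1_0",
                  "allow_blob_public_access": False, "network_rule_set": {"default_action": "Allow"}}
SAMPLE_NSG = {"id": RG + "Microsoft.Network/networkSecurityGroups/nsg-demo", "security_rules": [
    {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "source_address_prefix": "*", "destination_port_range": "22"},            # SSH open to all
    {"priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "source_address_prefix": "10.0.0.0/8", "destination_port_range": "3389"},  # RDP, private range only
]}
SAMPLE_VAULT = {"id": RG + "Microsoft.KeyVault/vaults/kv-demo",
                "properties": {"enable_soft_delete": True, "enable_purge_protection": None}}

if __name__ == "__main__":
    for item in check_storage(SAMPLE_STORAGE) + check_nsg(SAMPLE_NSG) + check_keyvault(SAMPLE_VAULT):
        print(item["description"])
```

Two points worth noting for anyone adapting this: a Key Vault whose purge protection attribute is unset fails the check rather than being skipped, because the finding should record the absent setting, and the NSG walk evaluates rules by priority so a low-numbered Deny rule correctly overrides a later Allow.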
Evidence Storage
Each check produces evidence items stored with:
source: "azure"
type: "automated"
control_id: Mapped to the relevant SOC2/ISO/HIPAA controls
description: Human-readable finding summary
file_content: JSON details of the check result

Setup Guide
When a user asks to set up Azure integration, guide them through these steps:

Step 1: Create Service Principal
az ad sp create-for-rbac --name auditclaw-scanner --role Reader --scopes /subscriptions/

Step 2: Add Security Reader role
az role assignment create --assignee <APP_ID> --role "Security Reader" --scope /subscriptions/
Only 2 roles are needed: Reader + Security Reader (subscription-level).

Step 3: Configure credentials
Set environment variables from the service principal output:
AZURE_CLIENT_ID (appId)
AZURE_CLIENT_SECRET (password)
AZURE_TENANT_ID (tenant)
AZURE_SUBSCRIPTION_ID

Step 4: Verify Connection
Run: python3 {baseDir}/scripts/azure_evidence.py --test-connection
The exact roles are documented in scripts/azure-roles.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider azure
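As an added example, not part of the skill, here is an offline pre-flight for Steps 3 and 4 above. It checks that the four environment variables are present and well-formed, then compares the scanner principal's role assignments with the documented minimum (Reader + Security Reader at subscription scope) and flags anything broader or at a different scope. The assignments are expected as the parsed JSON of `az role assignment list --assignee <APP_ID> -o json`; the field names roleDefinitionName and scope are an assumption about that output, and the sample environment and assignments are constructed.

```python
"""Added example, not the skill's own scripts: an offline pre-flight for Steps 3
and 4 of the setup guide. Field names roleDefinitionName and scope are an
assumption about `az role assignment list` JSON output; sample data is constructed."""
import re

REQUIRED_ENV = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID", "AZURE_SUBSCRIPTION_ID")
EXPECTED_ROLES = {"Reader", "Security Reader"}   # the only two roles the skill needs
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_env(env):
    """Return a list of problems with the credential environment (empty means OK)."""
    problems = [f"{name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    for name in ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_SUBSCRIPTION_ID"):
        if env.get(name) and not GUID.match(env[name]):
            problems.append(f"{name} does not look like a GUID")
    return problems


def check_role_assignments(assignments, subscription_id):
    """Compare the principal's assignments with the documented minimum.
    Returns (missing, unexpected): roles still to be granted at subscription scope,
    and any assignment outside Reader/Security Reader at that scope, which either
    widens the blast radius (e.g. Contributor, or a management-group scope) or will
    not satisfy the subscription-level requirement (e.g. a resource-group scope)."""
    sub_scope = f"/subscriptions/{subscription_id}"
    held, unexpected = set(), []
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role in EXPECTED_ROLES and scope == sub_scope:
            held.add(role)
        else:
            unexpected.append((role, scope))
    return sorted(EXPECTED_ROLES - held), unexpected


def preflight(env, assignments):
    """Everything a --test-connection style step can report before any Azure API
    call is made. Returns a list of human-readable findings (empty means OK)."""
    findings = check_env(env)
    if not findings:
        missing, unexpected = check_role_assignments(assignments, env["AZURE_SUBSCRIPTION_ID"])
        findings += [f"missing role at subscription scope: {r}" for r in missing]
        findings += [f"unexpected assignment: {r} at {s}" for r, s in unexpected]
    return findings


# Constructed sample: a principal that was granted Contributor instead of Security Reader.
SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_ENV = {"AZURE_CLIENT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
              "AZURE_CLIENT_SECRET": "<redacted>",
              "AZURE_TENANT_ID": "99999999-8888-7777-6666-555555555555",
              "AZURE_SUBSCRIPTION_ID": SUB}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    # Real use would pass os.environ and json.load() of the az CLI output instead.
    for line in preflight(SAMPLE_ENV, SAMPLE_ASSIGNMENTS) or ["preflight OK"]:
        print(line)
```

Running this before the real `--test-connection` step turns a vague authentication failure into a specific message, and it catches the common over-provisioning mistake where someone grants Contributor "to be safe" to a scanner that only needs read access.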