AuditClaw Azure: Automated Compliance Evidence Collection - Openclaw Skills

Author: Internet

2026-04-14

AI Tutorials

What is AuditClaw Azure?

AuditClaw Azure is a companion skill built for the auditclaw-grc framework that enables automated security audits of Microsoft Azure subscriptions. Using a set of 12 read-only checks, the skill identifies configuration gaps across storage, network, identity and compute resources. As part of the Openclaw Skills ecosystem, it streamlines the evidence collection required by regulatory frameworks such as SOC2, ISO 27001 and HIPAA.

The skill puts security first by requiring only the Reader and Security Reader roles, so it never modifies your cloud environment. It integrates with a centralized database, allowing security teams to maintain a continuous compliance posture without manual intervention.

Download: https://github.com/openclaw/skills/tree/main/skills/mailnike/auditclaw-azure

Installation and Download

1. ClawHub CLI

The fastest way to install the skill directly from the source.

npx clawhub@latest install auditclaw-azure

2. Manual Installation

Copy the skill folder to one of the following locations:

Global mode: ~/.openclaw/skills/
Workspace: /skills/ under the workspace

Priority: workspace > local > built-in

3. Prompt Installation

Copy this prompt into OpenClaw to install automatically.

Please help me install auditclaw-azure using Clawhub. If Clawhub is not installed yet, install it first (npm i -g clawhub).

AuditClaw Azure Use Cases

  • Automated evidence collection for SOC2, ISO or HIPAA audits in Azure environments.
  • Continuous monitoring of Azure storage security, including TLS version and public access settings.
  • Identifying unrestricted SSH or RDP access in network security groups (NSGs).
  • Verifying Key Vault protection settings and SQL Server encryption status.
  • Auditing Microsoft Defender for Cloud coverage of critical subscription resources.

How AuditClaw Azure Works

  1. The skill initializes with DefaultAzureCredential, authenticating via a service principal, the Azure CLI or a managed identity.
  2. When invoked, the script runs 12 targeted checks covering seven main Azure service categories.
  3. The collected metadata and security findings are parsed into a standardized JSON format.
  4. Results are pushed automatically to the shared Openclaw Skills GRC database (compliance.sqlite).
  5. Detailed reports are mapped to specific control IDs for easy retrieval during audit reviews.

AuditClaw Azure Configuration Guide

To get started with this entry in the Openclaw Skills library, follow these steps:

  1. Install the dependencies:
     pip install -r scripts/requirements.txt
  2. Create an Azure service principal with Reader access:
     az ad sp create-for-rbac --name auditclaw-scanner --role Reader --scopes /subscriptions/
  3. Assign the Security Reader role so the scan can cover security settings:
     az role assignment create --assignee  --role "Security Reader" --scope /subscriptions/
  4. Configure your environment with the generated credentials (client ID, secret, tenant ID and subscription ID).

AuditClaw Azure Data Schema and Taxonomy

Data is organized in a local SQLite database, so all Openclaw Skills evidence is managed centrally. The schema includes:

Field Description
source Set to "azure" for all findings produced by this skill
type Classified as "automated" collection
control_id Mapped to the SOC2, ISO or HIPAA compliance framework
file_content Detailed JSON block containing the raw Azure resource configuration
description Human-readable summary of the security finding
name: auditclaw-azure
description: Azure compliance evidence collection for auditclaw-grc. 12 read-only checks across storage, NSG, Key Vault, SQL, compute, App Service, and Defender for Cloud.
version: 1.0.1
user-invocable: true
homepage: https://www.auditclaw.ai
source: https://github.com/avansaber/auditclaw-azure
metadata: {"openclaw":{"type":"executable","install":{"pip":"scripts/requirements.txt"},"requires":{"bins":["python3"],"env":["AZURE_SUBSCRIPTION_ID","AZURE_CLIENT_ID","AZURE_CLIENT_SECRET","AZURE_TENANT_ID"]}}}

AuditClaw Azure

Companion skill for auditclaw-grc. Collects compliance evidence from Azure subscriptions using read-only API calls.

12 checks | Reader + Security Reader roles only | Evidence stored in shared GRC database

Security Model

  • Read-only access: Requires only Reader + Security Reader roles (subscription-level). No write/modify permissions.
  • Credentials: Uses DefaultAzureCredential (service principal env vars, az login, or managed identity). No credentials stored by this skill.
  • Dependencies: Azure SDK packages (all pinned in requirements.txt)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • Azure credentials configured (service principal or az login)
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Commands

  • "Run Azure evidence sweep": Run all checks, store results in GRC database
  • "Check Azure storage security": Run storage-specific checks
  • "Check Azure network security": Run NSG checks
  • "Check Azure Key Vault": Run Key Vault checks
  • "Check Azure SQL compliance": Run SQL Server checks
  • "Check Azure VM encryption": Run compute checks
  • "Check Azure App Service": Run App Service checks
  • "Check Azure Defender": Run Defender for Cloud checks
  • "Show Azure integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:

python3 scripts/azure_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run specific checks:

python3 scripts/azure_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,network,keyvault

To list available checks:

python3 scripts/azure_evidence.py --list-checks

Check Categories (7 files, 12 findings)

Check What It Verifies
storage HTTPS-only transfer, TLS 1.2+, public blob access disabled, network default deny
network NSG no unrestricted SSH (port 22), no unrestricted RDP (port 3389)
keyvault Soft delete + purge protection enabled
sql Server auditing enabled, TDE encryption on all databases
compute VM disk encryption (encryption at host)
appservice HTTPS-only + TLS 1.2+
defender Defender plans enabled (Standard tier) for critical resource types

Authentication

Uses DefaultAzureCredential from azure-identity. Supports:

  • Service principal: AZURE_CLIENT_ID + AZURE_TENANT_ID + AZURE_CLIENT_SECRET
  • Azure CLI: az login
  • Managed identity (when running in Azure)

Minimum roles: Reader + Security Reader (subscription-level)

Evidence Storage

Each check produces evidence items stored with:

  • source: "azure"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result
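The following is an added example, not code from the auditclaw-azure skill, showing how the storage check from the category table above can be evaluated offline and shaped into the evidence fields listed here. It assumes a dict whose keys mirror the StorageAccount property names exposed by azure-mgmt-storage (enable_https_traffic_only, minimum_tls_version, allow_blob_public_access, network_rule_set.default_action), a constructed sample account, a placeholder control ID and a stand-in evidence table in an in-memory SQLite database.

```python
import json
import sqlite3

# Constructed sample account; keys mirror azure-mgmt-storage attribute names (assumed).
SAMPLE_STORAGE_ACCOUNT = {
    "name": "examplestorage01",
    "enable_https_traffic_only": True,
    "minimum_tls_version": "TLS1_0",
    "allow_blob_public_access": True,
    "network_rule_set": {"default_action": "Allow"},
}

# Placeholder only; the skill's real control mapping is not on this page.
CONTROL_ID = "CONTROL-ID-PLACEHOLDER"


def check_storage(account: dict) -> dict:
    """Evaluate the four settings the storage check covers; return a finding."""
    failures = []
    if not account.get("enable_https_traffic_only"):
        failures.append("https_only_disabled")
    if account.get("minimum_tls_version") != "TLS1_2":
        failures.append("tls_below_1_2")
    if account.get("allow_blob_public_access"):
        failures.append("public_blob_access_allowed")
    if account.get("network_rule_set", {}).get("default_action") != "Deny":
        failures.append("network_default_allow")
    return {"resource": account["name"], "status": "fail" if failures else "pass", "failures": failures}


def to_evidence(finding: dict) -> dict:
    """Shape a finding into the source/type/control_id/description/file_content fields."""
    summary = f"Storage account {finding['resource']}: {finding['status']} ({len(finding['failures'])} issue(s))"
    return {"source": "azure", "type": "automated", "control_id": CONTROL_ID,
            "description": summary, "file_content": json.dumps(finding, sort_keys=True)}


def store_evidence(conn: sqlite3.Connection, evidence: dict) -> int:
    """Insert one evidence row into a stand-in table (layout assumed, not the real schema)."""
    conn.execute("CREATE TABLE IF NOT EXISTS evidence (id INTEGER PRIMARY KEY, source TEXT, "
                 "type TEXT, control_id TEXT, description TEXT, file_content TEXT)")
    cur = conn.execute("INSERT INTO evidence (source, type, control_id, description, file_content) "
                       "VALUES (:source, :type, :control_id, :description, :file_content)", evidence)
    conn.commit()
    return cur.lastrowid


def run_sample() -> dict:
    """Run the check on the sample account, store it, and read the row back."""
    conn = sqlite3.connect(":memory:")
    finding = check_storage(SAMPLE_STORAGE_ACCOUNT)
    row_id = store_evidence(conn, to_evidence(finding))
    src, typ, content = conn.execute(
        "SELECT source, type, file_content FROM evidence WHERE id = ?", (row_id,)).fetchone()
    return {"finding": finding, "stored_source": src, "stored_type": typ,
            "stored_failures": json.loads(content)["failures"]}
```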

Setup Guide

When a user asks to set up Azure integration, guide them through these steps:

Step 1: Create Service Principal

az ad sp create-for-rbac --name auditclaw-scanner --role Reader --scopes /subscriptions/

Step 2: Add Security Reader Role

az role assignment create --assignee  --role "Security Reader" --scope /subscriptions/

Only 2 roles needed: Reader + Security Reader (subscription-level).

Step 3: Configure Credentials

Set environment variables from the service principal output:

  • AZURE_CLIENT_ID (appId)
  • AZURE_CLIENT_SECRET (password)
  • AZURE_TENANT_ID (tenant)
  • AZURE_SUBSCRIPTION_ID

Step 4: Verify Connection

Run: python3 {baseDir}/scripts/azure_evidence.py --test-connection

The exact roles are documented in scripts/azure-roles.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider azure
