From okta-inspector
Evaluates Okta configurations for compliance with FedRAMP/NIST/SOC2/PCI controls, checking password/MFA policies, session timeouts, admin factors, and inactive users.
npx claudepluginhub grcengclub/claude-grc-engineering --plugin okta-inspector

This skill uses the workspace's default tool permissions.
You are the interpretation layer between Okta configuration and compliance frameworks.
Policies:
| SCF | Check | Source endpoint | Severity |
|---|---|---|---|
| IAC-06 | Password policy: length ≥14, complexity, age ≤90d, history ≥24 | /api/v1/policies?type=PASSWORD | high |
| IAC-01.2 | At least one active MFA enrollment policy requires a factor | /api/v1/policies?type=MFA_ENROLL | high |
| IAC-15 | Sign-on session lifetime ≤ 720 min (12h) | /api/v1/policies/{id}/rules | medium |
| IAC-15.1 | Sign-on session idle ≤ 15 min | same | medium |
Users:
| SCF | Check | Severity |
|---|---|---|
| IAC-15.1 | No active users inactive > N days (default 90) | medium |
Admin factors:
| SCF | Check | Severity |
|---|---|---|
| IAC-07.1 | ≤5 super admins | medium |
| IAC-01.2 | Every super admin has ≥1 active MFA factor | critical |
| IAC-01.3 | Every super admin has ≥2 active MFA factors (backup) | high |
Okta's default password policy is lenient (minLength=8, no maximum age, no history). Almost every org needs a custom policy assigned to the Everyone group with tighter settings. The FedRAMP Moderate baseline is minLength=14, complexity on, age=60d, history=24. The fix is usually straightforward but requires admin access to Okta.
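As an added example (not the connector's own code), the IAC-06 row above can be evaluated in a few lines against an Okta PASSWORD policy document. Field names follow Okta's documented Password Policy object (settings.password.complexity.* and settings.password.age.*); the two policy documents are constructed samples, and the "complexity on" requirement is interpreted here as the number of required character classes, which is an assumption on my part.

```python
"""IAC-06: evaluate an Okta PASSWORD policy against a compliance baseline.

The policy documents below are constructed samples shaped like Okta's
Password Policy object; they are not real API responses.
"""
from dataclasses import dataclass

# Constructed sample mirroring Okta's lenient default: minLength=8, no age, no history.
DEFAULT_POLICY = {
    "id": "00p-constructed-default",  # placeholder id
    "name": "Default Policy",
    "type": "PASSWORD",
    "status": "ACTIVE",
    "settings": {"password": {
        "complexity": {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 0, "excludeUsername": True},
        "age": {"maxAgeDays": 0, "expireWarnDays": 0, "minAgeMinutes": 0, "historyCount": 0},
    }},
}

# Constructed sample tightened to the FedRAMP Moderate values quoted in the text.
HARDENED_POLICY = {
    "id": "00p-constructed-hardened",  # placeholder id
    "name": "FedRAMP Moderate Password Policy",
    "type": "PASSWORD",
    "status": "ACTIVE",
    "settings": {"password": {
        "complexity": {"minLength": 14, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 1, "excludeUsername": True},
        "age": {"maxAgeDays": 60, "expireWarnDays": 7, "minAgeMinutes": 120, "historyCount": 24},
    }},
}


@dataclass(frozen=True)
class PasswordBaseline:
    min_length: int
    max_age_days: int   # upper bound; Okta encodes "never expires" as maxAgeDays=0
    history_count: int
    char_classes: int   # assumption: how many of lower/upper/number/symbol must be required


BASELINES = {
    # FedRAMP Moderate per the text: 14 / 60d / 24; the table's generic check: 14 / 90d / 24.
    "fedramp-moderate": PasswordBaseline(14, 60, 24, 4),
    "generic": PasswordBaseline(14, 90, 24, 3),
}


def evaluate_password_policy(policy: dict, baseline: PasswordBaseline) -> dict:
    """Return {check_name: (passed, detail)} for the IAC-06 sub-checks."""
    pw = policy.get("settings", {}).get("password", {})
    cx = pw.get("complexity", {})
    age = pw.get("age", {})

    min_len = cx.get("minLength", 0)
    classes = sum(1 for k in ("minLowerCase", "minUpperCase", "minNumber", "minSymbol")
                  if cx.get(k, 0) >= 1)
    max_age = age.get("maxAgeDays", 0)
    history = age.get("historyCount", 0)

    return {
        "length": (min_len >= baseline.min_length,
                   f"minLength={min_len}, need >= {baseline.min_length}"),
        "complexity": (classes >= baseline.char_classes,
                       f"{classes} character classes required, need >= {baseline.char_classes}"),
        # maxAgeDays=0 means passwords never expire, which fails any maximum-age requirement.
        "max_age": (0 < max_age <= baseline.max_age_days,
                    f"maxAgeDays={max_age}, need 1..{baseline.max_age_days}"),
        "history": (history >= baseline.history_count,
                    f"historyCount={history}, need >= {baseline.history_count}"),
    }


def policy_passes(policy: dict, baseline_name: str = "fedramp-moderate") -> bool:
    """True only when every IAC-06 sub-check passes for the named baseline."""
    results = evaluate_password_policy(policy, BASELINES[baseline_name])
    return all(passed for passed, _ in results.values())


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        for check, (ok, detail) in evaluate_password_policy(pol, BASELINES["fedramp-moderate"]).items():
            print(f"{name:9} {check:11} {'PASS' if ok else 'FAIL'}  {detail}")
```

Run against a live org, the same function would take each object from `/api/v1/policies?type=PASSWORD` in turn; the one assigned to Everyone is the one that matters, because a tightened policy that only applies to a small group still leaves the lenient default in force for everyone else.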
Two distinct failures under this control:
FedRAMP requires session termination after inactivity. Okta's default maximum (2 hours) passes; the idle timeout is the stricter check: its default is often 1 hour or unlimited, which fails the 15-minute FedRAMP baseline. For SOC 2, 30 minutes is usually acceptable, but the connector conservatively flags anything over 15m. Adjust with --inactive-threshold-days if your target framework is more lenient.
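As an added example (not the connector's code), here is the IAC-15 / IAC-15.1 evaluation over sign-on policy rules, with the idle threshold selectable per framework (15 minutes for FedRAMP, 30 for SOC 2, as the text describes). Rule shape follows Okta's OKTA_SIGN_ON rule object (actions.signon.session.maxSessionIdleMinutes / maxSessionLifetimeMinutes); the rules are constructed samples, and treating a value of 0 as "no limit" is an assumption.

```python
"""IAC-15 / IAC-15.1: session lifetime and idle timeout on Okta sign-on rules.

The rules below are constructed samples shaped like Okta's OKTA_SIGN_ON
policy rule object; they are not real API responses.
"""

# Thresholds quoted in the text: FedRAMP idle 15 min, SOC 2 commonly 30 min,
# session lifetime <= 720 min for both.
FRAMEWORK_THRESHOLDS = {
    "fedramp-moderate": {"max_idle_minutes": 15, "max_lifetime_minutes": 720},
    "soc2": {"max_idle_minutes": 30, "max_lifetime_minutes": 720},
}

UNLIMITED = 0  # assumption: Okta uses 0 to mean "no limit" for both session fields

# Constructed rules covering the failure modes the text names.
SIGNON_RULES = [
    {"id": "0pr-constructed-1", "name": "Default Rule", "status": "ACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": False,
         "maxSessionIdleMinutes": 120,          # 2h idle: fails both frameworks
         "maxSessionLifetimeMinutes": 0}}}},    # unlimited lifetime: fails
    {"id": "0pr-constructed-2", "name": "Contractors", "status": "ACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": False,
         "maxSessionIdleMinutes": 30,           # passes SOC 2, fails FedRAMP
         "maxSessionLifetimeMinutes": 480}}}},
    {"id": "0pr-constructed-3", "name": "Legacy", "status": "INACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": True,
         "maxSessionIdleMinutes": 0,
         "maxSessionLifetimeMinutes": 0}}}},    # inactive rule: skipped
]


def _effective(minutes: int) -> float:
    """Map Okta's 0 ("no limit") to infinity so comparisons read naturally."""
    return float("inf") if minutes == UNLIMITED else minutes


def evaluate_session_rules(rules, framework="fedramp-moderate"):
    """Return one finding per ACTIVE rule: (rule_id, idle_ok, lifetime_ok, detail)."""
    t = FRAMEWORK_THRESHOLDS[framework]
    findings = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue  # inactive rules do not govern sessions
        session = rule.get("actions", {}).get("signon", {}).get("session", {})
        idle = _effective(session.get("maxSessionIdleMinutes", UNLIMITED))
        life = _effective(session.get("maxSessionLifetimeMinutes", UNLIMITED))
        idle_ok = idle <= t["max_idle_minutes"]
        life_ok = life <= t["max_lifetime_minutes"]
        detail = (f"idle={idle:g}m (limit {t['max_idle_minutes']}), "
                  f"lifetime={life:g}m (limit {t['max_lifetime_minutes']})")
        findings.append((rule["id"], idle_ok, life_ok, detail))
    return findings


def session_control_passes(rules, framework="fedramp-moderate") -> bool:
    """True only when every active rule satisfies both limits."""
    return all(idle and life for _, idle, life, _ in evaluate_session_rules(rules, framework))


if __name__ == "__main__":
    for fw in FRAMEWORK_THRESHOLDS:
        for rule_id, idle_ok, life_ok, detail in evaluate_session_rules(SIGNON_RULES, fw):
            print(f"{fw:16} {rule_id:18} idle={'PASS' if idle_ok else 'FAIL'} "
                  f"lifetime={'PASS' if life_ok else 'FAIL'}  {detail}")
```

Note that the check has to walk every active rule of every sign-on policy (`/api/v1/policies/{id}/rules`), not just the first: a compliant default rule is undone by a more permissive rule that matches a group or network zone first.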
FedRAMP is notoriously strict here — 35 days is the cutoff for Moderate. SOC 2 doesn't have a hard number but most auditors expect ≤90. The default threshold is 90; pass --inactive-threshold-days=35 for FedRAMP.
"Never logged in" users: separate signal. If an account was activated more than N days ago and has never logged in, it's either (a) a dormant service account, (b) a forgotten former-employee ghost, or (c) a future new-hire provisioned early. Any of those warrant review.
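The inactive-user check and the separate "never logged in" signal from the two paragraphs above, as an added example that is not the connector's code. User fields follow Okta's User object (status, activated, lastLogin as ISO-8601 UTC timestamps, lastLogin null when the user has never signed in); the users and the fixed clock are constructed so the result is deterministic.

```python
"""IAC-15.1 user check: inactive users and never-logged-in accounts.

The users below are constructed samples shaped like Okta's User object and
are evaluated against a fixed 'now' rather than the wall clock.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed fixed clock

USERS = [
    {"id": "00u-constructed-1", "status": "ACTIVE",
     "activated": "2023-01-10T09:05:00.000Z", "lastLogin": "2024-05-30T08:00:00.000Z",
     "profile": {"login": "active.user@example.com"}},
    {"id": "00u-constructed-2", "status": "ACTIVE",
     "activated": "2023-01-10T09:05:00.000Z", "lastLogin": "2024-01-15T08:00:00.000Z",  # ~137 days idle
     "profile": {"login": "dormant.user@example.com"}},
    {"id": "00u-constructed-3", "status": "ACTIVE",
     "activated": "2023-03-01T09:05:00.000Z", "lastLogin": None,   # activated long ago, never used
     "profile": {"login": "never.logged.in@example.com"}},
    {"id": "00u-constructed-4", "status": "ACTIVE",
     "activated": "2024-05-25T09:05:00.000Z", "lastLogin": None,   # provisioned a week ago
     "profile": {"login": "new.hire@example.com"}},
    {"id": "00u-constructed-5", "status": "DEPROVISIONED",
     "activated": "2022-01-01T00:05:00.000Z", "lastLogin": None,   # not ACTIVE: ignored
     "profile": {"login": "gone@example.com"}},
]


def _parse(ts):
    """Okta timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def classify_users(users, now=NOW, threshold_days=90):
    """Split ACTIVE users into:
      ok               - signed in within the threshold, or too new to judge
      inactive         - lastLogin older than threshold_days
      never_logged_in  - activated more than threshold_days ago and lastLogin is null
    threshold_days mirrors --inactive-threshold-days (90 default, 35 for FedRAMP)."""
    out = {"ok": [], "inactive": [], "never_logged_in": []}
    for u in users:
        if u.get("status") != "ACTIVE":
            continue
        last = _parse(u.get("lastLogin"))
        activated = _parse(u.get("activated"))
        if last is None:
            if activated is not None and (now - activated).days > threshold_days:
                out["never_logged_in"].append(u["id"])
            else:
                out["ok"].append(u["id"])  # recently provisioned; nothing to conclude yet
        elif (now - last).days > threshold_days:
            out["inactive"].append(u["id"])
        else:
            out["ok"].append(u["id"])
    return out


if __name__ == "__main__":
    for days in (90, 35):
        print(f"threshold={days}d:", classify_users(USERS, threshold_days=days))
```

The never-logged-in bucket is reported separately on purpose: it needs a human to decide between the three explanations the text lists, whereas a stale lastLogin is a straightforward candidate for suspension.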
Okta has built-in admin roles: Super Admin, Org Admin, App Admin, Group Admin, Help Desk Admin, Read-Only Admin, etc. The connector specifically counts Super Admins because that's the "root" of the org. 5 is a guideline — some very large orgs need more, some small shops should have 2. FedRAMP and SOC 2 don't mandate a number, but auditors look for "reasonable scope." Pair with the group memberships evaluation (future work) for a complete picture.
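The three admin-factor rows from the table, as an added example that is not the connector's code. Role objects follow Okta's role assignment shape (type, status) and factor objects follow Okta's Factor object (factorType, status); the role and factor maps are constructed samples keyed by user id, and the 5-super-admin guideline is exposed as a parameter so a large org can raise it.

```python
"""IAC-07.1 / IAC-01.2 / IAC-01.3: super-admin count and MFA factor coverage.

ROLES and FACTORS are constructed samples; in a live check they would come
from each user's role assignments and /api/v1/users/{id}/factors.
"""

MAX_SUPER_ADMINS = 5  # the guideline from the text; adjustable per org

# Constructed: user id -> assigned roles
ROLES = {
    "00u-constructed-a": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "00u-constructed-b": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "00u-constructed-c": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "00u-constructed-d": [{"type": "APP_ADMIN", "status": "ACTIVE"}],  # not a super admin
}

# Constructed: user id -> enrolled factors; only ACTIVE factors count as usable MFA
FACTORS = {
    "00u-constructed-a": [{"factorType": "token:software:totp", "status": "ACTIVE"},
                          {"factorType": "webauthn", "status": "ACTIVE"}],
    "00u-constructed-b": [{"factorType": "push", "status": "ACTIVE"},
                          {"factorType": "sms", "status": "PENDING_ACTIVATION"}],  # not yet usable
    "00u-constructed-c": [],                                                       # no MFA at all
    "00u-constructed-d": [{"factorType": "push", "status": "ACTIVE"}],
}


def super_admins(roles):
    """Sorted ids of users holding an ACTIVE SUPER_ADMIN role."""
    return sorted(uid for uid, rs in roles.items()
                  if any(r.get("type") == "SUPER_ADMIN" and r.get("status") == "ACTIVE"
                         for r in rs))


def active_factor_count(factors, uid):
    return sum(1 for f in factors.get(uid, []) if f.get("status") == "ACTIVE")


def evaluate_admin_factors(roles, factors, max_admins=MAX_SUPER_ADMINS):
    """Return the three findings keyed by SCF id, with offenders where applicable."""
    admins = super_admins(roles)
    counts = {uid: active_factor_count(factors, uid) for uid in admins}
    return {
        "IAC-07.1": {"passed": len(admins) <= max_admins, "severity": "medium",
                     "detail": f"{len(admins)} super admins (guideline <= {max_admins})"},
        "IAC-01.2": {"passed": all(c >= 1 for c in counts.values()), "severity": "critical",
                     "offenders": [u for u, c in counts.items() if c < 1]},
        "IAC-01.3": {"passed": all(c >= 2 for c in counts.values()), "severity": "high",
                     "offenders": [u for u, c in counts.items() if c < 2]},
    }


if __name__ == "__main__":
    for scf, finding in evaluate_admin_factors(ROLES, FACTORS).items():
        print(scf, "PASS" if finding["passed"] else "FAIL", finding)
```

Pending factors are deliberately excluded: an enrollment that was started but never activated gives the admin no second factor at sign-in, so counting it would hide exactly the gap the critical-severity row is meant to catch.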
Not covered yet:
When a user asks about these, say "v0.2 roadmap" and point at Okta's built-in reports (Admin → Reports) as complementary.
--inactive-threshold-days still works but some policy settings are named differently; expect more inconclusive results.