
Okta Inspector

Author: Ethan Troy, hacker & writer

What It Does

Pulls 40+ types of Okta configuration data via the Okta API and evaluates them automatically against each of the compliance frameworks listed below. Handles pagination and rate limiting, and generates structured compliance reports with an executive summary.

85% of checks are fully automated. The remaining 15% require manual verification and are flagged as such in the output rather than being reported as automated results.
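The pagination and rate-limit handling described above, as an added example (this is not the project's own code). Okta returns the next page in a Link header with rel="next", reports remaining quota in X-Rate-Limit-Remaining, and gives the refill time as an epoch second in X-Rate-Limit-Reset; API tokens are sent with the SSWS scheme and OAuth 2.0 access tokens with Bearer. The FakeOkta class below is a constructed stand-in for the real endpoint so the fetcher can be run offline, and the --max-pages cap is reported back as a "truncated" flag so a partial pull is never mistaken for a complete one:

```python
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# What the fetcher expects back from one request: (HTTP status, response headers, parsed JSON list).
Response = Tuple[int, Dict[str, str], List[dict]]

_LINK_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def auth_headers(token: str, oauth: bool = False) -> Dict[str, str]:
    """Okta API tokens use the SSWS scheme; OAuth 2.0 access tokens use Bearer."""
    scheme = "Bearer" if oauth else "SSWS"
    return {"Authorization": f"{scheme} {token}", "Accept": "application/json"}


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    if not link_header:
        return None
    m = _LINK_NEXT.search(link_header)
    return m.group(1) if m else None


def _wait_for_reset(headers: Dict[str, str], sleep, now) -> None:
    # X-Rate-Limit-Reset is the epoch second at which the bucket refills.
    reset = float(headers.get("X-Rate-Limit-Reset", now() + 1))
    sleep(max(0.0, reset - now()) + 1.0)


def fetch_all(get: Callable[[str], Response], url: str, max_pages: int = 10,
              sleep=time.sleep, now=time.time) -> Tuple[List[dict], int, bool]:
    """Follow rel="next" links until the last page or max_pages.

    HTTP 429 waits for the reset time and retries the same page; a page that
    leaves X-Rate-Limit-Remaining at 0 waits before the next request instead of
    provoking a 429. Returns (items, pages_fetched, truncated) so the caller can
    record that a pull stopped at the page cap rather than at the real end.
    """
    items: List[dict] = []
    pages = 0
    while url is not None and pages < max_pages:
        status, headers, body = get(url)
        if status == 429:
            _wait_for_reset(headers, sleep, now)
            continue
        if status != 200:
            raise RuntimeError(f"GET {url} failed with HTTP {status}")
        items.extend(body)
        pages += 1
        url = next_link(headers.get("Link"))
        if url is not None and headers.get("X-Rate-Limit-Remaining") == "0":
            _wait_for_reset(headers, sleep, now)
    return items, pages, url is not None


class FakeOkta:
    """Constructed stand-in for GET /api/v1/users: three pages (2, 2, 1 users),
    with the very first request rejected with 429. Not a real Okta response."""
    BASE = "https://your-org.okta.com/api/v1/users?limit=2"

    def __init__(self) -> None:
        self.calls = 0
        p2, p3 = self.BASE + "&after=u2", self.BASE + "&after=u4"
        self.pages = {
            self.BASE: ([{"id": "u1"}, {"id": "u2"}], p2),
            p2: ([{"id": "u3"}, {"id": "u4"}], p3),
            p3: ([{"id": "u5"}], None),
        }

    def get(self, url: str) -> Response:
        self.calls += 1
        if self.calls == 1:
            return 429, {"X-Rate-Limit-Remaining": "0", "X-Rate-Limit-Reset": "1700000000"}, []
        body, nxt = self.pages[url]
        headers = {"X-Rate-Limit-Remaining": "599", "X-Rate-Limit-Reset": "1700000060",
                   "Link": f'<{url}>; rel="self"'}
        if nxt:
            # Repeated Link headers arrive comma-joined, which is how requests presents them.
            headers["Link"] += f', <{nxt}>; rel="next"'
        return 200, headers, body


def demo(max_pages: int = 10) -> Tuple[List[dict], int, bool, int]:
    """Run the fetcher against FakeOkta with sleeping and the clock stubbed out."""
    fake = FakeOkta()
    items, pages, truncated = fetch_all(fake.get, FakeOkta.BASE, max_pages=max_pages,
                                        sleep=lambda s: None, now=lambda: 1700000000.0)
    return items, pages, truncated, fake.calls


if __name__ == "__main__":
    for cap in (10, 2):
        users, pages, truncated, calls = demo(max_pages=cap)
        print(f"max_pages={cap}: {len(users)} users, {pages} pages, {calls} requests, truncated={truncated}")
```

With the cap at 10 the fetcher makes four requests (one 429 retry plus three pages) and returns all five users; with the cap at 2 it stops after four users and reports truncated=True, which is the condition a report should surface when a large tenant is audited with a low --max-pages.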

Frameworks

Framework                 Scope                              Controls
FedRAMP (NIST 800-53)     U.S. Federal IAM                   20+ controls (AC, AU, IA, SC, SI families)
DISA STIG V1R1            DoD security                       24 requirements (19 fully automated)
IRAP (ISM)                Australian Government              Information Security Manual controls
Essential Eight           Australian Cyber Security Centre   Mitigation strategies assessment
ISMAP (ISO 27001:2013)    Japanese Government                Cloud service security controls
SOC 2                     Trust Services                     CC6 controls evaluated
PCI-DSS 4.0               Payment card                       Requirements 7 + 8 (access control, auth)

Plus a general security best practices assessment that applies regardless of framework.

Usage

pip install requests

./okta-audit.py -d your-org.okta.com -t YOUR_API_TOKEN

Options:

-d, --domain        Okta domain (e.g., your-org.okta.com)
-t, --token         API token (an SSWS token by default; an OAuth 2.0 access token when --oauth is set)
-o, --output-dir    Custom output directory
--max-pages         Max pages per API call (default: 10)
--oauth             Use OAuth 2.0 instead of an SSWS token

A token passed with -t is visible in shell history and process listings, so use a least-privilege token created for the audit and revoke it when the run is done.

Also available as a Bash script (okta-audit.sh) if you prefer.

Output

Generates a structured output directory with three sections:

core_data/ - Raw API responses (25+ JSON files covering sign-on policies, password policies, authenticators, and more).

analysis/ - Processed data (session analysis, password policy analysis, inactive user detection, certificate/PIV/CAC auth verification).

compliance/ - Reports per framework:

  • Executive summary with key findings
  • Unified compliance matrix mapping controls across all frameworks
  • DISA STIG checklist with automated check results
  • IRAP, ISMAP, and Essential Eight assessment reports
  • FIPS 140-2/140-3 cryptographic compliance report
  • Quick reference guide
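The analysis/ stage (inactive user detection, password policy analysis) and the PASS/FAIL/MANUAL split described under What It Does, as an added example that is not the project's code. It uses the Okta user fields status, created, lastLogin and profile.login, and the password policy fields settings.password.complexity.minLength, settings.password.age.historyCount, settings.password.age.maxAgeDays and settings.password.lockout.maxAttempts. The thresholds in PASSWORD_REQUIREMENTS and the sample users and policy are constructed for illustration and are not the tool's framework mappings:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    check: str
    status: str   # "PASS" or "FAIL" from an automated check, "MANUAL" when a human must verify
    detail: str


def parse_okta_ts(value: Optional[str]) -> Optional[datetime]:
    """Okta timestamps look like 2024-01-15T09:30:00.000Z; lastLogin is null if never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inactive_users(users: List[dict], as_of: datetime, max_idle_days: int = 35) -> List[str]:
    """Logins of ACTIVE accounts idle longer than max_idle_days.

    An account that has never logged in is measured from its created date, so a
    provisioned-but-unused account is caught too. Deprovisioned and suspended
    accounts are skipped because they are not live access."""
    cutoff = as_of - timedelta(days=max_idle_days)
    idle = []
    for u in users:
        if u["status"] != "ACTIVE":
            continue
        last_seen = parse_okta_ts(u.get("lastLogin")) or parse_okta_ts(u["created"])
        if last_seen < cutoff:
            idle.append(u["profile"]["login"])
    return idle


# Assumed, illustrative thresholds for this example only; take the real values
# from the framework you are auditing against.
PASSWORD_REQUIREMENTS = {
    "minLength":    (">=", 15),
    "historyCount": (">=", 5),
    "maxAgeDays":   ("<=", 60),   # 0 in Okta means passwords never expire
    "maxAttempts":  ("<=", 5),    # 0 in Okta means lockout is disabled
}


def check_password_policy(policy: dict, requirements=PASSWORD_REQUIREMENTS) -> List[Finding]:
    """Evaluate one Okta password policy object (as returned by /api/v1/policies?type=PASSWORD)."""
    pw = policy["settings"]["password"]
    actual = {
        "minLength": pw["complexity"]["minLength"],
        "historyCount": pw["age"]["historyCount"],
        "maxAgeDays": pw["age"]["maxAgeDays"],
        "maxAttempts": pw["lockout"]["maxAttempts"],
    }
    findings = []
    for key, (op, want) in requirements.items():
        have = actual[key]
        # For the "at most" settings a value of 0 disables the control entirely, so it fails.
        ok = have >= want if op == ">=" else 0 < have <= want
        findings.append(Finding(f"password.{key}", "PASS" if ok else "FAIL",
                                f"{policy['name']}: {key}={have}, required {op} {want}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count results and report what share of checks was decided without a human."""
    counts = {s: sum(f.status == s for f in findings) for s in ("PASS", "FAIL", "MANUAL")}
    total = len(findings)
    counts["automated_pct"] = round(100 * (total - counts["MANUAL"]) / total) if total else 0
    return counts


def run_sample() -> Tuple[List[Finding], Dict[str, int]]:
    """Constructed users and policy, not real org data."""
    as_of = datetime(2024, 3, 1, tzinfo=timezone.utc)
    users = [
        {"status": "ACTIVE", "created": "2023-01-10T08:00:00.000Z",
         "lastLogin": "2024-02-28T12:00:00.000Z", "profile": {"login": "alice@example.com"}},
        {"status": "ACTIVE", "created": "2023-01-10T08:00:00.000Z",
         "lastLogin": "2023-12-01T12:00:00.000Z", "profile": {"login": "bob@example.com"}},
        {"status": "ACTIVE", "created": "2023-10-01T08:00:00.000Z",
         "lastLogin": None, "profile": {"login": "svc-backup@example.com"}},
        {"status": "DEPROVISIONED", "created": "2022-01-10T08:00:00.000Z",
         "lastLogin": "2023-01-01T12:00:00.000Z", "profile": {"login": "carol@example.com"}},
    ]
    policy = {"name": "Default Policy", "settings": {"password": {
        "complexity": {"minLength": 16},
        "age": {"historyCount": 4, "maxAgeDays": 0},
        "lockout": {"maxAttempts": 10}}}}
    findings = check_password_policy(policy)
    idle = inactive_users(users, as_of)
    findings.append(Finding("users.inactive", "FAIL" if idle else "PASS",
                            f"{len(idle)} ACTIVE accounts idle > 35 days: {', '.join(idle)}"))
    # Smart-card (PIV/CAC) set-up cannot be judged from exported config alone, so it is flagged.
    findings.append(Finding("auth.piv_cac", "MANUAL",
                            "Confirm the certificate chain and IdP mapping with the Okta admin"))
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = run_sample()
    for f in findings:
        print(f"{f.status:6} {f.check:20} {f.detail}")
    print(summary)
```

The point of the MANUAL status is that the summary counts it separately: on the sample data five of six findings are decided automatically (83%), and the one that is not is visible in the report rather than silently absent.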

Related

  • myctrl.tools - Security controls reference for mapping across frameworks
  • Wilma - Similar approach applied to AWS Bedrock security

Disclaimer

Not affiliated with Okta. Verify critical findings against official documentation.
