SOC2 requires demonstrable controls. OpenClaw's default config is secure, but not audit-ready. This guide locks it down for evidence collection and access logging.
Core changes are in `/etc/openclaw/config.hcl`. The following Ansible tasks implement the necessary controls.
```yaml
- name: Apply SOC2-hardened OpenClaw config
  copy:
    dest: /etc/openclaw/config.hcl
    content: |
      # Enable detailed audit logging for user and data access
      audit_log_level = "detailed"
      audit_log_path = "/var/log/openclaw/audit.log"
      log_retention_days = 365
      # Enforce session timeout and MFA
      session_inactivity_timeout = "15m"
      require_mfa_for_all_users = true
      # Restrict data processing to defined regions
      data_processing_region = "us-east-1"
      # Disable verbose debug logging in production
      debug = false
      # Encrypt all internal data at rest
      internal_data_encryption = true
      encryption_key_source = "kms"
      # Limit internal API exposure
      api_listen_address = "127.0.0.1:9090"
```
Post-deployment, run these verification commands and retain the output for auditors.
```bash
# Verify config syntax
openclaw validate-config
# Check the audit log is being written: capture the last entries
# (-f would follow the file indefinitely and cannot be saved as evidence)
sudo tail -n 20 /var/log/openclaw/audit.log
# Confirm no debug endpoints are exposed: the only openclaw listener
# should be 127.0.0.1:9090 (ss replaces the deprecated netstat -tlnp)
sudo ss -tlnp | grep openclaw
```
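As an added example, not part of this guide or of OpenClaw's own tooling, a small Python checker reads the deployed config, compares every key against the values above and prints one PASS/FAIL line per control for the evidence bundle. It assumes the flat `key = value` HCL layout shown in the task; the sample config it falls back to when no path is given is constructed, with one deliberately drifted setting.

```python
"""Check a deployed OpenClaw config.hcl against the SOC2 settings in this guide
and print a PASS/FAIL line per control for the evidence bundle. Parses only the
flat `key = value` HCL subset used above; values and sample are assumptions."""
import re
import sys

# Expected control values, copied from the hardened config in this guide.
EXPECTED = {
    "audit_log_level": "detailed", "audit_log_path": "/var/log/openclaw/audit.log",
    "log_retention_days": 365, "session_inactivity_timeout": "15m",
    "require_mfa_for_all_users": True, "data_processing_region": "us-east-1",
    "debug": False, "internal_data_encryption": True,
    "encryption_key_source": "kms", "api_listen_address": "127.0.0.1:9090",
}

def parse_hcl(text):
    """Return top-level key/value pairs; strings, booleans and ints are typed."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', line.strip())
        if not m:
            continue                          # blank line, comment or nested block
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            settings[key] = val[1:-1]
        elif val in ("true", "false"):
            settings[key] = val == "true"
        elif re.fullmatch(r"-?\d+", val):
            settings[key] = int(val)
        else:
            settings[key] = val               # unknown literal, keep raw text
    return settings

def check_controls(settings, expected=EXPECTED):
    """Return [(key, 'PASS' or 'FAIL', actual)]; a missing key fails."""
    return [(k, "PASS" if settings.get(k) == v else "FAIL", settings.get(k))
            for k, v in expected.items()]

# Constructed sample in which one control (debug) has drifted from the guide.
SAMPLE = "\n".join(
    ["# constructed sample"] +
    [f'{k} = "{v}"' if isinstance(v, str) else f"{k} = {str(v).lower()}"
     for k, v in {**EXPECTED, "debug": True}.items()])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = check_controls(parse_hcl(text))
    for key, status, actual in results:
        print(f"{status} {key} = {actual!r}")
    sys.exit(1 if any(s == "FAIL" for _, s, _ in results) else 0)
```

Run it as `python check_openclaw.py /etc/openclaw/config.hcl` on the host and keep the output next to the command transcripts; a non-zero exit means at least one control has drifted.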
Key points:
* The audit log must be shipped to your SIEM.
* The `encryption_key_source` requires additional KMS configuration not shown here.
* Combine this with our existing IronClaw host baselines.
* Test session timeout behavior before the audit.
Hardened by default.