A-Team Security — Infrastructure & Security Agent Engineer

A-Team Security — Infrastructure & Security Agent Engineer

Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform

Version OCI Docker Terraform License

--- ## Overview A-Team Security Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution. The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations. Distributed as pre-built Docker containers via **Oracle Container Registry (OCIR)** — no source code required. --- ## Features ### AI Chat Agent with RAG + MCP Tool Use - **OCI Generative AI** integration via official SDK - **RAG (Retrieval-Augmented Generation)**: queries ADB vector store for relevant context before generating responses - **MCP Tool Use (Function Calling)**: GenAI models call tools from registered MCP servers during chat - **Chat Memory Compaction**: automatic summarization when conversation exceeds token limit - **Multimodal Chat**: upload images, PDFs, and text files for AI analysis - 16 chat models + 3 embedding models across 5 providers: **Meta** (Llama 4), **Google** (Gemini 2.5), **OpenAI** (GPT-5.2/5.1/4.1/4o, o3/o4-mini), **xAI** (Grok 4/3) ### Terraform Agent (IaC) - **AI-powered Terraform code generation** for OCI infrastructure provisioning - **Workspace management**: create, plan, apply, destroy Terraform workspaces - **14-point validation checklist**: cross-references, CIDRs, security lists, HCL syntax - **Resource type validation**: ~937 OCI resource types with close-match suggestions - **Prompt Generator**: dedicated sub-menu for AI-powered prompt generation ### OCI Account Explorer - **36 resource types** across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM) - **KPI stats bar**: real-time resource counts per category - **Start/Stop** Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances - **Tree-view navigation** with resizable compartment panel - **Multi-region support** with checkbox selection ### OCI CLI Terminal - **Linux-style web terminal** for OCI CLI interaction - **Tab autocomplete**, **OCID auto-lookup** (60+ resource types), **find by name/IP** - Per-user command history, state persists across navigation ### OCI Services - **Service Status**: auto-detect 6 security services per tenancy via OCI API - **OCI Health**: real-time Oracle service health from 49 regions ### CIS Compliance Reports - Oracle's official CIS engine (48 CIS + 11 OBP checks) - **Multiple formats**: HTML, CSV, JSON, XLSX - **Professional Compliance Report**: Oracle-format PDF/DOCX with RAG-powered remediation - Real-time progress tracking with phase-based progress bar ### Built-in CIS MCP Server - **12 granular tools** for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets) - **Parallelized data collection** with session caching ### Embeddings & Knowledge Base - **CIS PDF Chunker**: segments by recommendation, 7000-char chunks with overlap - **Auto-detect embedding dimension** and model selection - **Knowledge Base**: upload documents or import URLs - **Consult Embeddings**: chat-like interface for vector Q&A ### Security - **JWT + TOTP MFA** (Google Authenticator / Authy compatible) - **Oracle IAM OIDC**: SSO via Oracle Identity Domains with JIT provisioning - **RBAC** with 3 roles: Admin, User, Viewer - **Fernet encryption** (AES) for credentials and sensitive settings - **User isolation**: ownership checks, private reports, per-user embeddings - **Force password change** on first login - Rate limiting, audit logging, non-root container execution ### Theme & UI - **Light/Dark mode** with Oracle Dark Premium design - **KPI Dashboard**: compliance gauge, pass/fail cards, donut chart, bar chart - **i18n**: Portuguese, English, Spanish (850+ keys) - **20 pages**, code splitting, Zustand state persistence --- ## Deployment Options The platform is distributed as a single Docker image available on **Oracle Container Registry (OCIR)**: ``` us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest ``` Multi-architecture: `linux/amd64` + `linux/arm64` --- ### Option 1 — Local Docker (any machine) Run on any machine with Docker installed (Linux, macOS, Windows). ```bash # 1. Login to OCIR docker login us-ashburn-1.ocir.io # 2. Configure cp .env.example .env # Edit .env: set APP_SECRET (openssl rand -hex 64) # 3. Run docker compose up -d # 4. Access: http://localhost:8080 docker logs oci-cis-agent | grep "password" ``` Or with `docker run` (no compose file needed): ```bash docker run -d \ --name oci-cis-agent \ -p 8080:8080 \ -v agent-data:/data \ -e APP_SECRET=$(openssl rand -hex 64) \ -e TZ=America/Sao_Paulo \ us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest ``` --- ### Option 2 — OCI Compute Instance (Terraform) Production deployment on Oracle Cloud with Load Balancer, WAF, SSL, and persistent storage. **Architecture:** ``` +--------------------------------------------------------------+ | Oracle Cloud | | | | +-----------------+ +--------------------------------+ | | | | | | | | | WAF Policy | | Private Subnet | | | | (OWASP rules) | | | | | +-----------------+ | +---------------------------+ | | | | | | Compute Instance | | | | +-----------------+ | | (ARM, Free Tier eligible) | | | | | | | | | | | | | Load Balancer |---->| | oci-cis-agent container | | | | | (HTTPS / 443) | | | Block Volume (/data) | | | | | Public Subnet | | | | | | | | | | +---------------------------+ | | | +-----------------+ +--------------------------------+ | | | +--------------------------------------------------------------+ ``` **Setup:** ```bash cd terraform cp terraform.tfvars.example terraform.tfvars # Edit terraform.tfvars with OCI credentials ``` **Deploy:** ```bash terraform init terraform plan terraform apply ``` **Resources Created:** | Resource | Description | |----------|-------------| | VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists | | Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) | | Block Volume | 50GB persistent storage for application data | | Load Balancer | Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt) | | WAF | OWASP protection — XSS, SQL injection, path traversal + rate limiting | | DNS | OCI DNS Zone + A record (conditional — when domain is configured) | **Outputs:** ```bash terraform output load_balancer_ip # Public IP address terraform output app_url # Application URL ``` --- ### Option 3 — OCI Container Instances Run as a serverless container on OCI without managing VMs. ```bash oci container-instances container-instance create \ --compartment-id \ --display-name "oci-cis-agent" \ --availability-domain \ --shape "CI.Standard.E4.Flex" \ --shape-config '{"ocpus": 2, "memoryInGBs": 16}' \ --containers '[{ "imageUrl": "us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest", "displayName": "agent", "environmentVariables": { "APP_SECRET": "", "TZ": "America/Sao_Paulo" } }]' \ --vnics '[{"subnetId": ""}]' \ --image-pull-secrets '[{"registryEndpoint": "us-ashburn-1.ocir.io", "secretType": "BASIC", "username": "", "password": ""}]' ``` --- ### Option 4 — Kubernetes (OKE / any K8s cluster) Deploy on Oracle Kubernetes Engine or any Kubernetes cluster. ```yaml # Minimal deployment apiVersion: apps/v1 kind: Deployment metadata: name: oci-cis-agent spec: replicas: 1 selector: matchLabels: app: oci-cis-agent template: metadata: labels: app: oci-cis-agent spec: containers: - name: agent image: us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest ports: - containerPort: 8080 env: - name: APP_SECRET valueFrom: secretKeyRef: name: agent-secret key: app-secret - name: TZ value: "America/Sao_Paulo" volumeMounts: - name: data mountPath: /data resources: requests: memory: "2Gi" limits: memory: "4Gi" volumes: - name: data persistentVolumeClaim: claimName: agent-data imagePullSecrets: - name: ocir-credentials --- apiVersion: v1 kind: Service metadata: name: oci-cis-agent spec: type: LoadBalancer ports: - port: 443 targetPort: 8080 selector: app: oci-cis-agent ``` --- ### First Login After any deployment option, check the container logs for the initial admin password: ```bash docker logs oci-cis-agent | grep "password" # or kubectl logs deployment/oci-cis-agent | grep "password" ``` > You will be prompted to change the password on first login. --- ## Configuration Guide ### Step 1 — OCI Credentials Navigate to **OCI Credentials** tab and add: | Field | Description | |-------|-------------| | Tenancy Name | Friendly name (e.g., `my-company`) | | OCID Tenancy | `ocid1.tenancy.oc1..xxxxx` | | OCID User | `ocid1.user.oc1..xxxxx` | | Fingerprint | `aa:bb:cc:dd:ee:ff:...` | | Region | `sa-saopaulo-1`, `us-ashburn-1`, etc. | | Compartment OCID | `ocid1.compartment.oc1..xxxxx` | | Private Key | `.pem` file | Click **Test** to validate the connection. ### Step 2 — GenAI Model 1. Select the **OCI Credential** created in Step 1 2. Choose a **model** from the catalog (16 models across 5 providers) 3. Adjust parameters (temperature, max_tokens, etc.) ### Step 3 — ADB Vector + RAG (Optional) For persistent vector storage and RAG-powered chat: 1. Add DSN (from tnsnames.ora) 2. Set credentials and upload Wallet ZIP 3. Select an **Embedding Model** 4. Register vector tables ### Step 4 — MCP Servers (Optional) Register MCP servers for extended AI task execution: | Type | Use Case | |------|----------| | `stdio` | Local Python scripts | | `SSE` | Remote HTTP servers | | `module` | Upload `.py` files directly | --- ## OCI IAM Policies ``` Allow group to use generative-ai-family in compartment Allow group to read all-resources in tenancy Allow group to inspect compartments in tenancy Allow group to inspect autonomous-databases in compartment Allow group to read virtual-network-family in compartment Allow group to read instance-family in compartment Allow group to read objectstorage-namespaces in tenancy Allow group to read buckets in compartment ``` --- ## Environment Variables | Variable | Required | Default | Description | |----------|----------|---------|-------------| | `OCIR_REGION` | Yes | — | OCI region for container registry | | `OCIR_NAMESPACE` | Yes | — | OCIR tenancy namespace | | `APP_SECRET` | Yes | — | 64-byte hex key for JWT/encryption (`openssl rand -hex 64`) | | `JWT_EXPIRY_HOURS` | No | `12` | Token expiry in hours | | `PORT` | No | `8080` | Frontend port | | `CORS_ORIGINS` | No | — | Allowed origins (comma-separated) | | `TZ` | No | `America/Sao_Paulo` | Timezone | --- ## Troubleshooting **Cannot pull images from OCIR:** Verify your `docker login` credentials and that the OCIR repositories exist in your namespace. **Backend health check fails:** Check logs: `docker compose logs backend`. Ensure `APP_SECRET` is set in `.env`. **ADB connection fails (`DPY-6005`):** Ensure the wallet ZIP contains `tnsnames.ora` and `ewallet.pem`. The DSN must match a service name in `tnsnames.ora`. **GenAI returns 401/403:** Verify the IAM policy `Allow group ... to use generative-ai-family in compartment ...` exists. --- ## License MIT ---

Built for Oracle Cloud Infrastructure security compliance by LAD A-Team