A-Team Security — Infrastructure & Security Agent Engineer

A-Team Security — Infrastructure & Security Agent Engineer

Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform

Version OCI Docker Terraform License


Overview

A-Team Security Agent is a self-hosted web application that automates CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0 compliance checks, powered by OCI Generative AI for intelligent analysis and an MCP (Model Context Protocol) server architecture for extensible task execution.

The platform combines security compliance scanning, AI-powered chat with RAG (Retrieval-Augmented Generation), infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a React 19 SPA (TypeScript, Vite), Oracle Dark Premium theme (light/dark modes), KPI dashboard with compliance gauge, i18n (pt/en/es), and Recharts visualizations.

Distributed as pre-built Docker containers via Oracle Container Registry (OCIR) — no source code required.


Features

AI Chat Agent with RAG + MCP Tool Use

  • OCI Generative AI integration via official SDK
  • RAG (Retrieval-Augmented Generation): queries ADB vector store for relevant context before generating responses
  • MCP Tool Use (Function Calling): GenAI models call tools from registered MCP servers during chat
  • Chat Memory Compaction: automatic summarization when conversation exceeds token limit
  • Multimodal Chat: upload images, PDFs, and text files for AI analysis
  • 16 chat models + 3 embedding models across 5 providers: Meta (Llama 4), Google (Gemini 2.5), OpenAI (GPT-5.2/5.1/4.1/4o, o3/o4-mini), xAI (Grok 4/3)

Terraform Agent (IaC)

  • AI-powered Terraform code generation for OCI infrastructure provisioning
  • Workspace management: create, plan, apply, destroy Terraform workspaces
  • 14-point validation checklist: cross-references, CIDRs, security lists, HCL syntax
  • Resource type validation: ~937 OCI resource types with close-match suggestions
  • Prompt Generator: dedicated sub-menu for AI-powered prompt generation

OCI Account Explorer

  • 36 resource types across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM)
  • KPI stats bar: real-time resource counts per category
  • Start/Stop Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
  • Tree-view navigation with resizable compartment panel
  • Multi-region support with checkbox selection

OCI CLI Terminal

  • Linux-style web terminal for OCI CLI interaction
  • Tab autocomplete, OCID auto-lookup (60+ resource types), find by name/IP
  • Per-user command history, state persists across navigation

OCI Services

  • Service Status: auto-detect 6 security services per tenancy via OCI API
  • OCI Health: real-time Oracle service health from 49 regions

CIS Compliance Reports

  • Oracle's official CIS engine (48 CIS + 11 OBP checks)
  • Multiple formats: HTML, CSV, JSON, XLSX
  • Professional Compliance Report: Oracle-format PDF/DOCX with RAG-powered remediation
  • Real-time progress tracking with phase-based progress bar

Built-in CIS MCP Server

  • 12 granular tools for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets)
  • Parallelized data collection with session caching

Embeddings & Knowledge Base

  • CIS PDF Chunker: segments by recommendation, 7000-char chunks with overlap
  • Auto-detect embedding dimension and model selection
  • Knowledge Base: upload documents or import URLs
  • Consult Embeddings: chat-like interface for vector Q&A

Security

  • JWT + TOTP MFA (Google Authenticator / Authy compatible)
  • Oracle IAM OIDC: SSO via Oracle Identity Domains with JIT provisioning
  • RBAC with 3 roles: Admin, User, Viewer
  • Fernet encryption (AES) for credentials and sensitive settings
  • User isolation: ownership checks, private reports, per-user embeddings
  • Force password change on first login
  • Rate limiting, audit logging, non-root container execution

Theme & UI

  • Light/Dark mode with Oracle Dark Premium design
  • KPI Dashboard: compliance gauge, pass/fail cards, donut chart, bar chart
  • i18n: Portuguese, English, Spanish (850+ keys)
  • 20 pages, code splitting, Zustand state persistence

Deployment Options

The platform is distributed as a single Docker image available on Oracle Container Registry (OCIR):

us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest

Multi-architecture: linux/amd64 + linux/arm64


Option 1 — Local Docker (any machine)

Run on any machine with Docker installed (Linux, macOS, Windows).

# 1. Login to OCIR
docker login us-ashburn-1.ocir.io

# 2. Configure
cp .env.example .env
# Edit .env: set APP_SECRET (openssl rand -hex 64)

# 3. Run
docker compose up -d

# 4. Access: http://localhost:8080
docker logs oci-cis-agent | grep "password"

Or with docker run (no compose file needed):

docker run -d \
  --name oci-cis-agent \
  -p 8080:8080 \
  -v agent-data:/data \
  -e APP_SECRET=$(openssl rand -hex 64) \
  -e TZ=America/Sao_Paulo \
  us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest

Option 2 — OCI Compute Instance (Terraform)

Production deployment on Oracle Cloud with Load Balancer, WAF, SSL, and persistent storage.

Architecture:

+--------------------------------------------------------------+
|                       Oracle Cloud                           |
|                                                              |
|  +-----------------+     +--------------------------------+  |
|  |                 |     |                                |  |
|  |  WAF Policy     |     |  Private Subnet               |  |
|  |  (OWASP rules)  |     |                                |  |
|  +-----------------+     |  +---------------------------+ |  |
|          |               |  | Compute Instance          | |  |
|  +-----------------+     |  | (ARM, Free Tier eligible) | |  |
|  |                 |     |  |                           | |  |
|  |  Load Balancer  |---->|  |  oci-cis-agent container  | |  |
|  |  (HTTPS / 443)  |     |  |  Block Volume (/data)    | |  |
|  |  Public Subnet  |     |  |                           | |  |
|  |                 |     |  +---------------------------+ |  |
|  +-----------------+     +--------------------------------+  |
|                                                              |
+--------------------------------------------------------------+

Setup:

cd terraform
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with OCI credentials

Deploy:

terraform init
terraform plan
terraform apply

Resources Created:

Resource Description
VCN 10.0.0.0/16 with public/private subnets, gateways, security lists
Compute VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible)
Block Volume 50GB persistent storage for application data
Load Balancer Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt)
WAF OWASP protection — XSS, SQL injection, path traversal + rate limiting
DNS OCI DNS Zone + A record (conditional — when domain is configured)

Outputs:

terraform output load_balancer_ip     # Public IP address
terraform output app_url              # Application URL

Option 3 — OCI Container Instances

Run as a serverless container on OCI without managing VMs.

oci container-instances container-instance create \
  --compartment-id <COMPARTMENT_OCID> \
  --display-name "oci-cis-agent" \
  --availability-domain <AD> \
  --shape "CI.Standard.E4.Flex" \
  --shape-config '{"ocpus": 2, "memoryInGBs": 16}' \
  --containers '[{
    "imageUrl": "us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest",
    "displayName": "agent",
    "environmentVariables": {
      "APP_SECRET": "<YOUR_SECRET>",
      "TZ": "America/Sao_Paulo"
    }
  }]' \
  --vnics '[{"subnetId": "<SUBNET_OCID>"}]' \
  --image-pull-secrets '[{"registryEndpoint": "us-ashburn-1.ocir.io", "secretType": "BASIC", "username": "<OCIR_USER>", "password": "<AUTH_TOKEN>"}]'

Option 4 — Kubernetes (OKE / any K8s cluster)

Deploy on Oracle Kubernetes Engine or any Kubernetes cluster.

# Minimal deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oci-cis-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oci-cis-agent
  template:
    metadata:
      labels:
        app: oci-cis-agent
    spec:
      containers:
      - name: agent
        image: us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
        ports:
        - containerPort: 8080
        env:
        - name: APP_SECRET
          valueFrom:
            secretKeyRef:
              name: agent-secret
              key: app-secret
        - name: TZ
          value: "America/Sao_Paulo"
        volumeMounts:
        - name: data
          mountPath: /data
        resources:
          requests:
            memory: "2Gi"
          limits:
            memory: "4Gi"
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: agent-data
      imagePullSecrets:
      - name: ocir-credentials
---
apiVersion: v1
kind: Service
metadata:
  name: oci-cis-agent
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 8080
  selector:
    app: oci-cis-agent

First Login

After any deployment option, check the container logs for the initial admin password:

docker logs oci-cis-agent | grep "password"
# or
kubectl logs deployment/oci-cis-agent | grep "password"

You will be prompted to change the password on first login.


Configuration Guide

Step 1 — OCI Credentials

Navigate to OCI Credentials tab and add:

Field Description
Tenancy Name Friendly name (e.g., my-company)
OCID Tenancy ocid1.tenancy.oc1..xxxxx
OCID User ocid1.user.oc1..xxxxx
Fingerprint aa:bb:cc:dd:ee:ff:...
Region sa-saopaulo-1, us-ashburn-1, etc.
Compartment OCID ocid1.compartment.oc1..xxxxx
Private Key .pem file

Click Test to validate the connection.

Step 2 — GenAI Model

  1. Select the OCI Credential created in Step 1
  2. Choose a model from the catalog (16 models across 5 providers)
  3. Adjust parameters (temperature, max_tokens, etc.)

Step 3 — ADB Vector + RAG (Optional)

For persistent vector storage and RAG-powered chat:

  1. Add DSN (from tnsnames.ora)
  2. Set credentials and upload Wallet ZIP
  3. Select an Embedding Model
  4. Register vector tables

Step 4 — MCP Servers (Optional)

Register MCP servers for extended AI task execution:

Type Use Case
stdio Local Python scripts
SSE Remote HTTP servers
module Upload .py files directly

OCI IAM Policies

Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
Allow group <group-name> to read all-resources in tenancy
Allow group <group-name> to inspect compartments in tenancy
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
Allow group <group-name> to read instance-family in compartment <compartment-name>
Allow group <group-name> to read objectstorage-namespaces in tenancy
Allow group <group-name> to read buckets in compartment <compartment-name>

Environment Variables

Variable Required Default Description
OCIR_REGION Yes OCI region for container registry
OCIR_NAMESPACE Yes OCIR tenancy namespace
APP_SECRET Yes 64-byte hex key for JWT/encryption (openssl rand -hex 64)
JWT_EXPIRY_HOURS No 12 Token expiry in hours
PORT No 8080 Frontend port
CORS_ORIGINS No Allowed origins (comma-separated)
TZ No America/Sao_Paulo Timezone

Troubleshooting

Cannot pull images from OCIR: Verify your docker login credentials and that the OCIR repositories exist in your namespace.

Backend health check fails: Check logs: docker compose logs backend. Ensure APP_SECRET is set in .env.

ADB connection fails (DPY-6005): Ensure the wallet ZIP contains tnsnames.ora and ewallet.pem. The DSN must match a service name in tnsnames.ora.

GenAI returns 401/403: Verify the IAM policy Allow group ... to use generative-ai-family in compartment ... exists.


License

MIT


Built for Oracle Cloud Infrastructure security compliance by LAD A-Team

Description
No description provided
Readme 2.4 MiB
Languages
HCL 84.4%
Smarty 15.6%