406 lines
13 KiB
Markdown
406 lines
13 KiB
Markdown
<p align="center">
|
|
<img src="logo.svg" alt="A-Team Security — Infrastructure & Security Agent Engineer" width="96" height="96">
|
|
</p>
|
|
|
|
<h1 align="center">A-Team Security — Infrastructure & Security Agent Engineer</h1>
|
|
|
|
<p align="center">
|
|
<strong>Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform</strong>
|
|
</p>
|
|
|
|
<p align="center">
|
|
<img src="https://img.shields.io/badge/version-1.0-C74634?style=flat-square" alt="Version">
|
|
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
|
|
<img src="https://img.shields.io/badge/docker-compose-2496ED?style=flat-square" alt="Docker">
|
|
<img src="https://img.shields.io/badge/terraform-7B42BC?style=flat-square" alt="Terraform">
|
|
<img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="License">
|
|
</p>
|
|
|
|
---
|
|
|
|
## Overview
|
|
|
|
A-Team Security Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
|
|
|
|
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
|
|
|
|
Distributed as pre-built Docker containers via **Oracle Container Registry (OCIR)** — no source code required.
|
|
|
|
---
|
|
|
|
## Features
|
|
|
|
### AI Chat Agent with RAG + MCP Tool Use
|
|
- **OCI Generative AI** integration via official SDK
|
|
- **RAG (Retrieval-Augmented Generation)**: queries ADB vector store for relevant context before generating responses
|
|
- **MCP Tool Use (Function Calling)**: GenAI models call tools from registered MCP servers during chat
|
|
- **Chat Memory Compaction**: automatic summarization when conversation exceeds token limit
|
|
- **Multimodal Chat**: upload images, PDFs, and text files for AI analysis
|
|
- 16 chat models + 3 embedding models across 5 providers: **Meta** (Llama 4), **Google** (Gemini 2.5), **OpenAI** (GPT-5.2/5.1/4.1/4o, o3/o4-mini), **xAI** (Grok 4/3)
|
|
|
|
### Terraform Agent (IaC)
|
|
- **AI-powered Terraform code generation** for OCI infrastructure provisioning
|
|
- **Workspace management**: create, plan, apply, destroy Terraform workspaces
|
|
- **14-point validation checklist**: cross-references, CIDRs, security lists, HCL syntax
|
|
- **Resource type validation**: ~937 OCI resource types with close-match suggestions
|
|
- **Prompt Generator**: dedicated sub-menu for AI-powered prompt generation
|
|
|
|
### OCI Account Explorer
|
|
- **36 resource types** across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM)
|
|
- **KPI stats bar**: real-time resource counts per category
|
|
- **Start/Stop** Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
|
|
- **Tree-view navigation** with resizable compartment panel
|
|
- **Multi-region support** with checkbox selection
|
|
|
|
### OCI CLI Terminal
|
|
- **Linux-style web terminal** for OCI CLI interaction
|
|
- **Tab autocomplete**, **OCID auto-lookup** (60+ resource types), **find by name/IP**
|
|
- Per-user command history, state persists across navigation
|
|
|
|
### OCI Services
|
|
- **Service Status**: auto-detect 6 security services per tenancy via OCI API
|
|
- **OCI Health**: real-time Oracle service health from 49 regions
|
|
|
|
### CIS Compliance Reports
|
|
- Oracle's official CIS engine (48 CIS + 11 OBP checks)
|
|
- **Multiple formats**: HTML, CSV, JSON, XLSX
|
|
- **Professional Compliance Report**: Oracle-format PDF/DOCX with RAG-powered remediation
|
|
- Real-time progress tracking with phase-based progress bar
|
|
|
|
### Built-in CIS MCP Server
|
|
- **12 granular tools** for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets)
|
|
- **Parallelized data collection** with session caching
|
|
|
|
### Embeddings & Knowledge Base
|
|
- **CIS PDF Chunker**: segments by recommendation, 7000-char chunks with overlap
|
|
- **Auto-detect embedding dimension** and model selection
|
|
- **Knowledge Base**: upload documents or import URLs
|
|
- **Consult Embeddings**: chat-like interface for vector Q&A
|
|
|
|
### Security
|
|
- **JWT + TOTP MFA** (Google Authenticator / Authy compatible)
|
|
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains with JIT provisioning
|
|
- **RBAC** with 3 roles: Admin, User, Viewer
|
|
- **Fernet encryption** (AES) for credentials and sensitive settings
|
|
- **User isolation**: ownership checks, private reports, per-user embeddings
|
|
- **Force password change** on first login
|
|
- Rate limiting, audit logging, non-root container execution
|
|
|
|
### Theme & UI
|
|
- **Light/Dark mode** with Oracle Dark Premium design
|
|
- **KPI Dashboard**: compliance gauge, pass/fail cards, donut chart, bar chart
|
|
- **i18n**: Portuguese, English, Spanish (850+ keys)
|
|
- **20 pages**, code splitting, Zustand state persistence
|
|
|
|
---
|
|
|
|
## Deployment Options
|
|
|
|
The platform is distributed as a single Docker image available on **Oracle Container Registry (OCIR)**:
|
|
|
|
```
|
|
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
```
|
|
|
|
Multi-architecture: `linux/amd64` + `linux/arm64`
|
|
|
|
---
|
|
|
|
### Option 1 — Local Docker (any machine)
|
|
|
|
Run on any machine with Docker installed (Linux, macOS, Windows).
|
|
|
|
```bash
|
|
# 1. Login to OCIR
|
|
docker login us-ashburn-1.ocir.io
|
|
|
|
# 2. Configure
|
|
cp .env.example .env
|
|
# Edit .env: set APP_SECRET (openssl rand -hex 64)
|
|
|
|
# 3. Run
|
|
docker compose up -d
|
|
|
|
# 4. Access: http://localhost:8080
|
|
docker logs oci-cis-agent | grep "password"
|
|
```
|
|
|
|
Or with `docker run` (no compose file needed):
|
|
|
|
```bash
|
|
docker run -d \
|
|
--name oci-cis-agent \
|
|
-p 8080:8080 \
|
|
-v agent-data:/data \
|
|
-e APP_SECRET=$(openssl rand -hex 64) \
|
|
-e TZ=America/Sao_Paulo \
|
|
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
```
|
|
|
|
---
|
|
|
|
### Option 2 — OCI Compute Instance (Terraform)
|
|
|
|
Production deployment on Oracle Cloud with Load Balancer, WAF, SSL, and persistent storage.
|
|
|
|
**Architecture:**
|
|
|
|
```
|
|
+--------------------------------------------------------------+
|
|
| Oracle Cloud |
|
|
| |
|
|
| +-----------------+ +--------------------------------+ |
|
|
| | | | | |
|
|
| | WAF Policy | | Private Subnet | |
|
|
| | (OWASP rules) | | | |
|
|
| +-----------------+ | +---------------------------+ | |
|
|
| | | | Compute Instance | | |
|
|
| +-----------------+ | | (ARM, Free Tier eligible) | | |
|
|
| | | | | | | |
|
|
| | Load Balancer |---->| | oci-cis-agent container | | |
|
|
| | (HTTPS / 443) | | | Block Volume (/data) | | |
|
|
| | Public Subnet | | | | | |
|
|
| | | | +---------------------------+ | |
|
|
| +-----------------+ +--------------------------------+ |
|
|
| |
|
|
+--------------------------------------------------------------+
|
|
```
|
|
|
|
**Setup:**
|
|
|
|
```bash
|
|
cd terraform
|
|
cp terraform.tfvars.example terraform.tfvars
|
|
# Edit terraform.tfvars with OCI credentials
|
|
```
|
|
|
|
**Deploy:**
|
|
|
|
```bash
|
|
terraform init
|
|
terraform plan
|
|
terraform apply
|
|
```
|
|
|
|
**Resources Created:**
|
|
|
|
| Resource | Description |
|
|
|----------|-------------|
|
|
| VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists |
|
|
| Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) |
|
|
| Block Volume | 50GB persistent storage for application data |
|
|
| Load Balancer | Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt) |
|
|
| WAF | OWASP protection — XSS, SQL injection, path traversal + rate limiting |
|
|
| DNS | OCI DNS Zone + A record (conditional — when domain is configured) |
|
|
|
|
**Outputs:**
|
|
|
|
```bash
|
|
terraform output load_balancer_ip # Public IP address
|
|
terraform output app_url # Application URL
|
|
```
|
|
|
|
---
|
|
|
|
### Option 3 — OCI Container Instances
|
|
|
|
Run as a serverless container on OCI without managing VMs.
|
|
|
|
```bash
|
|
oci container-instances container-instance create \
|
|
--compartment-id <COMPARTMENT_OCID> \
|
|
--display-name "oci-cis-agent" \
|
|
--availability-domain <AD> \
|
|
--shape "CI.Standard.E4.Flex" \
|
|
--shape-config '{"ocpus": 2, "memoryInGBs": 16}' \
|
|
--containers '[{
|
|
"imageUrl": "us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest",
|
|
"displayName": "agent",
|
|
"environmentVariables": {
|
|
"APP_SECRET": "<YOUR_SECRET>",
|
|
"TZ": "America/Sao_Paulo"
|
|
}
|
|
}]' \
|
|
--vnics '[{"subnetId": "<SUBNET_OCID>"}]' \
|
|
--image-pull-secrets '[{"registryEndpoint": "us-ashburn-1.ocir.io", "secretType": "BASIC", "username": "<OCIR_USER>", "password": "<AUTH_TOKEN>"}]'
|
|
```
|
|
|
|
---
|
|
|
|
### Option 4 — Kubernetes (OKE / any K8s cluster)
|
|
|
|
Deploy on Oracle Kubernetes Engine or any Kubernetes cluster.
|
|
|
|
```yaml
|
|
# Minimal deployment
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: oci-cis-agent
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: oci-cis-agent
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: oci-cis-agent
|
|
spec:
|
|
containers:
|
|
- name: agent
|
|
image: us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
|
ports:
|
|
- containerPort: 8080
|
|
env:
|
|
- name: APP_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: agent-secret
|
|
key: app-secret
|
|
- name: TZ
|
|
value: "America/Sao_Paulo"
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /data
|
|
resources:
|
|
requests:
|
|
memory: "2Gi"
|
|
limits:
|
|
memory: "4Gi"
|
|
volumes:
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: agent-data
|
|
imagePullSecrets:
|
|
- name: ocir-credentials
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: oci-cis-agent
|
|
spec:
|
|
type: LoadBalancer
|
|
ports:
|
|
- port: 443
|
|
targetPort: 8080
|
|
selector:
|
|
app: oci-cis-agent
|
|
```
|
|
|
|
---
|
|
|
|
### First Login
|
|
|
|
After any deployment option, check the container logs for the initial admin password:
|
|
|
|
```bash
|
|
docker logs oci-cis-agent | grep "password"
|
|
# or
|
|
kubectl logs deployment/oci-cis-agent | grep "password"
|
|
```
|
|
|
|
> You will be prompted to change the password on first login.
|
|
|
|
---
|
|
|
|
## Configuration Guide
|
|
|
|
### Step 1 — OCI Credentials
|
|
|
|
Navigate to **OCI Credentials** tab and add:
|
|
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| Tenancy Name | Friendly name (e.g., `my-company`) |
|
|
| OCID Tenancy | `ocid1.tenancy.oc1..xxxxx` |
|
|
| OCID User | `ocid1.user.oc1..xxxxx` |
|
|
| Fingerprint | `aa:bb:cc:dd:ee:ff:...` |
|
|
| Region | `sa-saopaulo-1`, `us-ashburn-1`, etc. |
|
|
| Compartment OCID | `ocid1.compartment.oc1..xxxxx` |
|
|
| Private Key | `.pem` file |
|
|
|
|
Click **Test** to validate the connection.
|
|
|
|
### Step 2 — GenAI Model
|
|
|
|
1. Select the **OCI Credential** created in Step 1
|
|
2. Choose a **model** from the catalog (16 models across 5 providers)
|
|
3. Adjust parameters (temperature, max_tokens, etc.)
|
|
|
|
### Step 3 — ADB Vector + RAG (Optional)
|
|
|
|
For persistent vector storage and RAG-powered chat:
|
|
|
|
1. Add DSN (from tnsnames.ora)
|
|
2. Set credentials and upload Wallet ZIP
|
|
3. Select an **Embedding Model**
|
|
4. Register vector tables
|
|
|
|
### Step 4 — MCP Servers (Optional)
|
|
|
|
Register MCP servers for extended AI task execution:
|
|
|
|
| Type | Use Case |
|
|
|------|----------|
|
|
| `stdio` | Local Python scripts |
|
|
| `SSE` | Remote HTTP servers |
|
|
| `module` | Upload `.py` files directly |
|
|
|
|
---
|
|
|
|
## OCI IAM Policies
|
|
|
|
```
|
|
Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
|
|
Allow group <group-name> to read all-resources in tenancy
|
|
Allow group <group-name> to inspect compartments in tenancy
|
|
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
|
|
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
|
|
Allow group <group-name> to read instance-family in compartment <compartment-name>
|
|
Allow group <group-name> to read objectstorage-namespaces in tenancy
|
|
Allow group <group-name> to read buckets in compartment <compartment-name>
|
|
```
|
|
|
|
---
|
|
|
|
## Environment Variables
|
|
|
|
| Variable | Required | Default | Description |
|
|
|----------|----------|---------|-------------|
|
|
| `OCIR_REGION` | Yes | — | OCI region for container registry |
|
|
| `OCIR_NAMESPACE` | Yes | — | OCIR tenancy namespace |
|
|
| `APP_SECRET` | Yes | — | 64-byte hex key for JWT/encryption (`openssl rand -hex 64`) |
|
|
| `JWT_EXPIRY_HOURS` | No | `12` | Token expiry in hours |
|
|
| `PORT` | No | `8080` | Frontend port |
|
|
| `CORS_ORIGINS` | No | — | Allowed origins (comma-separated) |
|
|
| `TZ` | No | `America/Sao_Paulo` | Timezone |
|
|
|
|
---
|
|
|
|
## Troubleshooting
|
|
|
|
**Cannot pull images from OCIR:**
|
|
Verify your `docker login` credentials and that the OCIR repositories exist in your namespace.
|
|
|
|
**Backend health check fails:**
|
|
Check logs: `docker compose logs backend`. Ensure `APP_SECRET` is set in `.env`.
|
|
|
|
**ADB connection fails (`DPY-6005`):**
|
|
Ensure the wallet ZIP contains `tnsnames.ora` and `ewallet.pem`. The DSN must match a service name in `tnsnames.ora`.
|
|
|
|
**GenAI returns 401/403:**
|
|
Verify the IAM policy `Allow group ... to use generative-ai-family in compartment ...` exists.
|
|
|
|
---
|
|
|
|
## License
|
|
|
|
MIT
|
|
|
|
---
|
|
|
|
<p align="center">
|
|
<sub>Built for Oracle Cloud Infrastructure security compliance by LAD A-Team</sub>
|
|
</p>
|