Files
A-Team-Security-Infra-Agent…/README.md

406 lines
13 KiB
Markdown

<p align="center">
<img src="logo.svg" alt="A-Team Security — Infrastructure & Security Agent Engineer" width="96" height="96">
</p>
<h1 align="center">A-Team Security — Infrastructure & Security Agent Engineer</h1>
<p align="center">
<strong>Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform</strong>
</p>
<p align="center">
<img src="https://img.shields.io/badge/version-1.0-C74634?style=flat-square" alt="Version">
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
<img src="https://img.shields.io/badge/docker-compose-2496ED?style=flat-square" alt="Docker">
<img src="https://img.shields.io/badge/terraform-7B42BC?style=flat-square" alt="Terraform">
<img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="License">
</p>
---
## Overview
A-Team Security Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
Distributed as pre-built Docker containers via **Oracle Container Registry (OCIR)** — no source code required.
---
## Features
### AI Chat Agent with RAG + MCP Tool Use
- **OCI Generative AI** integration via official SDK
- **RAG (Retrieval-Augmented Generation)**: queries ADB vector store for relevant context before generating responses
- **MCP Tool Use (Function Calling)**: GenAI models call tools from registered MCP servers during chat
- **Chat Memory Compaction**: automatic summarization when conversation exceeds token limit
- **Multimodal Chat**: upload images, PDFs, and text files for AI analysis
- 16 chat models + 3 embedding models across 5 providers: **Meta** (Llama 4), **Google** (Gemini 2.5), **OpenAI** (GPT-5.2/5.1/4.1/4o, o3/o4-mini), **xAI** (Grok 4/3)
### Terraform Agent (IaC)
- **AI-powered Terraform code generation** for OCI infrastructure provisioning
- **Workspace management**: create, plan, apply, destroy Terraform workspaces
- **14-point validation checklist**: cross-references, CIDRs, security lists, HCL syntax
- **Resource type validation**: ~937 OCI resource types with close-match suggestions
- **Prompt Generator**: dedicated sub-menu for AI-powered prompt generation
### OCI Account Explorer
- **36 resource types** across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM)
- **KPI stats bar**: real-time resource counts per category
- **Start/Stop** Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
- **Tree-view navigation** with resizable compartment panel
- **Multi-region support** with checkbox selection
### OCI CLI Terminal
- **Linux-style web terminal** for OCI CLI interaction
- **Tab autocomplete**, **OCID auto-lookup** (60+ resource types), **find by name/IP**
- Per-user command history, state persists across navigation
### OCI Services
- **Service Status**: auto-detect 6 security services per tenancy via OCI API
- **OCI Health**: real-time Oracle service health from 49 regions
### CIS Compliance Reports
- Oracle's official CIS engine (48 CIS + 11 OBP checks)
- **Multiple formats**: HTML, CSV, JSON, XLSX
- **Professional Compliance Report**: Oracle-format PDF/DOCX with RAG-powered remediation
- Real-time progress tracking with phase-based progress bar
### Built-in CIS MCP Server
- **12 granular tools** for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets)
- **Parallelized data collection** with session caching
### Embeddings & Knowledge Base
- **CIS PDF Chunker**: segments by recommendation, 7000-char chunks with overlap
- **Auto-detect embedding dimension** and model selection
- **Knowledge Base**: upload documents or import URLs
- **Consult Embeddings**: chat-like interface for vector Q&A
### Security
- **JWT + TOTP MFA** (Google Authenticator / Authy compatible)
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains with JIT provisioning
- **RBAC** with 3 roles: Admin, User, Viewer
- **Fernet encryption** (AES) for credentials and sensitive settings
- **User isolation**: ownership checks, private reports, per-user embeddings
- **Force password change** on first login
- Rate limiting, audit logging, non-root container execution
### Theme & UI
- **Light/Dark mode** with Oracle Dark Premium design
- **KPI Dashboard**: compliance gauge, pass/fail cards, donut chart, bar chart
- **i18n**: Portuguese, English, Spanish (850+ keys)
- **20 pages**, code splitting, Zustand state persistence
---
## Deployment Options
The platform is distributed as a single Docker image available on **Oracle Container Registry (OCIR)**:
```
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
```
Multi-architecture: `linux/amd64` + `linux/arm64`
---
### Option 1 — Local Docker (any machine)
Run on any machine with Docker installed (Linux, macOS, Windows).
```bash
# 1. Login to OCIR
docker login us-ashburn-1.ocir.io
# 2. Configure
cp .env.example .env
# Edit .env: set APP_SECRET (openssl rand -hex 64)
# 3. Run
docker compose up -d
# 4. Access: http://localhost:8080
docker logs oci-cis-agent | grep "password"
```
Or with `docker run` (no compose file needed):
```bash
docker run -d \
--name oci-cis-agent \
-p 8080:8080 \
-v agent-data:/data \
-e APP_SECRET=$(openssl rand -hex 64) \
-e TZ=America/Sao_Paulo \
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
```
---
### Option 2 — OCI Compute Instance (Terraform)
Production deployment on Oracle Cloud with Load Balancer, WAF, SSL, and persistent storage.
**Architecture:**
```
+--------------------------------------------------------------+
| Oracle Cloud |
| |
| +-----------------+ +--------------------------------+ |
| | | | | |
| | WAF Policy | | Private Subnet | |
| | (OWASP rules) | | | |
| +-----------------+ | +---------------------------+ | |
| | | | Compute Instance | | |
| +-----------------+ | | (ARM, Free Tier eligible) | | |
| | | | | | | |
| | Load Balancer |---->| | oci-cis-agent container | | |
| | (HTTPS / 443) | | | Block Volume (/data) | | |
| | Public Subnet | | | | | |
| | | | +---------------------------+ | |
| +-----------------+ +--------------------------------+ |
| |
+--------------------------------------------------------------+
```
**Setup:**
```bash
cd terraform
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with OCI credentials
```
**Deploy:**
```bash
terraform init
terraform plan
terraform apply
```
**Resources Created:**
| Resource | Description |
|----------|-------------|
| VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists |
| Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) |
| Block Volume | 50GB persistent storage for application data |
| Load Balancer | Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt) |
| WAF | OWASP protection — XSS, SQL injection, path traversal + rate limiting |
| DNS | OCI DNS Zone + A record (conditional — when domain is configured) |
**Outputs:**
```bash
terraform output load_balancer_ip # Public IP address
terraform output app_url # Application URL
```
---
### Option 3 — OCI Container Instances
Run as a serverless container on OCI without managing VMs.
```bash
oci container-instances container-instance create \
--compartment-id <COMPARTMENT_OCID> \
--display-name "oci-cis-agent" \
--availability-domain <AD> \
--shape "CI.Standard.E4.Flex" \
--shape-config '{"ocpus": 2, "memoryInGBs": 16}' \
--containers '[{
"imageUrl": "us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest",
"displayName": "agent",
"environmentVariables": {
"APP_SECRET": "<YOUR_SECRET>",
"TZ": "America/Sao_Paulo"
}
}]' \
--vnics '[{"subnetId": "<SUBNET_OCID>"}]' \
--image-pull-secrets '[{"registryEndpoint": "us-ashburn-1.ocir.io", "secretType": "BASIC", "username": "<OCIR_USER>", "password": "<AUTH_TOKEN>"}]'
```
---
### Option 4 — Kubernetes (OKE / any K8s cluster)
Deploy on Oracle Kubernetes Engine or any Kubernetes cluster.
```yaml
# Minimal deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: oci-cis-agent
spec:
replicas: 1
selector:
matchLabels:
app: oci-cis-agent
template:
metadata:
labels:
app: oci-cis-agent
spec:
containers:
- name: agent
image: us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
ports:
- containerPort: 8080
env:
- name: APP_SECRET
valueFrom:
secretKeyRef:
name: agent-secret
key: app-secret
- name: TZ
value: "America/Sao_Paulo"
volumeMounts:
- name: data
mountPath: /data
resources:
requests:
memory: "2Gi"
limits:
memory: "4Gi"
volumes:
- name: data
persistentVolumeClaim:
claimName: agent-data
imagePullSecrets:
- name: ocir-credentials
---
apiVersion: v1
kind: Service
metadata:
name: oci-cis-agent
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 8080
selector:
app: oci-cis-agent
```
---
### First Login
After any deployment option, check the container logs for the initial admin password:
```bash
docker logs oci-cis-agent | grep "password"
# or
kubectl logs deployment/oci-cis-agent | grep "password"
```
> You will be prompted to change the password on first login.
---
## Configuration Guide
### Step 1 — OCI Credentials
Navigate to **OCI Credentials** tab and add:
| Field | Description |
|-------|-------------|
| Tenancy Name | Friendly name (e.g., `my-company`) |
| OCID Tenancy | `ocid1.tenancy.oc1..xxxxx` |
| OCID User | `ocid1.user.oc1..xxxxx` |
| Fingerprint | `aa:bb:cc:dd:ee:ff:...` |
| Region | `sa-saopaulo-1`, `us-ashburn-1`, etc. |
| Compartment OCID | `ocid1.compartment.oc1..xxxxx` |
| Private Key | `.pem` file |
Click **Test** to validate the connection.
### Step 2 — GenAI Model
1. Select the **OCI Credential** created in Step 1
2. Choose a **model** from the catalog (16 models across 5 providers)
3. Adjust parameters (temperature, max_tokens, etc.)
### Step 3 — ADB Vector + RAG (Optional)
For persistent vector storage and RAG-powered chat:
1. Add DSN (from tnsnames.ora)
2. Set credentials and upload Wallet ZIP
3. Select an **Embedding Model**
4. Register vector tables
### Step 4 — MCP Servers (Optional)
Register MCP servers for extended AI task execution:
| Type | Use Case |
|------|----------|
| `stdio` | Local Python scripts |
| `SSE` | Remote HTTP servers |
| `module` | Upload `.py` files directly |
---
## OCI IAM Policies
```
Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
Allow group <group-name> to read all-resources in tenancy
Allow group <group-name> to inspect compartments in tenancy
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
Allow group <group-name> to read instance-family in compartment <compartment-name>
Allow group <group-name> to read objectstorage-namespaces in tenancy
Allow group <group-name> to read buckets in compartment <compartment-name>
```
---
## Environment Variables
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `OCIR_REGION` | Yes | — | OCI region for container registry |
| `OCIR_NAMESPACE` | Yes | — | OCIR tenancy namespace |
| `APP_SECRET` | Yes | — | 64-byte hex key for JWT/encryption (`openssl rand -hex 64`) |
| `JWT_EXPIRY_HOURS` | No | `12` | Token expiry in hours |
| `PORT` | No | `8080` | Frontend port |
| `CORS_ORIGINS` | No | — | Allowed origins (comma-separated) |
| `TZ` | No | `America/Sao_Paulo` | Timezone |
---
## Troubleshooting
**Cannot pull images from OCIR:**
Verify your `docker login` credentials and that the OCIR repositories exist in your namespace.
**Backend health check fails:**
Check logs: `docker compose logs backend`. Ensure `APP_SECRET` is set in `.env`.
**ADB connection fails (`DPY-6005`):**
Ensure the wallet ZIP contains `tnsnames.ora` and `ewallet.pem`. The DSN must match a service name in `tnsnames.ora`.
**GenAI returns 401/403:**
Verify the IAM policy `Allow group ... to use generative-ai-family in compartment ...` exists.
---
## License
MIT
---
<p align="center">
<sub>Built for Oracle Cloud Infrastructure security compliance by LAD A-Team</sub>
</p>