11 KiB
A-Team Security — Infrastructure & Security Agent Engineer
Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform
Overview
A-Team Security Agent is a self-hosted web application that automates CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0 compliance checks, powered by OCI Generative AI for intelligent analysis and an MCP (Model Context Protocol) server architecture for extensible task execution.
The platform combines security compliance scanning, AI-powered chat with RAG (Retrieval-Augmented Generation), infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a React 19 SPA (TypeScript, Vite), Oracle Dark Premium theme (light/dark modes), KPI dashboard with compliance gauge, i18n (pt/en/es), and Recharts visualizations.
Distributed as pre-built Docker containers via Oracle Container Registry (OCIR) — no source code required.
Features
AI Chat Agent with RAG + MCP Tool Use
- OCI Generative AI integration via official SDK
- RAG (Retrieval-Augmented Generation): queries ADB vector store for relevant context before generating responses
- MCP Tool Use (Function Calling): GenAI models call tools from registered MCP servers during chat
- Chat Memory Compaction: automatic summarization when conversation exceeds token limit
- Multimodal Chat: upload images, PDFs, and text files for AI analysis
- 16 chat models + 3 embedding models across 5 providers: Meta (Llama 4), Google (Gemini 2.5), OpenAI (GPT-5.2/5.1/4.1/4o, o3/o4-mini), xAI (Grok 4/3)
Terraform Agent (IaC)
- AI-powered Terraform code generation for OCI infrastructure provisioning
- Workspace management: create, plan, apply, destroy Terraform workspaces
- 14-point validation checklist: cross-references, CIDRs, security lists, HCL syntax
- Resource type validation: ~937 OCI resource types with close-match suggestions
- Prompt Generator: dedicated sub-menu for AI-powered prompt generation
OCI Account Explorer
- 36 resource types across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM)
- KPI stats bar: real-time resource counts per category
- Start/Stop Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
- Tree-view navigation with resizable compartment panel
- Multi-region support with checkbox selection
OCI CLI Terminal
- Linux-style web terminal for OCI CLI interaction
- Tab autocomplete, OCID auto-lookup (60+ resource types), find by name/IP
- Per-user command history, state persists across navigation
OCI Services
- Service Status: auto-detect 6 security services per tenancy via OCI API
- OCI Health: real-time Oracle service health from 49 regions
CIS Compliance Reports
- Oracle's official CIS engine (48 CIS + 11 OBP checks)
- Multiple formats: HTML, CSV, JSON, XLSX
- Professional Compliance Report: Oracle-format PDF/DOCX with RAG-powered remediation
- Real-time progress tracking with phase-based progress bar
Built-in CIS MCP Server
- 12 granular tools for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets)
- Parallelized data collection with session caching
Embeddings & Knowledge Base
- CIS PDF Chunker: segments by recommendation, 7000-char chunks with overlap
- Auto-detect embedding dimension and model selection
- Knowledge Base: upload documents or import URLs
- Consult Embeddings: chat-like interface for vector Q&A
Security
- JWT + TOTP MFA (Google Authenticator / Authy compatible)
- Oracle IAM OIDC: SSO via Oracle Identity Domains with JIT provisioning
- RBAC with 3 roles: Admin, User, Viewer
- Fernet encryption (AES) for credentials and sensitive settings
- User isolation: ownership checks, private reports, per-user embeddings
- Force password change on first login
- Rate limiting, audit logging, non-root container execution
Theme & UI
- Light/Dark mode with Oracle Dark Premium design
- KPI Dashboard: compliance gauge, pass/fail cards, donut chart, bar chart
- i18n: Portuguese, English, Spanish (850+ keys)
- 20 pages, code splitting, Zustand state persistence
Quick Start
Prerequisites
- Docker and Docker Compose v2
- Access to the OCI Container Registry (OCIR)
1. Configure
cp .env.example .env
Edit .env:
OCIR_REGION=us-ashburn-1
OCIR_NAMESPACE=your_namespace
APP_SECRET=<generate with: openssl rand -hex 64>
2. Login to OCIR
docker login ${OCIR_REGION}.ocir.io
- Username:
<namespace>/<username>or<namespace>/oracleidentitycloudservice/<email> - Password: Auth Token (generate in OCI Console > Profile > Auth Tokens)
3. Run
docker compose up -d
4. Access
Open http://localhost:8080
The initial admin password is generated automatically and displayed in the backend logs:
docker compose logs backend | grep "password"
You will be prompted to change the password on first login.
Deploy on OCI (Terraform)
For production deployment on Oracle Cloud Infrastructure with Load Balancer, WAF, and SSL.
Architecture
+--------------------------------------------------------------+
| Oracle Cloud |
| |
| +-----------------+ +--------------------------------+ |
| | | | | |
| | WAF Policy | | Private Subnet | |
| | (OWASP rules) | | | |
| +-----------------+ | +---------------------------+ | |
| | | | Compute Instance | | |
| +-----------------+ | | (ARM, Free Tier eligible) | | |
| | | | | | | |
| | Load Balancer |---->| | Backend (FastAPI :8000) | | |
| | (HTTPS / 443) | | | Frontend (nginx :80) | | |
| | Public Subnet | | | Block Volume (/data) | | |
| | | | +---------------------------+ | |
| +-----------------+ +--------------------------------+ |
| |
+--------------------------------------------------------------+
Setup
cd terraform
cp terraform.tfvars.example terraform.tfvars
Edit terraform.tfvars with your OCI credentials and configuration.
Deploy
terraform init
terraform plan
terraform apply
Resources Created
| Resource | Description |
|---|---|
| VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists |
| Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) |
| Block Volume | 50GB persistent storage for application data |
| Load Balancer | Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt) |
| WAF | OWASP protection — XSS, SQL injection, path traversal + rate limiting |
| OCIR | 2 private container repositories (backend + frontend) |
| DNS | OCI DNS Zone + A record (conditional — when domain is configured) |
Outputs
After terraform apply:
terraform output load_balancer_ip # Public IP address
terraform output app_url # Application URL
terraform output ocir_backend_url # Backend image URL
terraform output ocir_frontend_url # Frontend image URL
Configuration Guide
Step 1 — OCI Credentials
Navigate to OCI Credentials tab and add:
| Field | Description |
|---|---|
| Tenancy Name | Friendly name (e.g., my-company) |
| OCID Tenancy | ocid1.tenancy.oc1..xxxxx |
| OCID User | ocid1.user.oc1..xxxxx |
| Fingerprint | aa:bb:cc:dd:ee:ff:... |
| Region | sa-saopaulo-1, us-ashburn-1, etc. |
| Compartment OCID | ocid1.compartment.oc1..xxxxx |
| Private Key | .pem file |
Click Test to validate the connection.
Step 2 — GenAI Model
- Select the OCI Credential created in Step 1
- Choose a model from the catalog (16 models across 5 providers)
- Adjust parameters (temperature, max_tokens, etc.)
Step 3 — ADB Vector + RAG (Optional)
For persistent vector storage and RAG-powered chat:
- Add DSN (from tnsnames.ora)
- Set credentials and upload Wallet ZIP
- Select an Embedding Model
- Register vector tables
Step 4 — MCP Servers (Optional)
Register MCP servers for extended AI task execution:
| Type | Use Case |
|---|---|
stdio |
Local Python scripts |
SSE |
Remote HTTP servers |
module |
Upload .py files directly |
OCI IAM Policies
Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
Allow group <group-name> to read all-resources in tenancy
Allow group <group-name> to inspect compartments in tenancy
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
Allow group <group-name> to read instance-family in compartment <compartment-name>
Allow group <group-name> to read objectstorage-namespaces in tenancy
Allow group <group-name> to read buckets in compartment <compartment-name>
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
OCIR_REGION |
Yes | — | OCI region for container registry |
OCIR_NAMESPACE |
Yes | — | OCIR tenancy namespace |
APP_SECRET |
Yes | — | 64-byte hex key for JWT/encryption (openssl rand -hex 64) |
JWT_EXPIRY_HOURS |
No | 12 |
Token expiry in hours |
PORT |
No | 8080 |
Frontend port |
CORS_ORIGINS |
No | — | Allowed origins (comma-separated) |
TZ |
No | America/Sao_Paulo |
Timezone |
Troubleshooting
Cannot pull images from OCIR:
Verify your docker login credentials and that the OCIR repositories exist in your namespace.
Backend health check fails:
Check logs: docker compose logs backend. Ensure APP_SECRET is set in .env.
ADB connection fails (DPY-6005):
Ensure the wallet ZIP contains tnsnames.ora and ewallet.pem. The DSN must match a service name in tnsnames.ora.
GenAI returns 401/403:
Verify the IAM policy Allow group ... to use generative-ai-family in compartment ... exists.
License
MIT
Built for Oracle Cloud Infrastructure security compliance by LAD A-Team