From oci-administrator
Manages OCI security and compliance operations: Cloud Guard targets and findings, Vault/KMS secrets (read, rotate, base64-decode), WAF policies with attack rules, Security Zones, Audit queries, compliance scanning, IAM policy review, and secrets redaction.
Triggered by the user or by Claude. Slash command: /oci-administrator:oci-security-compliance

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Administrator workflows for OCI security posture and compliance. All CLI goes
through oci_cli; mutations through run_mutating / confirm; read before
write; idempotent by display name (treat 409 as exists).
Deep reference: ../../references/security-compliance.md
Safety contract: ../../references/tenancy-safety.md
Preflight (run first):

```bash
./scripts/oci_preflight.sh -c <COMPARTMENT_OCID>              # prove the tenancy + compartment
python3 scripts/kb_lookup.py "your symptom words" security    # check known fixes
```

If the resolved tenancy/compartment name is not the one you expect, stop.

| You want to… | Go to |
|---|---|
| Triage findings | Cloud Guard → problem list |
| Read / rotate a secret | Vault/KMS section (base64 decode!) |
| Block web attacks | WAF (ensure BLOCK, attach to LB) |
| Preventive guardrails | Security Zones recipe |
| "Who changed what" | Audit event list over a window |
| Score against a framework | Compliance scanner → normalize Findings |
| Tighten over-broad grants | scripts/iam_audit.py |
| Stop secrets reaching git | scripts/redact.py --check |

| Task | Sequence |
|---|---|
| Triage & fix a finding | cloud-guard problem list (ACTIVE, subtree) → identify the resource + compartment → remediate in the owning domain → re-list to confirm the problem clears |
| Block web attacks | web-app-firewall-policy get (confirm action is BLOCK, not OBSERVE — KB-004) → web-app-firewall create attaching the policy to the LB → replay a test request → expect 403 |
| Score against a framework | run the compliance scan (env carries auth) → redact.py the findings → prioritize CRITICAL/HIGH → remediate → re-scan |
| Rotate a leaked secret | secret-bundle get to confirm current value (KB-005, base64) → secret update-base64 (new version, never in place) → update consumers → redact.py --check before commit |
Read a Vault secret (KB-005: the bundle content is base64, decode it):

```bash
oci_cli secrets secret-bundle get --secret-id <SECRET_OCID> \
  --query 'data."secret-bundle-content".content' --raw-output | base64 --decode
```

Rotate a secret (adds a new version; never edit a version in place; read the current value first, KB-005):

```bash
# GNU coreutils base64 wraps at 76 characters, which would put newlines inside the
# CLI argument for long values, hence -w0 (plain base64 on macOS does not wrap)
run_mutating "rotate secret" \
  oci_cli vault secret update-base64 --secret-id <SECRET_OCID> \
  --secret-content-content "$(printf %s "$NEW_VALUE" | base64 -w0)"
```

WAF with BLOCK rules (KB-004: an OBSERVE-only policy logs and never blocks):

```bash
# reuse an existing policy by display name if present (idempotent by display name)
oci_cli waf web-app-firewall-policy list --compartment-id <COMPARTMENT_OCID> \
  --display-name edge-waf --query 'data.items[0].id' --raw-output

# attach the policy to the load balancer; fetch the exact command shape first with
#   python3 scripts/oci_cli_help.py waf web-app-firewall
run_mutating "attach WAF to LB" \
  oci_cli waf web-app-firewall create-web-app-firewall-load-balancer \
  --compartment-id <COMPARTMENT_OCID> \
  --web-app-firewall-policy-id <POLICY_OCID> --load-balancer-id <LB_OCID>

# verify the policy's actions block rather than only log; in the policy JSON a
# log-only action has type CHECK, a blocking one is RETURN_HTTP_RESPONSE with a 4xx code
oci_cli waf web-app-firewall-policy get --web-app-firewall-policy-id <POLICY_OCID> \
  --query 'data.actions[].type'
# the decisive check: replay a known-bad test request through the LB and expect HTTP 403
```

Cloud Guard open problems (ACTIVE, whole compartment subtree):

```bash
oci_cli cloud-guard problem list --compartment-id <COMPARTMENT_OCID> \
  --compartment-id-in-subtree true --lifecycle-state ACTIVE --all

# for triage, pull out the fields that identify the resource and its owning compartment
oci_cli cloud-guard problem list --compartment-id <COMPARTMENT_OCID> \
  --compartment-id-in-subtree true --lifecycle-state ACTIVE --all \
  --query 'data.items[].{id:id, risk:"risk-level", resource:"resource-name", compartment:"compartment-id"}'
```

Run a CIS scan (the environment carries auth; normalize and redact the output):

```bash
OCI_AUTH_MODE="$(resolve_auth_mode)" OCI_REGION="$OCI_REGION" \
OCI_TENANCY_OCID="$TENANCY_OCID" OCI_CONFIG_PROFILE="$OCI_CLI_PROFILE" \
  <scanner-cli> scan --framework cis-1.2 --output json \
  | python3 scripts/redact.py > findings.json
```

Redact before commit (pre-commit gate):

```bash
python3 scripts/redact.py --check <file>   # exit 1 if an OCID/IP/fingerprint/key/secret is found
```
Safety notes:

- OCI_SKILLS_DRY_RUN=true prints mutations instead of running them; confirm guards destructive ops.
- Pipe CLI output through scripts/redact.py before it is stored or shared.
- Flag grants of manage all-resources (scripts/iam_audit.py).
- Test Security Zone recipes in non-prod first.
- When you find a new fix, add a KB-<n> entry to references/KB.md.
- Do not guess oci flags. Fetch the exact command shape first: python3 scripts/oci_cli_help.py <service> <op>

Finding report format (example):

```text
Finding: WAF policy 'edge-waf' attached to LB but action is OBSERVE.
Evidence: waf ...policy get → data.actions[].type == "OBSERVE" (redacted).
Action: Set protection action to BLOCK; confirm LB references this policy.
Verification: Re-run policy get → action "BLOCK"; replay test request → 403.
KB: KB-004 (WAF policy not blocking after attach).
```
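What the over-broad grant check behind "Tighten over-broad grants" and the manage all-resources note amounts to, as an added example that is not the plugin's scripts/iam_audit.py: a parser for the common Allow statement form, a severity rule set, and a ranked result list. The grammar subset, the severity rules and the sample statements are this example's own assumptions.

```python
"""Over-broad IAM grant check (example code, not the plugin's
scripts/iam_audit.py). Grammar subset, severity rules and sample statements
are constructed for this illustration."""
import re
from typing import Dict, List, Optional

# Subset of the OCI policy grammar handled here:
#   Allow <subject> to <verb> <resource-type> in <tenancy|compartment X> [where <conditions>]
STATEMENT = re.compile(
    r"""^\s*allow\s+
        (?P<subject>any-user|any-group|(?:group|dynamic-group|service)\s+\S+)\s+
        to\s+(?P<verb>inspect|read|use|manage)\s+
        (?P<resource>\S+)\s+
        in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)
        (?:\s+where\s+(?P<cond>.+?))?\s*$""",
    re.I | re.X,
)

RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "OK": 3, "UNPARSED": 4}


def parse(statement: str) -> Optional[Dict[str, str]]:
    """Lower-cased fields of an Allow statement, or None if the form is not handled."""
    m = STATEMENT.match(statement)
    if m is None:
        return None
    return {k: (v or "").lower() for k, v in m.groupdict().items()}


def assess(statement: str) -> Dict[str, str]:
    """Severity rules (this example's own): breadth of subject, verb, resource
    and scope, and whether a where clause narrows the grant."""
    p = parse(statement)
    if p is None:
        return {"statement": statement, "severity": "UNPARSED",
                "reason": "form not handled by this parser; review by hand"}
    tenancy_wide = p["scope"] == "tenancy"
    all_resources = p["resource"] == "all-resources"
    anyone = p["subject"] in ("any-user", "any-group")
    writes = p["verb"] in ("use", "manage")
    unconditional = p["cond"] == ""
    if p["verb"] == "manage" and all_resources and tenancy_wide:
        sev, why = "HIGH", "manage all-resources in tenancy: full administrator rights"
    elif anyone and writes and unconditional:
        sev, why = "HIGH", "any-user/any-group can write with no where clause"
    elif anyone and writes:
        sev, why = "MEDIUM", "any-user/any-group write grant; verify the where clause pins the principal"
    elif p["verb"] == "manage" and (all_resources or tenancy_wide) and unconditional:
        sev, why = "MEDIUM", "unconditional manage over all-resources or the whole tenancy"
    elif all_resources and tenancy_wide:
        sev, why = "LOW", "tenancy-wide read: confirm this is an audit role"
    else:
        sev, why = "OK", "scoped grant"
    return {"statement": statement, "severity": sev, "reason": why}


def audit(statements: List[str]) -> List[Dict[str, str]]:
    """Assess every statement and return them worst-first (HIGH before MEDIUM ...)."""
    return sorted((assess(s) for s in statements), key=lambda r: RANK[r["severity"]])


def summary(results: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


# Constructed sample policy statements; names and OCIDs are not real.
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevOps to manage all-resources in compartment dev",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow any-user to use secret-family in compartment prod",
    "Allow group NetAdmins to manage virtual-network-family in tenancy",
    "Allow dynamic-group AppHosts to read secret-family in compartment prod "
    "where target.vault.id = 'ocid1.vault.oc1..example'",
    "Allow any-user to use log-content in compartment prod where request.principal.type = 'fnfunc'",
    "Define tenancy Acme as ocid1.tenancy.oc1..example",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_STATEMENTS):
        print(f"{r['severity']:<8} {r['reason']}\n         {r['statement']}")
    print(summary(audit(SAMPLE_STATEMENTS)))
```

Statements the parser does not recognise (Define, Endorse, Admit, quoted group names) are surfaced as UNPARSED rather than silently passed, so nothing drops out of the review; feed it the statements of each policy returned by the IAM policy list and work the HIGH entries first.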
Services covered: Cloud Guard · Vault / KMS · WAF. Full list in the security-compliance reference.
Open Knowledge Format grounding — every doc link here is registered and liveness-checked in the oracle-docs.md index (the pack's single source of truth). When extending this skill to build an OCI customer solution, cite the most specific official page through that index so every claim stays verifiable; the non-official MCP gateway is never a source of truth.
Install: npx claudepluginhub adibirzu/oci-skills --plugin oci-administrator