
Baz System

Introduction

The Baz system provides a powerful toolset to help you ascertain the current state of your IT infrastructure and measure it against a desired state. This is achieved through a series of fine-grained tests that can be run against your infrastructure. In addition, the Baz system brings a software-engineering-style, test-driven approach to system security by treating applications and hosts as programmable entities.

The basic idea of the solution is to run tests and ascertain if the aspects being tested match the desired state. In cases where the expectation doesn't match reality, tests fail. The difference between the states is recorded in a report. This exercise helps you see what's wrong today and how the environment evolves.

The primary programming language for test code in Baz is ECMAScript Version 6. Using a full-fledged, Turing-complete language to describe the desired state of a complex environment means that all of its vagaries and complexities can be captured without resorting to glue scripts and other ad-hoc measures. And because ES6 (JavaScript) is a widely used language, there is no need to learn a new language or new tools and IDEs.

With great power also comes great complexity. Any typical IT infrastructure has many entities, from servers to applications, running in different environments: on-premises, data centers, cloud, and so on. Writing code to connect to all of these entities and test their properties would quickly become overwhelming, even before considering the different ways to authenticate, the myriad APIs for talking to each system, the dark corners in their behaviors and property values, and the effects of these systems talking to each other.

The Baz system solves this complexity with two principles:

  1. Actors - An actor represents an entity in the environment as an object in the ES6 environment. It has properties and methods, and it abstracts away the details required to communicate and authenticate with that entity. Actors can be hosts, an Active Directory domain controller, or a SaaS service such as Okta.
  2. Behavior-Driven Development (BDD) - The Baz system strives to keep test code as simple as possible: in most cases a test is a single line that denotes the expected behavior of one or more systems. Wrappers written around the popular chaijs library and the Actor system make this possible.

Flow Diagram

(Figure: baz-flow diagram)

Components

The system consists of the following entities:

bazcli

The CLI framework acts as the orchestrator for the solution. It manages all aspects of secure communication between the entities of the solution. It also runs the tests (assertions) and generates a report for further analysis and record-keeping.

Plugins

Plugins are the interface to the applications and hosts in your environment for gathering data. They abstract away the complexity and nuances of communicating with these entities: they hold the know-how for authenticating and communicating with them, and they share the requested information through simple yet secure RPC APIs.

Actors

Actors represent an entity in the environment as an object in the ES6 environment. They enable assertions to authenticate and gather data from end applications through the plugin API.

Tests

Tests are the fundamental building block of the solution. They allow you to test a nuanced aspect of your environment in a defined context. For example:

  1. Verify that network access to the Active Directory Domain Controller is limited to a defined list of accounts.
  2. Verify that the ThreatInsight configuration in the Okta Identity System is set to blocked.
  3. Verify that accounts dormant in Okta are disabled in Active Directory.

The policy input varies for each test and entity, but in general, tests compare the actual state against the desired state and report any deviations.

Collections

Collections are groupings of tests that you can run in your environment. Each collection covers one aspect of your infrastructure. For example, the Active Directory collection allows you to test Active Directory group policies.

Report

Reports are a mechanism for you to analyze and record the state of the environment being tested. The reports are generated in CSV format with fields that help you understand the context and the result of tests.