bazc | Automate Security Misconfiguration Detection

Test your infrastructure with Baz system

Test security configuration, IAM policies, and compliance.
Focus on writing test logic, and leave the rest to us.

Why not ad-hoc scripts?

Security Risks

Developing quick scripts generally leads to hardcoded secrets, insecure communication, and information leakage, putting sensitive information at risk.

Difficult Integrations

Integrating them with other applications and tools requires a considerable learning curve. Each new integration feels like starting from zero.

Maintainability

Quick-fix programs are hard to maintain in a changing environment, and limited documentation makes them less useful over time.

Script tests quickly in JavaScript

Example - Test "Access this computer from the network" configuration for a Windows server.

1. Configure
2. Write
3. Execute
4. Review

Define Windows server configuration in win.toml file.

[win.params]
domain = 'corp.bazc.com'
username = 'corp\freddy'
password = 'secret://secret.windows.password'
ca_certs = 'file:///home/freddy/shared/CA.pem'

Write your test case in gpo.js.

function setup() {
}

/**
* @description Access this computer from the network
* @severity Normal
* @group UserRightsAssignment
*/
function testSeNetworkLogonRight() {
  const allowedUsersList = [
    'CORP\freddy',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
  ]

  let serverRSoP = win.GetServerRSoP('Srv2.corp.bazc.com');
  verify(allowedUserList,
  "SeNetworkLogonRight not in accordance with policy").
  to.have.deep.include.members(serverRSoP.RSoP.UserRightsAssignment.SeNetworkLogonRight);
}

function tear_down() {
}

Execute on the CLI - Ubuntu, RHEL or WSL2

bazcli test --actors win.toml --output=report.csv gpo.js --loglevel=2

CLI Output

Setting up Assertions..

Running Assertions..
1. testSeNetworkLogonRight:
2023-04-01T16:22:01+05:30 WRN ../../../../../../../../usr/local/go/src/reflect/value.go:584 > AssertionError:
SeNetworkLogonRight not in accordance with policy: expected [ 'CORP\freddy', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS' ]
to be a superset of [ 'CORP\freddy', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Remote Management Users' ]
Status: Failed
Tear Down..

Tests complete.

Overall results:
100.00% (1) failed, 0.00% (0) skipped, 0.00% (0) passed.

Detailed CSV report generated at: /home/freddy/test/report.csv

Review the report in report.csv.

run_id	report_name	time	test_name	pass	error_message	group	description	severity
2741689365	baz-test-2023_04_01_16_21	2023-04-01T16:22:01+05:30	testSeNetworkLogonRight	false	SeNetworkLogonRight not in accordance with policy : expected [ 'CORP\freddy', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS' ] to be a superset of [ 'CORP\freddy', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Remote Management Users' ]	UserRightsAssignment	Access this computer from the network	Normal

We could easily externalize the policy and the server list. In fact, the Active Directory test collection does this and a lot more, using CIS Windows Server 2022 benchmark as a reference policy. Try it out yourself.

Why Baz system?

Get done...Fast

Simple APIs to get data without worrying about protocols.

See API behaviour by running them in Baz shell.

Easy-to-read APIs from BDD/TDD assertions library.

Pull ready-to-use test cases from the community.

Easy path...Secure

Makes secure the easy path with simple configurations.

Secure mechanism to pass secrets, so no more hardcoded surprises.

Data segregation between entities of the service.

Increase coverage...Evolve

Start from where you are, and fix what you can with initial tests.

Easily add & extend test cases as the system evolves.

Learn & collaborate with others through test cases.

Right tool...for the right audience

Present findings visually with a detailed CSV report.

Easily maintain configurations in TOML files.

Easy-to-read, print, and debug test cases with inbuilt capabilities.

Meet Freddy, the security engineer in 91 seconds.