Taxonomy
Last updated
Last updated
Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s service.
Target
A machine we connect to.
Environment
A group of targets that can be accessed simultaneously. Environments are uniquely named and each user requests explicit access to each environment via a policy attached to their account.
Connection
A terminal to a target. You can have multiple connections (i.e., terminals) to a single target in a given space.
Policy
A triplestore statement (subject, verb, object) where the subject is the user/group, the verb is the type of access allowed, and the object is the target/environment.
Session recording
A video recording of a user or group shell session from the web app or zli.
zli
BastionZero's command line interface tool, also known as the zero-trust command line interface
BastionZero web app
BastionZero's web UI for connecting to targets, monitoring logs and session recordings, authoring policies, managing users, creating environments. This can be found at cloud.bastionzero.com.
Agent
Add a new target
When we input the configuration information for a target, for instance its IP address, SSH key, alias, etc.
Added target
A target for which we have already stored the configuration information, for instance its IP address, SSH key, alias etc.
Connect to a target
Open a terminal to a target.
Find a target
When the end user wants to search through the saved targets in order to find a known target.
Reconnect to a target
When a target that is already in a space has gone offline, and we want to see if the target is back online so that we can shell into that target.
Lost connection
When a server goes offline while the terminal is open.
Autodiscovered targets
Targets with the bz-agent installed.
Provisioning ID
User/organization’s GUID in BastionZero system.
Provisioning secret
Mechanism of linking autodiscovery target to account ID.
Manual targets
Ones that are configured by hand/API.
Command history
A collection of a user's previous commands.
Connection event
An event log of some state change to the connection (see events below), includes metadata about the connection (space, target, user, time).
Connection history
A collection of a user's previous connections (i.e., what targets they attached to).
User event history
Actions taken by user (i.e., policy changes, targets added/removed, user invites).
Connection event: opened
A connection has been initiated by the backend but no frontend connection has been made yet.
Connection event: inactive
A connection has been opened by a user and left in a space with no other users reading/writing to it.
Connection event: active
A connection is being viewed by a user.
Connection event: disconnect
The backend connection has been dropped for some reason. The backend will attempt to reconnect.
Connection event: connect
The backend has connected to the target or has reconnected within the same terminal.
Connection event: closed
Final state. The connection has been terminated from the backend.
Connection table
Table of all connections made and the current state they are in (it is a function of connection events).
Allow (allowed)
When a policy check passes (i.e., Alice was allowed access to ENV via POLICY)
Deny (denied)
When a policy check fails (i.e., Alice was denied access to ENV). Policy checks by default deny until a successful policy is found.
Installed on targets to enable MrZAP and target autodiscovery. These agents are built from the . Two unique agents are built from the single open-source project, a docker container hosted on dockerhub and used for k8s targets and a systemD executable used for servers, VMs, and containers.