Skip to content

Policy Integrity and Authorization Tests (HARD-POLICY)

Validate that policy integrity and authorization controls cannot be subverted.

Objectives

  • Detect tampering and rollback attempts; verify fail-closed/offline posture.
  • Enforce identity requirements to prevent path spoofing.

Canonical Tests

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
HARD-POLICY-01Rename Attack1. Policy: Allow an app via targetPath only.
2. Adversary renames a different binary to match the allowed filename.
3. Attempt launch.
Pass: Launch denied when identity requirements (for example, publisherCertificate or fileHash) are required and do not match.
Audit: category: "authz", action: "deny", reason (identity failed), rule.id, integrity.hash.
HARD-POLICY-02Version Rollback1. Replace policy.json with an older valid/signed version.
2. Reload/Restart Launcher.
Pass: Rollback detected; Launcher alerts/fails or requires approval path per posture; deployment version monotonicity enforced.
Audit: category: "policy" (or authz), event indicates rollback/version drop, integrity.hash.
HARD-POLICY-03Offline Launch (Fail-Closed)1. Disconnect network/CRL path.
2. Launch app requiring revocation validation with revocationFallback: "fail-closed".
Pass: Launch denied when online checks unavailable.
Audit: category: "authz", action: "deny", reason indicates revocation offline, rule.id, integrity.hash.
HARD-POLICY-04ABAC Context Deny1. Configure attribute constraint (for example, allowedGeos: ["US"]).
2. Change context to violate attribute (for example, VPN to non‑US).
3. Launch.
Pass: Launch denied due to attribute mismatch.
Audit: category: "authz", action: "deny", reason indicates attribute failure, rule.id, integrity.hash.
HARD-POLICY-05User Policy Cannot Override System Deny1. System policy denies App X.
2. User policy attempts to allow App X.
3. Launch.
Pass: Launch denied; system policy authoritative over user scope.
Audit: category: "authz", action: "deny", rule.id, integrity.hash.
HARD-POLICY-06Invalid Policy JSON (Fail-Closed + LKG)1. Corrupt policy.json (syntax/signature).
2. Reload/Restart.
Pass: Invalid policy not loaded; deny posture maintained. If LKG exists, Launcher reverts to last known good.

Audit: Event like Policy.Load.Failed, category: "policy", with integrity fields.
HARD-POLICY-07Reload Semantics (Retry)1. With invalid policy present, click Retry/Reload.
2. Replace with valid policy and Retry again.
Pass: While invalid, Launcher remains fail‑closed; upon valid policy, behavior resumes per policy.
Audit: Load failure then success events; integrity.hash chain present.
HARD-POLICY-08Visibility Enforcement1. Configure visible allow apps and hidden/unauthorized apps.
2. Open Applications and attempt launches.
Pass: Only allow+visible apps list and launch. Hidden apps do not list; unauthorized apps cannot launch.
Audit: Denied launches produce authz action: "deny" with rule.id; listing omissions produce no launch events.
HARD-POLICY-09matchAny OR Semantics1. Configure matchAny with multiple matcher sets for an app.
2. Attempt launch with each set satisfied vs none.
Pass: Launch allowed when any matcher set matches; denied when none match.
Audit: authz allow/deny with rule.id, integrity.hash.
HARD-POLICY-10Priority & Tie‑Break1. Configure multiple allow policies that match the same executable with different priority (and same to test tiebreak by id).Pass: Highest priority policy wins; ties break by policy id (alphabetical).
Audit: authz events reflect winning rule.id/priority.
HARD-POLICY-11Runtime Isolation Flag Tamper1. Attempt to relax isolation via runtime/CLI flags (for example, disable network or data motion controls) outside of authorized policy channels.
2. Launch or reload policy.
Pass: Overrides are ignored or rejected; fail‑closed posture maintained; only policy‑authorized settings take effect.
Audit: `category: "policy"
HARD-POLICY-CFG-01Template Required Vars1. Add a configuration template with required: true env vars.
2. Attempt to create a user configuration omitting a required var.
Pass: Validation error; configuration cannot be saved/applied.
Audit: Validation failure recorded where applicable; rule.id for validation policy, integrity.hash.
HARD-POLICY-CFG-02Template validationPattern1. Define validationPattern for an env var.
2. Provide a non‑matching value.
Pass: Value rejected; configuration not applied.
Audit: Validation failure; integrity chain present.
HARD-POLICY-CFG-03Unknown Keys Rejected1. Attempt to add keys not defined by the template.
2. Save/apply.
Pass: Unknown keys rejected (recommended posture).
Audit: Validation failure where applicable.

Evidence Requirements

  • Audit category: authz/policy with action/outcome and reason fields.

Troubleshooting

  • Ensure policy signing configuration (thumbprints) is present when testing tamper/rollback.
  • Validate that allow/deny precedence is understood for mixed system vs user policies.

Known Limitations & Negative Space

  • Offline posture tests depend on enterprise PKI/CRL availability; simulate outages carefully to avoid false positives.
  • ABAC examples are illustrative; tailor attributes and sources to specific identity provider mappings.