Appearance
Policy Integrity and Authorization Tests (HARD-POLICY)
Validate that policy integrity and authorization controls cannot be subverted.
Objectives
- Detect tampering and rollback attempts; verify fail-closed/offline posture.
- Enforce identity requirements to prevent path spoofing.
Canonical Tests
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| HARD-POLICY-01 | Rename Attack | 1. Policy: Allow an app via targetPath only.2. Adversary renames a different binary to match the allowed filename. 3. Attempt launch. | Pass: Launch denied when identity requirements (for example, publisherCertificate or fileHash) are required and do not match.Audit: category: "authz", action: "deny", reason (identity failed), rule.id, integrity.hash. |
| HARD-POLICY-02 | Version Rollback | 1. Replace policy.json with an older valid/signed version.2. Reload/Restart Launcher. | Pass: Rollback detected; Launcher alerts/fails or requires approval path per posture; deployment version monotonicity enforced. Audit: category: "policy" (or authz), event indicates rollback/version drop, integrity.hash. |
| HARD-POLICY-03 | Offline Launch (Fail-Closed) | 1. Disconnect network/CRL path. 2. Launch app requiring revocation validation with revocationFallback: "fail-closed". | Pass: Launch denied when online checks unavailable. Audit: category: "authz", action: "deny", reason indicates revocation offline, rule.id, integrity.hash. |
| HARD-POLICY-04 | ABAC Context Deny | 1. Configure attribute constraint (for example, allowedGeos: ["US"]).2. Change context to violate attribute (for example, VPN to non‑US). 3. Launch. | Pass: Launch denied due to attribute mismatch. Audit: category: "authz", action: "deny", reason indicates attribute failure, rule.id, integrity.hash. |
| HARD-POLICY-05 | User Policy Cannot Override System Deny | 1. System policy denies App X. 2. User policy attempts to allow App X. 3. Launch. | Pass: Launch denied; system policy authoritative over user scope. Audit: category: "authz", action: "deny", rule.id, integrity.hash. |
| HARD-POLICY-06 | Invalid Policy JSON (Fail-Closed + LKG) | 1. Corrupt policy.json (syntax/signature).2. Reload/Restart. | |
| Pass: Invalid policy not loaded; deny posture maintained. If LKG exists, Launcher reverts to last known good. | |||
Audit: Event like Policy.Load.Failed, category: "policy", with integrity fields. | |||
| HARD-POLICY-07 | Reload Semantics (Retry) | 1. With invalid policy present, click Retry/Reload. 2. Replace with valid policy and Retry again. | Pass: While invalid, Launcher remains fail‑closed; upon valid policy, behavior resumes per policy. Audit: Load failure then success events; integrity.hash chain present. |
| HARD-POLICY-08 | Visibility Enforcement | 1. Configure visible allow apps and hidden/unauthorized apps.2. Open Applications and attempt launches. | Pass: Only allow+visible apps list and launch. Hidden apps do not list; unauthorized apps cannot launch.Audit: Denied launches produce authz action: "deny" with rule.id; listing omissions produce no launch events. |
| HARD-POLICY-09 | matchAny OR Semantics | 1. Configure matchAny with multiple matcher sets for an app.2. Attempt launch with each set satisfied vs none. | Pass: Launch allowed when any matcher set matches; denied when none match. Audit: authz allow/deny with rule.id, integrity.hash. |
| HARD-POLICY-10 | Priority & Tie‑Break | 1. Configure multiple allow policies that match the same executable with different priority (and same to test tiebreak by id). | Pass: Highest priority policy wins; ties break by policy id (alphabetical).Audit: authz events reflect winning rule.id/priority. |
| HARD-POLICY-11 | Runtime Isolation Flag Tamper | 1. Attempt to relax isolation via runtime/CLI flags (for example, disable network or data motion controls) outside of authorized policy channels. 2. Launch or reload policy. | Pass: Overrides are ignored or rejected; fail‑closed posture maintained; only policy‑authorized settings take effect. Audit: `category: "policy" |
| HARD-POLICY-CFG-01 | Template Required Vars | 1. Add a configuration template with required: true env vars.2. Attempt to create a user configuration omitting a required var. | Pass: Validation error; configuration cannot be saved/applied. Audit: Validation failure recorded where applicable; rule.id for validation policy, integrity.hash. |
| HARD-POLICY-CFG-02 | Template validationPattern | 1. Define validationPattern for an env var.2. Provide a non‑matching value. | Pass: Value rejected; configuration not applied. Audit: Validation failure; integrity chain present. |
| HARD-POLICY-CFG-03 | Unknown Keys Rejected | 1. Attempt to add keys not defined by the template. 2. Save/apply. | Pass: Unknown keys rejected (recommended posture). Audit: Validation failure where applicable. |
Evidence Requirements
- Audit category:
authz/policywith action/outcome and reason fields.
Troubleshooting
- Ensure policy signing configuration (thumbprints) is present when testing tamper/rollback.
- Validate that allow/deny precedence is understood for mixed system vs user policies.
Known Limitations & Negative Space
- Offline posture tests depend on enterprise PKI/CRL availability; simulate outages carefully to avoid false positives.
- ABAC examples are illustrative; tailor attributes and sources to specific identity provider mappings.
