Execution Control > Execution
Updated Jan 26, 2026

Block Legacy Unix Shells and Interpreters

Block csh, tcsh, and ksh execution to reduce attack surface, forcing attackers off rarely-monitored legacy shells onto auditable bash and zsh.

Idea

macOS is built on Unix foundations that are over 20 years old. It still includes many legacy shells and interpreters from its Unix roots that are rarely used in modern environments but can be abused by attackers.

Legacy shells and interpreters that can be safely blocked in most environments:

  • csh (C Shell) - Ancient shell from BSD Unix
  • tcsh (Enhanced C Shell) - Slightly improved version of csh
  • ksh (Korn Shell) - Legacy AT&T Unix shell
  • zsh (Z Shell) - Powerful but often unused in corporate environments if standardized on bash
  • Legacy scripting interpreters (old Perl, Python 2.7, etc.)

Modern macOS environments typically standardize on bash or zsh as the default shell. The legacy shells provide additional attack surface without providing value, especially in managed corporate environments.

Attackers may use these legacy shells because:

  • They're less monitored than standard shells
  • They may bypass shell-specific security policies
  • They provide alternative paths for command execution
  • Security teams may not think to audit them

By blocking these legacy interpreters, you reduce the attack surface and force attackers to use more visible, heavily monitored tools.

Solutions

  • Block csh (Execution rule): Block csh execution. Configured fields: Signing ID, Policy, Custom Message
  • Block tcsh (Execution rule): Block tcsh execution. Configured fields: Signing ID, Policy, Custom Message
  • Block Korn Shell (Execution rule): Block ksh execution. Configured fields: Signing ID, Policy, Custom Message
  • Block All Legacy Shells (Comprehensive) (Execution rule): Block multiple legacy shells by path. Configured fields: Paths, Policy, Custom Message

Mitre Attack

Tags

shells, legacy-software, attack-surface-reduction, defense-evasion

Deployment Notes

Before deploying these rules, audit your environment to ensure no legitimate use of these shells:

  1. Search for scripts with shebangs pointing to legacy shells (prints the path of each matching file, and also catches the `#!/usr/bin/env csh` form):

    find / -type f -exec sh -c 'head -n 1 "$1" 2>/dev/null | grep -qE "^#!/(usr/)?bin/(env[[:space:]]+)?(csh|tcsh|ksh)([[:space:]]|$)" && echo "$1"' _ {} \; 2>/dev/null
    
  2. Check user default shells:

    dscl . -list /Users UserShell | grep -E '(csh|tcsh|ksh)'
    
  3. Review automation scripts and cron jobs
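The two audit checks above (shebang scan and login-shell review) as a small Python helper. This is an added example, not part of the rule page or of Workshop/Santa; `find_legacy_shebangs` walks a directory tree and reads only the first line of each file, so binaries and plain text are skipped cheaply, and `users_with_legacy_shells` parses the "name  shell" lines that `dscl . -list /Users UserShell` prints. The `SAMPLE_DSCL` text and the function names are constructed for the example.

```python
"""Audit helpers for the deployment checks: scripts whose shebang names a legacy
shell, and users whose login shell is one. Added example, not the rule page's code."""
import os
import re

# Shebang forms covered: "#!/bin/csh", "#!/usr/bin/tcsh -f", "#!/usr/bin/env ksh".
LEGACY_SHELLS = ("csh", "tcsh", "ksh")
SHEBANG_RE = re.compile(
    r"^#!\s*/(?:usr/)?bin/(?:env\s+)?(" + "|".join(LEGACY_SHELLS) + r")(?:\s|$)"
)


def shebang_shell(path):
    """Return the legacy shell named in the file's shebang line, or None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256)
    except OSError:                      # unreadable file (permissions, device node)
        return None
    if not first.startswith(b"#!"):      # binaries and ordinary text end here
        return None
    m = SHEBANG_RE.match(first.decode("utf-8", "replace").rstrip("\r\n"))
    return m.group(1) if m else None


def find_legacy_shebangs(root):
    """Walk `root` and return sorted (path, shell) pairs for legacy-shell scripts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):        # skip symlinks: loops and duplicate reports
                continue
            shell = shebang_shell(p)
            if shell:
                hits.append((p, shell))
    return sorted(hits)


def users_with_legacy_shells(dscl_output):
    """Parse `dscl . -list /Users UserShell` output ("name  shell" per line) and
    return {user: shell} for accounts whose login shell is a legacy shell."""
    result = {}
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        user, shell = parts
        if os.path.basename(shell) in LEGACY_SHELLS:
            result[user] = shell
    return result


# Constructed sample of dscl output; these are not real accounts.
SAMPLE_DSCL = """\
_www          /usr/bin/false
alice         /bin/zsh
bob           /bin/tcsh
carol         /bin/bash
legacy-svc    /usr/local/bin/ksh
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    for path, shell in find_legacy_shebangs(root):
        print(f"{shell}\t{path}")
    for user, shell in users_with_legacy_shells(SAMPLE_DSCL).items():
        print(f"user {user} has legacy login shell {shell}")
```

Run it against `/usr/local`, `/opt` and home directories first; a full-disk walk is slow and mostly reports nothing. Pipe real `dscl` output into `users_with_legacy_shells` instead of the constructed sample when you run it for an actual audit.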

If you find legitimate usage:

  • Migrate scripts to bash or zsh
  • Change user default shells to bash/zsh
  • Add exceptions for specific users/machines using Workshop tags

Best practice: Deploy in audit mode first to identify any unexpected usage before blocking.

False Positive Guidance

Most modern macOS environments don't use these legacy shells. However, you may encounter:

  • Old scripts with csh/tcsh shebangs (rare but possible)
  • Unix "gray beards" who prefer csh for interactive use
  • Legacy automation that hasn't been updated
  • Third-party software that calls legacy shells

Mitigation strategies:

  • Provide clear error messages directing users to IT support
  • Offer assistance migrating scripts to bash/zsh
  • Use Workshop tags to exempt specific power users who demonstrate need
  • Create approval workflows for legitimate use cases

Testing Instructions

  1. Try to run legacy shells:

    • csh (should be blocked)
    • tcsh (should be blocked)
    • ksh (should be blocked)
  2. Verify modern shells work:

    • bash (should work)
    • zsh (should work)
    • sh (should work - this is typically a symlink to bash)
  3. Test script execution:

    • Create test script with #!/bin/csh shebang (should be blocked)
    • Same script with #!/bin/bash (should work)
  4. Check error messages are helpful and direct users to IT

Detection Methods

Monitor Santa execution events for blocked attempts to run legacy shells. This is a high-signal alert since legitimate use is rare.

Investigation steps:

  • Identify who attempted to use the legacy shell
  • Determine if it was interactive use or script execution
  • Check parent process (was it called from another script?)
  • Review if this is legitimate work or potential malicious activity

Pattern to watch for: Repeated attempts to use multiple different legacy shells may indicate an attacker probing for available execution paths.
