---
title: "Block Legacy Unix Shells and Interpreters | Security Cookbook"
description: "Block csh, tcsh, and ksh execution to reduce attack surface, forcing attackers off rarely-monitored legacy shells onto auditable bash and zsh."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/block-legacy-shells"
---

### Idea

macOS is built on Unix foundations that are over 20 years old. It still includes many legacy shells and interpreters from its Unix roots that are rarely used in modern environments but can be abused by attackers.

Legacy shells and interpreters that can be safely blocked in most environments:

-   csh (C Shell) - Ancient shell from BSD Unix
-   tcsh (Enhanced C Shell) - Slightly improved version of csh
-   ksh (Korn Shell) - Legacy AT&T Unix shell
-   zsh (Z Shell) - Powerful but often unused in corporate environments if standardized on bash
-   Legacy scripting interpreters (old Perl, Python 2.7, etc.)

Modern macOS environments typically standardize on bash or zsh as the default shell. The legacy shells provide additional attack surface without providing value, especially in managed corporate environments.

Attackers may use these legacy shells because:

-   They're less monitored than standard shells
-   They may bypass shell-specific security policies
-   They provide alternative paths for command execution
-   Security teams may not think to audit them

By blocking these legacy interpreters, you reduce the attack surface and force attackers to use more visible, heavily monitored tools.

### Solutions

#### ExecutionBlock: csh

Block csh execution.

-   Signing ID: `platform:com.apple.csh`
-   Policy: BLOCKLIST
-   Custom Message: Legacy C Shell is not permitted. Please contact IT if you need shell access.

#### ExecutionBlock: tcsh

Block tcsh execution.

-   Signing ID: `platform:com.apple.tcsh`
-   Policy: BLOCKLIST
-   Custom Message: Legacy tcsh is not permitted. Please contact IT if you need shell access.

#### ExecutionBlock: Korn Shell

Block ksh execution.

-   Signing ID: `platform:com.apple.ksh`
-   Policy: BLOCKLIST
-   Custom Message: Korn Shell is not permitted. Please use bash or zsh.

#### ExecutionBlock: All Legacy Shells (Comprehensive)

Block multiple legacy shells by path.

-   Paths: `/bin/csh`, `/bin/tcsh`, `/bin/ksh`
-   Policy: BLOCKLIST
-   Custom Message: Legacy Unix shells are not permitted. Please use bash (/bin/bash) or zsh (/bin/zsh). Contact IT for assistance.

### Mitre Attack

Tactics

-   [Execution](https://attack.mitre.org/tactics/TA0002/)
-   [Defense Impairment](https://attack.mitre.org/tactics/TA0112/)

Techniques

-   [T1059.004: Unix Shell](https://attack.mitre.org/techniques/T1059/004/)
-   [T1685: Disable or Modify Tools](https://attack.mitre.org/techniques/T1685/)

### Tags

shells, legacy-software, attack-surface-reduction, defense-evasion

### Deployment Notes

Before deploying these rules, audit your environment to ensure no legitimate use of these shells:

1.  Search for scripts with shebangs pointing to legacy shells:
    
    ```
    find / -type f -exec head -1 {} \; 2>/dev/null | grep -E '^#!/bin/(csh|tcsh|ksh)'
    ```
    
2.  Check user default shells:
    
    ```
    dscl . -list /Users UserShell | grep -E '(csh|tcsh|ksh)'
    ```
    
3.  Review automation scripts and cron jobs
    

If you find legitimate usage:

-   Migrate scripts to bash or zsh
-   Change user default shells to bash/zsh
-   Add exceptions for specific users/machines using Workshop tags

Best practice: Deploy in audit mode first to identify any unexpected usage before blocking.
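A more thorough version of audit step 1 above, added here as example code (it is not part of the cookbook or of Santa/Workshop): it classifies shebang lines the way the `grep` does, but also catches `#!/usr/bin/env tcsh` and interpreters installed under prefixes other than `/bin`, and reads only the first bytes of each file so a filesystem walk stays cheap. The sample first lines are constructed.

```python
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical audit helper (not Santa/Workshop code); the interpreters the cookbook rules block.
LEGACY_SHELLS = {"csh", "tcsh", "ksh"}

def legacy_shell_in_shebang(first_line: str) -> Optional[str]:
    """Return the legacy shell a shebang names, or None. Unlike a grep anchored on '#!/bin/',
    this also catches /usr/bin/env indirection and interpreters under other prefixes."""
    line = first_line.strip()
    if not line.startswith("#!"):
        return None
    parts = line[2:].split()              # interpreter path, then its arguments
    if not parts:
        return None
    name = os.path.basename(parts[0])
    if name == "env" and len(parts) > 1:  # "#!/usr/bin/env tcsh"
        name = os.path.basename(parts[1])
    return name if name in LEGACY_SHELLS else None

def audit_first_lines(first_lines: Dict[str, str]) -> List[Tuple[str, str]]:
    """Classify path -> first-line pairs; returns (path, shell) for every legacy hit."""
    return [(p, s) for p, l in sorted(first_lines.items())
            if (s := legacy_shell_in_shebang(l))]

def audit_tree(root: str, limit: int = 256) -> List[Tuple[str, str]]:
    """Walk `root` (no symlink following), peek at `limit` bytes per file, report legacy-shell scripts."""
    first_lines = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(limit)
            except OSError:
                continue
            if head.startswith(b"#!"):
                first_lines[path] = head.split(b"\n", 1)[0].decode("utf-8", "replace")
    return audit_first_lines(first_lines)

# Constructed sample first lines, standing in for what audit_tree would read from disk.
SAMPLE_FIRST_LINES = {
    "/usr/local/bin/rotate.sh": "#!/bin/bash",
    "/Users/alice/bin/old-build": "#!/bin/csh -f",
    "/opt/tools/report": "#!/usr/bin/env tcsh",
    "/opt/tools/backup": "#!/usr/local/bin/ksh",
    "/opt/tools/notes.txt": "csh is mentioned here, but this line is not a shebang",
}
```

Run `audit_tree("/")` on a host to get the same `(path, shell)` list for real files; hits are the scripts to migrate before the rules leave audit mode.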

### False Positive Guidance

Most modern macOS environments don't use these legacy shells. However, you may encounter:

-   Old scripts with csh/tcsh shebangs (rare but possible)
-   Unix "gray beards" who prefer csh for interactive use
-   Legacy automation that hasn't been updated
-   Third-party software that calls legacy shells

Mitigation strategies:

-   Provide clear error messages directing users to IT support
-   Offer assistance migrating scripts to bash/zsh
-   Use Workshop tags to exempt specific power users who demonstrate need
-   Create approval workflows for legitimate use cases

### Testing Instructions

1.  Try to run legacy shells:
    
    -   `csh` (should be blocked)
    -   `tcsh` (should be blocked)
    -   `ksh` (should be blocked)
2.  Verify modern shells work:
    
    -   `bash` (should work)
    -   `zsh` (should work)
    -   `sh` (should work - this is typically a symlink to bash)
3.  Test script execution:
    
    -   Create test script with `#!/bin/csh` shebang (should be blocked)
    -   Same script with `#!/bin/bash` (should work)
4.  Check error messages are helpful and direct users to IT
    

### Detection Methods

Monitor Santa execution events for blocked attempts to run legacy shells. This is a high-signal alert since legitimate use is rare.

Investigation steps:

-   Identify who attempted to use the legacy shell
-   Determine if it was interactive use or script execution
-   Check parent process (was it called from another script?)
-   Review if this is legitimate work or potential malicious activity

Pattern to watch for: Repeated attempts to use multiple different legacy shells may indicate an attacker probing for available execution paths.
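The investigation steps and the probing pattern above, as added example code that is not from the page or from Santa: it parses Santa file-log lines whose layout is assumed here to be `[timestamp] I santad: key=value|...|args=...`, keeps DENY events for the three blocked shells, separates interactive use from script execution by inspecting the arguments, records the parent pid, and flags any user denied two or more different legacy shells. The log lines are constructed.

```python
from collections import defaultdict

# Paths blocked by the cookbook's comprehensive rule; every other executable is ignored here.
LEGACY_SHELLS = {"/bin/csh", "/bin/tcsh", "/bin/ksh"}

# Hypothetical parser. Assumed line shape: "[ts] I santad: key=value|key=value|...|args=...".
def parse_santa_line(line: str) -> "dict | None":
    """Field dict for one EXEC event, else None. `args` is last and may itself contain '|'."""
    head, sep, body = line.strip().partition(" santad: ")
    if not sep or not head.startswith("[") or "]" not in head:
        return None
    fields = {"ts": head[1:head.index("]")]}
    body, _, args = body.partition("|args=")
    for part in body.split("|"):
        key, eq, value = part.partition("=")
        if eq:
            fields[key] = value
    if args:
        fields["args"] = args
    return fields if fields.get("action") == "EXEC" else None

def triage_blocked_shells(lines) -> dict:
    """Per user: denied legacy shells, interactive vs script counts, parent pids; 2+ shells => probing."""
    per_user = defaultdict(lambda: {"shells": set(), "interactive": 0, "script": 0, "ppids": set()})
    for line in lines:
        ev = parse_santa_line(line)
        if not ev or ev.get("decision") != "DENY" or ev.get("path") not in LEGACY_SHELLS:
            continue
        rec = per_user[ev.get("user", "?")]
        rec["shells"].add(ev["path"])
        rec["ppids"].add(ev.get("ppid", "?"))
        # Anything after the shell name that is not an option flag is a script being handed in.
        argv = ev.get("args", "").split()
        kind = "script" if any(not a.startswith("-") for a in argv[1:]) else "interactive"
        rec[kind] += 1
    return {
        user: {**rec, "shells": sorted(rec["shells"]), "ppids": sorted(rec["ppids"]),
               "probing": len(rec["shells"]) >= 2}
        for user, rec in per_user.items()
    }

# Constructed sample events, not real telemetry; field values are illustrative only.
SAMPLE_LOG = [
    "[2026-05-22T09:00:01Z] I santad: action=EXEC|decision=DENY|reason=SIGNINGID|pid=4101|ppid=3990|uid=501|user=alice|path=/bin/csh|args=csh /Users/alice/bin/old-build",
    "[2026-05-22T09:03:12Z] I santad: action=EXEC|decision=ALLOW|reason=SCOPE|pid=4102|ppid=3990|uid=501|user=alice|path=/bin/bash|args=bash",
    "[2026-05-22T09:10:44Z] I santad: action=EXEC|decision=DENY|reason=SIGNINGID|pid=5200|ppid=5180|uid=502|user=mallory|path=/bin/csh|args=csh",
    "[2026-05-22T09:10:46Z] I santad: action=EXEC|decision=DENY|reason=SIGNINGID|pid=5201|ppid=5180|uid=502|user=mallory|path=/bin/tcsh|args=tcsh -l",
    "[2026-05-22T09:10:49Z] I santad: action=EXEC|decision=DENY|reason=SIGNINGID|pid=5202|ppid=5180|uid=502|user=mallory|path=/bin/ksh|args=ksh",
    "[2026-05-22T09:11:00Z] I santad: action=EXEC|decision=DENY|reason=BINARY|pid=5203|ppid=5180|uid=502|user=mallory|path=/usr/bin/curl|args=curl -s https://example.invalid",
]
```

On the sample, `alice` shows one scripted csh denial from a single parent (a migration candidate), while `mallory` is flagged `probing` after three interactive denials across csh, tcsh and ksh from the same parent pid.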

### Resources

-   [Unix Shell Comparison](https://en.wikipedia.org/wiki/Comparison_of_command_shells)
-   [MITRE ATT&CK - Unix Shell](https://attack.mitre.org/techniques/T1059/004/)

### Related Rules

-   [Block dscl Password Validation](https://northpole.security/cookbook/block-dscl-authonly) (Discovery, Prevention, Execution): Block infostealers from validating stolen passwords with dscl -authonly using a Workshop CEL rule that stops the credential check at the source.

