Persistence Prevention | File Access | Updated Dec 11, 2025

Prevent PAM Configuration Tampering

Block writes to /etc/pam.d/ except by designated system installers, stopping attackers from planting PAM modules that capture or bypass authentication on macOS.

Idea

Pluggable Authentication Modules (PAM) sit behind several macOS authentication paths, among them sudo, login, su and sshd. Each service has a config file in /etc/pam.d/ that lists the modules (dylibs) to load, and OpenPAM loads whatever that file names, so an attacker who can write there can append a line pointing at their own dylib. That module then runs inside the authenticating process, as root in the sudo case, and sees the password PAM hands it; alternatively the attacker swaps the real authenticator for pam_permit.so so that any password is accepted. The directory is not protected by SIP, so root can write to it.

A Santa file access rule closes this off. Watching the /etc/pam.d/ prefix with rule type PathsWithAllowedProcesses means only the processes listed in the rule may write there; every other process is blocked, root included, because Santa enforces the rule from its Endpoint Security system extension. Setting AllowReadAccess leaves reads alone, so PAM and the services that depend on it keep working.
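To make the tampering concrete, here is an added example (not code from this page or from Santa) that parses pam.d service files and flags the two edits described above: a module loaded from a dylib outside /usr/lib/pam, and pam_permit.so taking the place of the real authenticator. The sample service files, the helper dylib path and the function names are constructed for the demo; the stock macOS /etc/pam.d/sudo layout they imitate is the only thing taken from a real system.

```python
"""PAM service-file audit (added example, not code from this page or from Santa).
Parses /etc/pam.d-style files ("<facility> <control> <module> [args]") and flags
the two edits an attacker with write access makes: a module loaded from a dylib
outside OpenPAM's module directory, and pam_permit.so standing in for the real
authenticator. The sample files are constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path, PurePosixPath
from typing import Iterator, NamedTuple

PAM_MODULE_DIR = "/usr/lib/pam"  # where OpenPAM resolves bare module names on macOS
# facility, control (plain word or bracketed "[value=action ...]"), module, args
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

class Rule(NamedTuple):
    line_no: int
    facility: str
    control: str
    module: str
    args: str
    raw: str

@dataclass(frozen=True)
class Finding:
    service: str
    line_no: int
    reason: str
    raw: str

def _logical_lines(text: str) -> Iterator[tuple[int, str]]:
    """Join backslash-continued lines; report the first physical line number."""
    buf: list[str] = []
    start = 0
    for no, physical in enumerate(text.splitlines(), 1):
        start = start if buf else no
        stripped = physical.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)

def parse_pam_rules(text: str) -> list[Rule]:
    rules: list[Rule] = []
    for no, line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()  # '#' begins a comment
        m = RULE_RE.match(line) if line else None
        if m:
            facility, control, module, args = m.groups()
            rules.append(Rule(no, facility.lower(), control.lower(), module, args or "", line))
    return rules

def audit_pam_service(service: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    auth: list[Rule] = []
    for r in parse_pam_rules(text):
        if r.control == "include":
            continue  # references another service file; audit that one on its own
        if "/" in r.module and str(PurePosixPath(r.module).parent) != PAM_MODULE_DIR:
            findings.append(Finding(service, r.line_no, f"module loaded from outside {PAM_MODULE_DIR}", r.raw))
        if r.facility == "auth":
            auth.append(r)
    # pam_permit.so always succeeds: as 'sufficient' it short-circuits the stack, and if
    # it is the only 'required' module nothing real authenticates the user.
    permit = [r for r in auth if PurePosixPath(r.module).name.startswith("pam_permit")]
    for r in permit:
        if r.control == "sufficient":
            findings.append(Finding(service, r.line_no, "pam_permit.so is 'sufficient' in the auth stack", r.raw))
    required = [r for r in auth if r.control in ("required", "requisite")]
    if required and all(r in permit for r in required):
        findings.append(Finding(service, required[0].line_no, "every required auth module is pam_permit.so", required[0].raw))
    return findings

def audit_pam_dir(pam_dir: str = "/etc/pam.d") -> list[Finding]:
    """Same checks over a real directory (run this on the Mac itself)."""
    files = (p for p in sorted(Path(pam_dir).iterdir()) if p.is_file())
    return [f for p in files for f in audit_pam_service(p.name, p.read_text(errors="replace"))]

# Constructed sample in the shape of a stock macOS /etc/pam.d/sudo.
CLEAN_SUDO = """\
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
"""
# Constructed sample after the tampering described above; the dylib path is a placeholder.
BACKDOORED_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_permit.so
auth       optional       /Library/Caches/example-helper.dylib \\
                          try_first_pass
account    required       pam_permit.so
"""
```

Run audit_pam_dir() on a Mac to check the live directory: the Santa rule stops future edits, and this confirms none landed before the rule was deployed. Lines using the include control are skipped because they name another service file rather than a module; that file is audited on its own in the same pass.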

Solutions

File Access: Protect PAM Configuration
Restrict write access to the PAM configuration directory

Path Prefixes:
  • /etc/pam.d/
Processes:
  • Signing ID:
  • Signing ID:
Options:
  Rule Type: PathsWithAllowedProcesses
  Allow Read Access: Yes
  Audit Only:
Custom Message:

Deployment Notes

This rule lets every process read the PAM configs but blocks writes from anything not listed under Processes, so an attacker cannot add or swap PAM modules. Before enforcing it, run it with Audit Only enabled for at least one OS update cycle and review the resulting file access events: macOS updates rewrite files under /etc/pam.d/, and any updater process missing from the allow list will show up there. Admin tooling that edits these files is affected in the same way, for example scripts that enable Touch ID for sudo by writing pam_tid.so into /etc/pam.d/sudo (or into /etc/pam.d/sudo_local on macOS 14 and later); give those tools an entry or run them before enforcement. Since /etc is a symlink to /private/etc on macOS, confirm from the audit events that the path prefix matches the path Santa reports.
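The rule expressed as the plist Santa loads from its FileAccessPolicyPlist setting, written here as an added example rather than code from this page or from the Santa project. The Signing IDs are left for the caller to supply, since the page does not list them; the rule name ProtectPAMConfiguration, the Version string and the BlockMessage text are choices made for this example, and watching /private/etc/pam.d/ alongside /etc/pam.d/ is an assumption about path normalization, not something the page states.

```python
"""Santa file access policy for the rule above (added example, not code from this
page or from Santa). Produces the plist Santa loads through its FileAccessPolicyPlist
setting: one WatchItem on the /etc/pam.d/ prefix, RuleType PathsWithAllowedProcesses,
reads allowed, writes limited to the listed processes. Signing IDs are passed in by
the caller; use the ones your own audit-mode events show writing to /etc/pam.d/."""
from __future__ import annotations

import plistlib

RULE_TYPES = {"PathsWithAllowedProcesses", "PathsWithDeniedProcesses",
              "ProcessesWithAllowedPaths", "ProcessesWithDeniedPaths"}
PROCESS_KEYS = {"BinaryPath", "TeamID", "SigningID", "CDHash",
                "CertificateSha256", "PlatformBinary"}
# /etc is a symlink to /private/etc on macOS. Watching both spellings is an
# assumption made here so the rule does not depend on how Santa normalizes paths.
PAM_PREFIXES = ("/etc/pam.d/", "/private/etc/pam.d/")
RULE_NAME = "ProtectPAMConfiguration"  # name chosen for this example


def build_pam_watch_policy(allowed_signing_ids: list[str], *, audit_only: bool = True,
                           platform_binaries: bool = True) -> bytes:
    """Return the policy as XML plist bytes. audit_only=True logs would-be blocks
    without enforcing; flip it to False once the allow list is complete."""
    processes = [{"SigningID": sid, "PlatformBinary": platform_binaries}
                 for sid in allowed_signing_ids]  # PlatformBinary: Apple-signed OS binaries
    policy = {
        "Version": "1.0",  # free-form label for this policy revision
        "WatchItems": {
            RULE_NAME: {
                "Paths": [{"Path": p, "IsPrefix": True} for p in PAM_PREFIXES],
                "Options": {
                    "RuleType": "PathsWithAllowedProcesses",
                    "AllowReadAccess": True,  # PAM itself must still read the files
                    "AuditOnly": audit_only,
                    "BlockMessage": "Writes to /etc/pam.d are limited to system installers.",
                },
                "Processes": processes,
            }
        },
    }
    return plistlib.dumps(policy)


def load_policy(data: bytes) -> dict:
    return plistlib.loads(data)


def check_policy(policy: dict) -> list[str]:
    """Mistakes worth catching before the plist reaches a fleet."""
    problems: list[str] = []
    for name, item in policy.get("WatchItems", {}).items():
        rule_type = item.get("Options", {}).get("RuleType")
        if rule_type not in RULE_TYPES:
            problems.append(f"{name}: unknown RuleType {rule_type!r}")
        if rule_type == "PathsWithAllowedProcesses" and not item.get("Processes"):
            problems.append(f"{name}: PathsWithAllowedProcesses with no Processes: every write would be blocked")
        for entry in item.get("Paths", []):
            path = entry["Path"] if isinstance(entry, dict) else entry
            if isinstance(entry, dict) and entry.get("IsPrefix") and not path.endswith("/"):
                problems.append(f"{name}: prefix {path!r} also matches siblings such as {path}2; end it with '/'")
        for proc in item.get("Processes", []):
            if not PROCESS_KEYS & set(proc):
                problems.append(f"{name}: process entry {proc} identifies no process")
    return problems


if __name__ == "__main__":
    # Placeholder signing ID; replace with the installer IDs seen in audit events.
    plist = build_pam_watch_policy(["<installer signing ID>"], audit_only=True)
    print(check_policy(load_policy(plist)) or plist.decode())
```

Point Santa at the generated file through FileAccessPolicyPlist, leave audit_only at True while collecting events, then regenerate with audit_only=False once every legitimate writer has an entry. The empty-Processes check exists because an allow-list rule with nobody on the list blocks OS updates along with attackers.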

Resources