---
title: "Prevent PAM Configuration Tampering | Security Cookbook"
description: "Block writes to /etc/pam.d/ except by system installers, stopping attackers from planting PAM backdoors that capture authentication on macOS."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-pam-bypass"
---

### Idea

Pluggable Authentication Modules (PAM) handles authentication on macOS, which makes it an easy place to plant a backdoor. An attacker can create a dylib and add its path to any of the auth rule configs in `/etc/pam.d/` to run any code they want. A Santa file access rule can prevent modification of the `/etc/pam.d/` directory: with the rule type set to "Paths with Allowed Process," only the specified processes can access it. We allow all processes to read the files, of course, but block any attempts to write to them, even as root.

### Solutions

File Access: Protect PAM Configuration

Restrict write access to PAM configuration directory

Path Prefixes

- /private/etc/pam.d

Processes

- Signing ID: platform:com.apple.installer
- Signing ID: platform:com.apple.softwareupdated

Options

- Rule Type: PathsWithAllowedProcesses
- Allow Read Access: true
- Audit Only: false

Custom Message

Modification of PAM configuration is not allowed

### MITRE ATT&CK

Tactics

[Persistence](https://attack.mitre.org/tactics/TA0003/), [Defense Impairment](https://attack.mitre.org/tactics/TA0112/), [Credential Access](https://attack.mitre.org/tactics/TA0006/)

Techniques

[T1556.003: Pluggable Authentication Modules](https://attack.mitre.org/techniques/T1556/003/)

### Tags

pam, persistence

### Deployment Notes

This rule allows all processes to read PAM configs but blocks writes except from system processes. This prevents attackers from adding malicious PAM modules.
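
The rule blocks new writes, but it does not reveal module entries that were added to `/etc/pam.d/` before it was deployed. As an added example (not part of the cookbook or of Santa), this Python audit parses PAM configs and reports module paths that point outside the default module directory; treating `/usr/lib/pam` as the only trusted directory and the sample file contents are assumptions.

```python
from pathlib import Path, PurePosixPath

# Assumption: stock macOS PAM modules load from this directory.
TRUSTED_MODULE_DIRS = {"/usr/lib/pam"}
FACILITIES = {"auth", "account", "session", "password"}

# Constructed sample, modeled on a macOS /etc/pam.d/sudo file.
SAMPLE_SUDO = """\
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       optional       /Users/Shared/.cache/libhelper.dylib
account    required       /usr/lib/pam/pam_permit.so.2
password   required       pam_deny.so
"""

def parse_pam_line(line):
    """Return (facility, module) for a rule line, else None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0].lower() not in FACILITIES:
        return None
    control, rest = fields[1], fields[2:]
    # A bracketed control such as [success=ok default=bad] spans fields.
    while control.startswith("[") and not control.endswith("]") and rest:
        control += " " + rest.pop(0)
    if control == "include" or not rest:
        return None  # includes name another service, not a module
    return fields[0].lower(), rest[0]

def suspicious_modules(service, text):
    """List (service, line, facility, module) for modules outside trusted dirs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None or "/" not in parsed[1]:
            continue  # bare names resolve in the default module directory
        path = PurePosixPath(parsed[1])
        trusted = (path.is_absolute() and ".." not in path.parts
                   and str(path.parent) in TRUSTED_MODULE_DIRS)
        if not trusted:
            findings.append((service, lineno, parsed[0], parsed[1]))
    return findings

if __name__ == "__main__":
    for conf in sorted(Path("/etc/pam.d").iterdir()):
        if conf.is_file():
            for finding in suspicious_modules(conf.name, conf.read_text()):
                print(finding)
```

Run it once before enabling the rule and review every reported line against a known-good copy of the same service file.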

### Resources

[The Evil Bit: PAM Persistence](https://theevilbit.github.io/beyond/beyond_0005/)

