Looking for pam_exec.so on macOS

2021-03-20

PAM

The other day I was looking for a reliable way to capture SSH session termination events on both Linux and macOS. One method I particularly liked, and which works perfectly on Linux, is PAM session events. Look at the following script:

#!/bin/bash
# /opt/event_handler.sh
set -euo pipefail

# pam_exec exports PAM_TYPE (along with PAM_USER, PAM_RHOST, PAM_SERVICE, ...)
# to the script it runs; "close_session" marks the end of a session.
if [[ ${PAM_TYPE} == "close_session" ]]; then
        # TODO: SOME ACTION
        :
fi

Now add the following line to /etc/pam.d/sshd:

session    optional    pam_exec.so quiet /opt/event_handler.sh
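As an added example (not code from the original post), here is a fuller version of the handler for the Linux setup above: it distinguishes the session phases that pam_exec reports from the auth/account phases and records a structured line via syslog. The PAM_* variables are the ones pam_exec exports; the `pam_event_handler` syslog tag is my assumption.

```shell
#!/bin/sh
# Added example: a pam_exec handler that logs sshd session open/close events.
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY to
# the child process. The syslog tag "pam_event_handler" is an assumption.
set -eu

# Return 0 for the two session phases and 1 for everything else. pam_exec also
# runs the script for auth/account/setcred phases if listed in those stacks.
is_session_event() {
    case "$1" in
        open_session|close_session) return 0 ;;
        *) return 1 ;;
    esac
}

# Build one structured audit line. Arguments: type user rhost service tty.
# An empty rhost means a local (non-network) session, e.g. from `su`.
format_pam_event() {
    rhost_field="${3:-local}"
    tty_field="${5:-none}"
    printf 'pam_event type=%s user=%s rhost=%s service=%s tty=%s\n' \
        "$1" "$2" "$rhost_field" "$4" "$tty_field"
}

# Entry point: read the variables pam_exec set, ignore non-session phases,
# and ship the line to syslog under the constructed tag.
handle_pam_event() {
    is_session_event "${PAM_TYPE:-}" || return 0
    line=$(format_pam_event "$PAM_TYPE" "${PAM_USER:-unknown}" \
        "${PAM_RHOST:-}" "${PAM_SERVICE:-unknown}" "${PAM_TTY:-}")
    logger -t pam_event_handler -p auth.info -- "$line"
}

# When PAM_TYPE is unset (run by hand), this is a no-op.
handle_pam_event
```

Installed as /opt/event_handler.sh with the `session optional pam_exec.so quiet` line above, each SSH login produces an `open_session` line and each disconnect a `close_session` line in the auth log.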

I was sad to realize that the above solution does not work on macOS. Looking at the sshd logs I saw this error all over the place:

sshd: (libpam.2.dylib) in openpam_load_module(): no pam_exec.so found

To confirm that pam_exec.so is indeed not present on my machine (Big Sur 11.2.1):

$ sudo ls -la /usr/lib/pam |grep pam
-r--r--r--   1 root  wheel  139248 Jan  1  2020 pam_aks.so.2
-rwxr-xr-x   1 root  wheel   71392 Jan  1  2020 pam_deny.so.2
-r--r--r--   1 root  wheel  156896 Jan  1  2020 pam_env.so.2
-r--r--r--   1 root  wheel  138192 Jan  1  2020 pam_group.so.2
-r--r--r--   1 root  wheel  199184 Jan  1  2020 pam_krb5.so.2
-r--r--r--   1 root  wheel  138832 Jan  1  2020 pam_launchd.so.2
-r--r--r--   1 root  wheel  197664 Jan  1  2020 pam_localauthentication.so.2
-r--r--r--   1 root  wheel  144816 Jan  1  2020 pam_mount.so.2
-r--r--r--   1 root  wheel  137936 Jan  1  2020 pam_nologin.so.2
-r--r--r--   1 root  wheel  143952 Jan  1  2020 pam_ntlm.so.2
-r--r--r--   1 root  wheel  178624 Jan  1  2020 pam_opendirectory.so.2
-rwxr-xr-x   1 root  wheel   71392 Jan  1  2020 pam_permit.so.2
-r--r--r--   1 root  wheel  120688 Jan  1  2020 pam_rootok.so.2
-r--r--r--   1 root  wheel  138112 Jan  1  2020 pam_sacl.so.2
-r--r--r--   1 root  wheel  137488 Jan  1  2020 pam_self.so.2
-r--r--r--   1 root  wheel  268720 Jan  1  2020 pam_smartcard.so.2
-r--r--r--   1 root  wheel  215264 Jan  1  2020 pam_tid.so.2
-r--r--r--   1 root  wheel  121696 Jan  1  2020 pam_uwtmp.so.2

I have found no deprecation notes or any evidence that the exec module has ever worked on macOS.

I tried to compile this file for Darwin to produce a shared object. I set a timebox of 1 hour for the experiment, and since I did not succeed within it I abandoned the whole idea.

OpenBSM / auditpipe

After my failed experiment with PAM, I wanted to concentrate on macOS and find an alternative solution to my problem. I stumbled across a blog post which explores OpenBSM and auditpipe. It is a fascinating read and great work, but regrettably auditpipe is deprecated on the latest macOS versions. Without exploring further, I abandoned this idea too, which led me to System Extensions.

System Extensions

System Extensions are Apple's new, preferred way of fiddling with the Darwin kernel subsystem. Glancing over the Endpoint Security API event types shows some promise. Apple provides a pretty low-level API, but implementing what I need shouldn't be too hard. My only concern is that distributing an extension seems tedious and there is a signing process in place. Yuck.

Conclusion

That is where I am at the moment. I may dive deep into System Extensions in the upcoming weeks to implement a proper auditing tool for my use case. We will see; I'll keep you updated.