2021-03-20
The other day I was looking for a reliable way to capture SSH session termination events on both Linux and macOS. One method which I particularly liked, and which works perfectly on Linux, is hooking PAM session events. Look at the following script:
# /opt/event_handler.sh
#!/bin/bash
set -euo pipefail
# pam_exec.so exports PAM_TYPE into the handler's environment; for the
# "session" stack it is either "open_session" or "close_session".
if [[ ${PAM_TYPE} == "close_session" ]]; then
    # TODO: SOME ACTION
    :
fi
Now add the following line to /etc/pam.d/sshd:
session optional pam_exec.so quiet /opt/event_handler.sh
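As an added example (not part of the original post), here is a fuller version of the handler that turns each SSH session close into a fixed-layout audit record. It relies only on the variables pam_exec.so is documented to export (PAM_TYPE, PAM_SERVICE, PAM_USER, PAM_RHOST, PAM_TTY); the log path /var/log/ssh_sessions.log and the function names are my own assumptions. The dispatch at the bottom only runs when PAM_TYPE is set, so the file can be sourced to exercise the functions without writing anything:

```bash
#!/bin/bash
# /opt/event_handler.sh, installed via:
#   session optional pam_exec.so quiet /opt/event_handler.sh
# pam_exec.so exports PAM_TYPE, PAM_SERVICE, PAM_USER, PAM_RHOST and PAM_TTY
# into the environment of this script.

# Assumption: a log path the sshd PAM stack (running as root) can append to.
LOG_FILE="${LOG_FILE:-/var/log/ssh_sessions.log}"

# Build one audit record from the PAM environment. The first argument is an
# optional timestamp (used by tests); by default the current UTC time is used.
# Unset variables are rendered as "-" so every record has the same field count.
format_event() {
    ts="${1:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    printf '%s type=%s service=%s user=%s rhost=%s tty=%s\n' \
        "$ts" \
        "${PAM_TYPE:--}" "${PAM_SERVICE:--}" "${PAM_USER:--}" \
        "${PAM_RHOST:--}" "${PAM_TTY:--}"
}

# True (exit 0) only for the end of an SSH session: the same script could be
# wired into other pam.d services, so check PAM_SERVICE as well as PAM_TYPE.
is_ssh_close() {
    [ "${PAM_TYPE:-}" = "close_session" ] && [ "${PAM_SERVICE:-}" = "sshd" ]
}

# Entry point used when PAM runs the script. The record is appended to the log;
# the "optional" control flag in pam.d already means a failure here cannot block
# the session, and we return 0 explicitly so nothing noisy lands in sshd's log.
handle_event() {
    if is_ssh_close; then
        format_event >> "$LOG_FILE"
    fi
    return 0
}

# Dispatch only when invoked by PAM (PAM_TYPE is set). Sourcing the file in a
# shell without that variable just defines the functions above.
if [ -n "${PAM_TYPE:-}" ]; then
    handle_event
fi
```

Each record is one line with a constant field order, which keeps it trivial to ship to a SIEM or to grep for a given user or remote host later.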
I was sad to realize that the above solution does not work on macOS. Looking at the sshd logs, I saw these errors all over the place:
sshd: (libpam.2.dylib) in openpam_load_module(): no pam_exec.so found
To confirm that pam_exec.so is indeed not present on my machine (Big Sur 11.2.1):
$ sudo ls -la /usr/lib/pam |grep pam
-r--r--r-- 1 root wheel 139248 Jan 1 2020 pam_aks.so.2
-rwxr-xr-x 1 root wheel 71392 Jan 1 2020 pam_deny.so.2
-r--r--r-- 1 root wheel 156896 Jan 1 2020 pam_env.so.2
-r--r--r-- 1 root wheel 138192 Jan 1 2020 pam_group.so.2
-r--r--r-- 1 root wheel 199184 Jan 1 2020 pam_krb5.so.2
-r--r--r-- 1 root wheel 138832 Jan 1 2020 pam_launchd.so.2
-r--r--r-- 1 root wheel 197664 Jan 1 2020 pam_localauthentication.so.2
-r--r--r-- 1 root wheel 144816 Jan 1 2020 pam_mount.so.2
-r--r--r-- 1 root wheel 137936 Jan 1 2020 pam_nologin.so.2
-r--r--r-- 1 root wheel 143952 Jan 1 2020 pam_ntlm.so.2
-r--r--r-- 1 root wheel 178624 Jan 1 2020 pam_opendirectory.so.2
-rwxr-xr-x 1 root wheel 71392 Jan 1 2020 pam_permit.so.2
-r--r--r-- 1 root wheel 120688 Jan 1 2020 pam_rootok.so.2
-r--r--r-- 1 root wheel 138112 Jan 1 2020 pam_sacl.so.2
-r--r--r-- 1 root wheel 137488 Jan 1 2020 pam_self.so.2
-r--r--r-- 1 root wheel 268720 Jan 1 2020 pam_smartcard.so.2
-r--r--r-- 1 root wheel 215264 Jan 1 2020 pam_tid.so.2
-r--r--r-- 1 root wheel 121696 Jan 1 2020 pam_uwtmp.so.2
I have found no deprecation notices or any other evidence that the exec module has ever worked on macOS.
I tried to compile this file for Darwin in order to produce a shared object. I set myself a timebox of one hour for this experiment; since I did not succeed within it, I abandoned the whole idea.
After my failed experiment with PAM, I wanted to concentrate on macOS and find an alternative solution to my problem. I stumbled across a blog post which explores OpenBSM and the audit pipe. It is a fascinating read and great work, but regrettably auditpipe is deprecated on the latest macOS versions. Without exploring further, I abandoned this idea too, which led me to System Extensions.
System Extensions are Apple's new, preferred way of fiddling with the Darwin kernel subsystem. Glancing over the Endpoint Security API event types shows some promise. Apple provides a pretty low-level API, but implementing what I need shouldn't be too hard. My only concern is that distributing an extension seems tedious and there is a signing process in place. Yuck.
That is where I am at the moment. I may dive deep into System Extensions in the upcoming weeks to implement a proper auditing tool for my use case. We will see; I'll keep you updated.