Hacktricks-skills pam-hardening

Linux PAM security auditing, backdoor detection, and hardening. Use this skill whenever the user mentions PAM configuration, authentication security, Linux hardening, credential harvesting detection, SSH security, or any post-exploitation concerns related to authentication. Also trigger for security audits, penetration testing, or when investigating suspicious login behavior.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules/SKILL.MD
source content

PAM Security & Hardening

This skill helps you audit, harden, and detect backdoors in Linux Pluggable Authentication Modules (PAM) configurations.

When to Use This Skill

  • Auditing PAM configurations for security issues
  • Detecting PAM-based backdoors or credential harvesters
  • Hardening authentication on Linux systems
  • Investigating suspicious login behavior
  • Post-exploitation security assessments
  • Penetration testing authentication systems

Quick Start

# Run the PAM security audit
./scripts/pam-audit.sh

# Check for backdoored PAM modules
./scripts/pam-backdoor-check.sh

Understanding PAM

PAM Realms

Realm      Purpose
auth       Validates user identity (passwords, tokens)
account    Account verification (group membership, time restrictions)
password   Password updates and complexity checks
session    Session start/end actions (mounting, resource limits)

PAM Controls

Control     Behavior
required    Failure causes eventual failure, but only after all remaining modules in the stack have run
requisite   Immediate termination of the stack on failure
sufficient  Success bypasses the remaining checks in the realm (unless an earlier required module already failed)
optional    Its result is ignored unless it is the only module in the stack

Detection & Triage

1. Spot Alien PAM Objects

# Brace expansion also produces directories that do not exist on this distro; silence those errors
find /{lib,usr/lib,usr/local/lib}{,64}/security -type f -printf '%p %s %M %u:%g %TY-%Tm-%Td\n' 2>/dev/null | grep -E 'pam_|libselinux'

2. Verify Package Integrity

# RHEL/CentOS
rpm -V pam

# Debian/Ubuntu
debsums -s libpam-modules

3. Identify Non-Packaged Modules

# Debian/Ubuntu (on RHEL/CentOS use `rpm -qf "$f"` instead of `dpkg -S "$f"`)
for f in /{lib,usr/lib,usr/local/lib}{,64}/security/*.so; do
    [ -e "$f" ] || continue   # skip globs that matched no file
    dpkg -S "$f" >/dev/null 2>&1 || echo "UNPACKAGED: $f"
done

4. Check for Suspicious Config Edits

grep -R "pam_.*\.so" /etc/pam.d/ | grep -E 'plg|selinux|custom|exec'

Common Backdoor Techniques

Technique 1: Trojanized pam_unix.so

Attackers replace the legitimate pam_unix.so with a modified version that:

  • Captures credentials to a hidden log file
  • Implements magic password bypass
  • Maintains original functionality to avoid detection

Detection:

  • Compare MD5/SHA256 against distro package
  • Check for unexpected file modifications
  • Look for world-writable permissions in /lib/security/

Technique 2: pam_exec Persistence

Adding pam_exec.so to /etc/pam.d/sshd to run arbitrary code on every SSH login:

# Suspicious entry
session optional pam_exec.so quiet /usr/local/bin/.ssh_hook.sh

Detection:

  • Audit all pam_exec entries in PAM configs
  • Verify executables exist and are legitimate
  • Check for hidden scripts in unusual locations

Hardening Recommendations

1. File Permissions

# PAM libraries should be owned by root:root with 644 permissions
chmod 644 /lib/security/pam_*.so
chown root:root /lib/security/pam_*.so

2. Audit Rules

# Add to /etc/audit/rules.d/
-w /lib/security/pam_unix.so -p wa -k pam-backdoor
-w /etc/pam.d/ -p wa -k pam-config-changes

3. Regular Integrity Checks

# Schedule periodic checks
crontab -e
# Add: 0 6 * * * /usr/local/bin/pam-integrity-check.sh

4. PAM Configuration Best Practices

  • Use required instead of sufficient for critical auth modules
  • Avoid pam_exec unless absolutely necessary
  • Keep PAM configs minimal and well-documented
  • Test changes in a staging environment first

Reference Files

  • scripts/pam-audit.sh - Comprehensive PAM security audit
  • scripts/pam-backdoor-check.sh - Backdoor detection script

Related Skills

  • SSH hardening
  • Linux privilege escalation detection
  • System integrity monitoring

References