- Red Hat Enterprise Linux 7
- Trend Micro
Local user login started failing suddenly in RHEL 7 and an error below could be observed in
PAM adding faulty module: /usr/lib64/security/pam_unix.so PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
Remove/Disable McAfee Agent from server:
# rpm -e --force McAfeeVSEForLinux
This step is important otherwise McAfee may remove the pam_unix.so library file again.
Reinstall PAM Package:
# yum reinstall pam
If system is inaccessible, reinstall pam package in Rescue environment. Reference: How to install or re-install a package in rescue mod.
Then try to login.
Red Hat has been made aware recently of incidents where McAfee Endpoint Security is flagging
/usr/lib64/security/pam_unix.soas malware, and deleting it, which renders systems inaccessible.
This has been identified by McAfee as a false positive, and McAfee is working on a remediation. For more information from McAfee, Refer False positive detection occurs in Endpoint Security for Linux Threat Prevention with MEDDAT 4893 or V2 DAT 10270.
NOTE : In one of the situations, it was observed that, the similar issue was caused by
Trend Micro anti-virus. After disabling the
Trend Micro manually as per Manually deactivate, stop, or start the agent and re-installing the
pam package helped.
Disclaimer : Links contained herein to an external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
- Below error is observed in
Mar 1 08:40:01 example.com sshd: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory Mar 1 08:40:01 example.com sshd: PAM adding faulty module: /usr/lib64/security/pam_unix.so
- The removal of
pam_unix.sofile is recorded in
$ cat messages | grep pam_unix Feb 27 11:03:01 example.com mfetpd: CEF:0|McAfee LLC|McAfee Endpoint Security for Linux Threat Prevention|10.7.5.98|3021|OASManager|7|deviceProcessName=/opt/McAfee/ens/tp/bin/mfetpd msg=Infection caught File Name: /usr/lib64/security/pam_unix.so File Size: 57720 Infection Name: LINUX/Miner.aw Virus Type: Trojan File Md5 Hash: d5b9a1845152d8ad2b91af044ff16d0b Time: 1645941781 Process Name: /usr/sbin/crond User Name: root Profile Type: 1 rt=2022-Feb-27 11:03:01
- Check if file
ls -l /usr/lib64/security/pam_unix.so
- Red Hat Enterprise Linux for x86_64
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.