Local user login fails suddenly in RHEL 7 with an error "PAM unable to dlopen /usr/lib64/security/pam_unix.so" when McAfee agent is running
Environment
- Red Hat Enterprise Linux 7
- PAM
- McAfee
- Trend Micro
Issue
- Local user login started failing suddenly in RHEL 7, and the error below could be observed in /var/log/secure:
PAM adding faulty module: /usr/lib64/security/pam_unix.so
PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
Resolution
- Remove/disable the McAfee agent from the server:
# rpm -e --force McAfeeVSEForLinux
This step is important; otherwise McAfee may remove the pam_unix.so library file again.
- Reinstall the PAM package:
# yum reinstall pam
If the system is inaccessible, reinstall the pam package in the rescue environment. Reference: How to install or re-install a package in rescue mode.
- Then try to log in.
Root Cause
- Red Hat has recently been made aware of incidents where McAfee Endpoint Security is flagging /usr/lib64/security/pam_unix.so as malware and deleting it, which renders systems inaccessible.
- This has been identified by McAfee as a false positive, and McAfee is working on a remediation. For more information from McAfee, refer to False positive detection occurs in Endpoint Security for Linux Threat Prevention with MEDDAT 4893 or V2 DAT 10270.
NOTE: In one situation, a similar issue was observed to be caused by Trend Micro anti-virus. Disabling Trend Micro manually, as per Manually deactivate, stop, or start the agent, and re-installing the pam package helped.
Disclaimer : Links contained herein to an external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
Diagnostic Steps
- The error below is observed in /var/log/secure:
Mar 1 08:40:01 example.com sshd[1808]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
Mar 1 08:40:01 example.com sshd[1809]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
- The removal of the pam_unix.so file is recorded in /var/log/messages:
$ cat messages | grep pam_unix
Feb 27 11:03:01 example.com mfetpd: CEF:0|McAfee LLC|McAfee Endpoint Security for Linux Threat Prevention|10.7.5.98|3021|OASManager|7|deviceProcessName=/opt/McAfee/ens/tp/bin/mfetpd msg=Infection caught File Name: /usr/lib64/security/pam_unix.so File Size: 57720 Infection Name: LINUX/Miner.aw Virus Type: Trojan File Md5 Hash: d5b9a1845152d8ad2b91af044ff16d0b Time: 1645941781 Process Name: /usr/sbin/crond User Name: root Profile Type: 1 rt=2022-Feb-27 11:03:01
- Check whether the file /usr/lib64/security/pam_unix.so exists:
$ ls -l /usr/lib64/security/pam_unix.so
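The diagnostic steps above can be combined into one triage pass. The script below is an added example, not part of the Red Hat solution: it extracts every module PAM failed to dlopen from a secure log and looks for an endpoint-AV "Infection caught" event naming the same file. The function names, the output labels and the sample log lines (modelled on the ones quoted in this article) are constructed for illustration.

```shell
#!/bin/bash
# Added example (not Red Hat's): correlate PAM dlopen failures with AV deletions.

# List each distinct module path PAM failed to dlopen, from a secure log ($1).
missing_pam_modules() {
    sed -n 's/.*PAM unable to dlopen(\([^)]*\)).*/\1/p' "$1" | sort -u
}

# Print "file|infection name|event time" for AV events in the messages log ($1)
# that name the file ($2). Field labels are those of the mfetpd line quoted above.
av_events_for() {
    grep -F "Infection caught File Name: $2 File Size:" "$1" | sed -n \
      's/.*File Name: \(.*\) File Size: .*Infection Name: \(.*\) Virus Type: .* rt=\(.*\)$/\1|\2|\3/p'
}

# For every module PAM could not load, say whether the AV log explains it.
correlate() {   # $1 = secure log, $2 = messages log
    missing_pam_modules "$1" | while IFS= read -r mod; do
        ev=$(av_events_for "$2" "$mod")
        if [ -n "$ev" ]; then
            printf 'REMOVED_BY_AV|%s\n' "$ev"
        else
            printf 'NO_AV_EVENT|%s\n' "$mod"
        fi
    done
}

# Constructed sample logs: shortened copies of the article's lines, plus one
# extra constructed sshd failure to show that repeated errors are de-duplicated.
write_samples() {   # $1 = directory to write into
    cat > "$1/secure" <<'EOF'
Mar 1 08:40:01 example.com sshd[1808]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
Mar 1 08:40:01 example.com sshd[1809]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
Mar 1 08:41:07 example.com sshd[1822]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
EOF
    cat > "$1/messages" <<'EOF'
Feb 27 11:03:01 example.com mfetpd: CEF:0|McAfee LLC|McAfee Endpoint Security for Linux Threat Prevention|10.7.5.98|3021|OASManager|7|deviceProcessName=/opt/McAfee/ens/tp/bin/mfetpd msg=Infection caught File Name: /usr/lib64/security/pam_unix.so File Size: 57720 Infection Name: LINUX/Miner.aw Virus Type: Trojan Process Name: /usr/sbin/crond User Name: root Profile Type: 1 rt=2022-Feb-27 11:03:01
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
correlate "$demo_dir/secure" "$demo_dir/messages"
```

On a live host, call `correlate /var/log/secure /var/log/messages` as root; `rpm -V pam` additionally reports any other files of the package that are missing.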
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.