Local user login fails suddenly in RHEL 7 with an error "PAM unable to dlopen /usr/lib64/security/pam_unix.so" when McAfee agent is running

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • PAM
  • McAfee
  • Trend Micro

Issue

  • Local user login started failing suddenly in RHEL 7 and an error below could be observed in /var/log/secure:

    PAM adding faulty module: /usr/lib64/security/pam_unix.so
    PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
    

Resolution

  1. Remove/Disable McAfee Agent from server:

    # rpm -e --force McAfeeVSEForLinux
    

    This step is important otherwise McAfee may remove the pam_unix.so library file again.

  2. Reinstall PAM Package:

     # yum reinstall pam
    

    If system is inaccessible, reinstall pam package in Rescue environment. Reference: How to install or re-install a package in rescue mod.

  3. Then try to login.

Root Cause

NOTE : In one of the situations, it was observed that, the similar issue was caused by Trend Micro anti-virus. After disabling the Trend Micro manually as per Manually deactivate, stop, or start the agent and re-installing the pam package helped.

Disclaimer : Links contained herein to an external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Diagnostic Steps

  • Below error is observed in /var/log/secure
Mar  1 08:40:01 example.com sshd[1808]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /usr/lib64/security/pam_unix.so: cannot open shared object file: No such file or directory
Mar  1 08:40:01 example.com sshd[1809]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
  • The removal of pam_unix.so file is recorded in /var/log/messages:
$ cat messages | grep pam_unix
Feb 27 11:03:01 example.com mfetpd: CEF:0|McAfee LLC|McAfee Endpoint Security for Linux Threat Prevention|10.7.5.98|3021|OASManager|7|deviceProcessName=/opt/McAfee/ens/tp/bin/mfetpd msg=Infection caught File Name: /usr/lib64/security/pam_unix.so File Size: 57720 Infection Name: LINUX/Miner.aw Virus Type: Trojan File Md5 Hash: d5b9a1845152d8ad2b91af044ff16d0b Time: 1645941781 Process Name: /usr/sbin/crond User Name: root Profile Type: 1 rt=2022-Feb-27 11:03:01
  • Check if file /usr/lib64/security/pam_unix.so exists
ls -l /usr/lib64/security/pam_unix.so

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

Hi, But what is that "Solution Unverified".

McAfee the bane of all sysadmins.