- Alerts are not generated.
- Watchlists are not running.
- Cron jobs owned by user "cb" are not executing.
- No cron log entries appear in /var/log/cb/job-runner/job-runner.log.
- /var/log/cron shows the following errors:
Feb 19 14:32:01 cbr01 crond[15462]: (cb) PAM ERROR (Permission denied)
Feb 19 14:32:01 cbr01 crond[15462]: (cb) FAILED to authorize user with PAM (Permission denied)
- tail -10 /var/log/audit/audit.log shows PAM errors when accessing the cron job that runs watchlists:
type=LOGIN msg=audit(1548232981.265:413306): pid=13522 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=49464 res=1
type=USER_START msg=audit(1548232981.278:413307): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1548232981.279:413308): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1548232983.761:413309): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1548232983.764:413310): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1548232991.028:413311): avc: denied { search } for pid=13576 comm="df" name="/" dev="0:39" ino=96 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1548232991.028:413311): avc: denied { read } for pid=13576 comm="df" name="rabbit@CB-SERVER-CLUSTER-HEAD-NODE" dev="0:39" ino=21299 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1548232991.028:413311): avc: denied { open } for pid=13576 comm="df" path="/var/cb_data/data/rabbitmq/mnesia/rabbit@CB-SERVER-CLUSTER-HEAD-NODE" dev="0:39" ino=21299 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1548232991.028:413311): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdf8f1b90f a1=100 a2=2283380 a3=7ffdf8f195a0 items=0 ppid=13575 pid=13576 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="df" exe="/usr/bin/df" subj=system_u:system_r:rabbitmq_t:s0 key=(null)
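The following triage example is added here and is not part of the original article or any vendor tooling. It counts crond PAM authorization failures per account, lists the accounts crond did open PAM sessions for, and groups SELinux AVC denials; the sample strings are constructed from the log lines above, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a few of the log lines quoted in the symptom list.
CRON_LOG = """\
Feb 19 14:32:01 cbr01 crond[15462]: (cb) PAM ERROR (Permission denied)
Feb 19 14:32:01 cbr01 crond[15462]: (cb) FAILED to authorize user with PAM (Permission denied)
"""
AUDIT_LOG = """\
type=USER_START msg=audit(1548232981.278:413307): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1548232991.028:413311): avc: denied { search } for pid=13576 comm="df" name="/" dev="0:39" ino=96 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1548232991.028:413311): avc: denied { read } for pid=13576 comm="df" name="rabbit@CB-SERVER-CLUSTER-HEAD-NODE" dev="0:39" ino=21299 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

CRON_FAIL = re.compile(
    r'crond\[\d+\]: \((?P<user>[^)]+)\) FAILED to authorize user with PAM')
CROND_PAM = re.compile(
    r'op=PAM:(?P<op>\w+) .*?acct="(?P<acct>[^"]+)" exe="/usr/sbin/crond".*? res=(?P<res>\w+)')
AVC = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def cron_pam_failures(text):
    """Count crond PAM authorization failures per account (from /var/log/cron)."""
    return Counter(m["user"] for m in CRON_FAIL.finditer(text))

def crond_pam_events(text):
    """(account, PAM operation, result) for each crond PAM record in audit.log."""
    return [(m["acct"], m["op"], m["res"]) for m in CROND_PAM.finditer(text)]

def avc_denials(text):
    """Group SELinux denials by (command, source type, target type, class)."""
    out = defaultdict(set)
    for m in AVC.finditer(text):
        key = (m["comm"], m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        out[key].update(m["perms"].split())
    return dict(out)

if __name__ == "__main__":
    print("cron PAM failures:", dict(cron_pam_failures(CRON_LOG)))
    print("crond PAM audit records:", crond_pam_events(AUDIT_LOG))
    print("AVC denials:", avc_denials(AUDIT_LOG))
```

On a live server, read /var/log/cron and /var/log/audit/audit.log into the two strings instead of the constructed samples.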