Version
This solution applies to all Carbon Black versions.

Issue

The cron jobs (from the cron tab file /etc/cron.d/cb) are not running at all. These processes provide core functionality of the product, and are necessary for tagging events for Watchlists, Feeds, collecting performance statistics, and other critical functions.

Symptoms

The following message may be observed in the /var/log/cron log file:

May 10 04:35:01 <My_CB_server> crond[22036]: (cb) FAILED to authorize user with PAM (Permission denied)

Note: The user referenced above is "cb", which all cron jobs run as on the system.

Cause
Root cause is due to system configuration forcing all users to use the PAM authentication module.

Solution

To workaround the PAM permission issue, add the following line to the /etc/security/access.conf file to allow the "cb" User access to the crond service. It is suggested to add it just below the line that references "root" for organizational reasons:

+ : cb : crond :0 tty1 tty2 tty3 tty4 tty5 tty6

Then restart the crond service:

service crond restart