Carbon Black cron jobs are not running due to PAM authentication module
Version This solution applies to all Carbon Black versions.
The cron jobs (from the cron tab file /etc/cron.d/cb) are not running at all. These processes provide core functionality of the product, and are necessary for tagging events for Watchlists, Feeds, collecting performance statistics, and other critical functions.
The following message may be observed in the /var/log/cron log file:
May 10 04:35:01 <My_CB_server> crond: (cb) FAILED to authorize user with PAM (Permission denied)
Note: The user referenced above is "cb", which all cron jobs run as on the system.
Cause Root cause is due to system configuration forcing all users to use the PAM authentication module.
To workaround the PAM permission issue, add the following line to the /etc/security/access.conf file to allow the "cb" User access to the crond service. It is suggested to add it just below the line that references "root" for organizational reasons: