On a RHEL-based system where a STIG has been implemented and Centrify DirectAudit is installed with the CentrifyDC agent, logging in to the system, or running su to another user while logged in as root, fails with the following error:
failed to execute /bin/cdax/bash: operation not permitted
The STIG requirement for "fapolicyd" is causing the issue and appears to be blocking Centrify-related paths and commands.
Resolution:
fapolicyd can be set to permissive, disabled, or updated to include the Centrify file paths; then restart CentrifyDC.
- To set fapolicyd to permissive:
  - As root or root equivalent user, edit /etc/fapolicyd/fapolicyd.conf, set permissive=1, save the file, and then reload fapolicyd using system commands: systemctl restart fapolicyd
- To add the Centrify file paths to fapolicyd, the fapolicyd-cli utility can be used with options similar to those below, run as root or root equivalent user:
  - fapolicyd-cli --file add <path to file>
  - fapolicyd-cli --file add /bin/cdax/
  - fapolicyd-cli --file add /usr/share/centrifydc/
  - Then run fapolicyd-cli --update
- To disable fapolicyd, as root or root equivalent user, use system commands:
  - systemctl stop fapolicyd
  - systemctl disable fapolicyd
- Restart the CentrifyDC agent:
  - /usr/share/centrifydc/bin/centrifydc restart
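A read-only check for the changes above, as an added example that is not part of the original article or Centrify's tooling: it reports whether fapolicyd.conf is still set to permissive and whether the trust file has entries under the two Centrify paths. The function names are hypothetical, and the trust file layout (path, size and SHA-256 on each line of /etc/fapolicyd/fapolicyd.trust) is an assumption.

```shell
#!/bin/sh
# Added example: read-only checks, nothing here modifies fapolicyd.
# Usage (as root):
#   check_centrify_fapolicyd /etc/fapolicyd/fapolicyd.conf /etc/fapolicyd/fapolicyd.trust

# Print the effective "permissive" value (0 = enforcing, 1 = permissive).
# Accepts "permissive=1" and "permissive = 1", skips comment lines,
# and prints 0 when the key is absent.
fapolicyd_permissive() {
    conf=${1:-/etc/fapolicyd/fapolicyd.conf}
    awk -F= '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == "permissive" { val = $2; gsub(/[[:space:]]/, "", val); last = val }
        END { print (last == "" ? 0 : last) }
    ' "$conf"
}

# Count trust entries whose path lies under the given directory.
# Assumes one "<path> <size> <sha256>" entry per line (paths without spaces).
trusted_under() {
    dir=${1%/}/
    trust=${2:-/etc/fapolicyd/fapolicyd.trust}
    awk -v d="$dir" '
        /^[[:space:]]*#/ || NF == 0 { next }
        index($1, d) == 1 { n++ }
        END { print n + 0 }
    ' "$trust"
}

# Report both settings; return non-zero if fapolicyd is permissive
# or either Centrify path has no trusted entries.
check_centrify_fapolicyd() {
    conf=$1; trust=$2; rc=0
    if [ "$(fapolicyd_permissive "$conf")" != 0 ]; then
        echo "WARN: fapolicyd is in permissive mode"
        rc=1
    fi
    for d in /bin/cdax /usr/share/centrifydc; do
        n=$(trusted_under "$d" "$trust")
        echo "$d: $n trusted entries"
        [ "$n" -gt 0 ] || rc=1
    done
    return $rc
}
```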
Please contact Red Hat for further support, questions, and recommendations on fapolicyd and how to modify the fapolicyd settings.
If fapolicyd is enabled without any of the above changes, library errors may also be seen when trying to run Centrify commands after a non-root user is logged in to the system.
For more information, see Knowledge Base Article: KB-50826: libeda.so.0 Cannot Open Shared Object File