Bug 276777

Summary: Enabling BSM/audit security can prevent root login
Product: Base System
Reporter: Tim Hogard <thogard>
Component: standards
Assignee: freebsd-standards (Nobody) <standards>
Status: Open
Severity: Affects Many People
CC: brueffer, csjp, emaste, markj
Priority: ---
Version: 13.2-RELEASE
Hardware: amd64
OS: Any

Description Tim Hogard 2024-02-02 12:53:26 UTC
When audit/BSM security auditing is turned on, console root (and other users) says:
"login: could not calculate audit mask" 
and then refuses login.

audit(8)/BSM (Basic Security Module) is an essential component for any modern security compliance framework, so this will affect many users. See Ch 19 of the 2024 FreeBSD Handbook.

I expect an initial audit mask isn't set in a preceding chain before the getty process accepts the login request but that is just a guess.
Comment 1 Tim Hogard 2024-02-06 00:33:54 UTC
It appears this was due to older flags in /etc/security/audit_control.
If the old Solaris flags were added, specifically ua and pm, then since they aren't in /etc/security/audit_class, the audit mask isn't created, and since it isn't created, root can't log in on the console.

I think the login code should allow root to log in in the case of a bad (or undefined) audit mask, to prevent being locked out of a system.

Perhaps the old Sun masks should be added to audit_class as:
0x00000000:ua:obsolete user administration class
0x00000000:pm:obsolete process modify class

If someone else runs into this, the fix is 1) fix the flags: line in audit_control, or 2) add the missing classes to audit_class as zeros and ensure the events you need audited are in the flags: line.

This applies from 14.0 back to at least 11.X.
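The lockout described in this comment comes from a flags: (or naflags:) line in audit_control naming a class that audit_class does not define. The script below is an added example, not part of this bug report or of the FreeBSD audit code: it checks every class named on those lines against the classes defined in audit_class, so an administrator can catch the mismatch before the next console login fails. It builds constructed sample files in a temporary directory rather than touching /etc/security; the file layouts assumed are the colon-separated ones documented in audit_control(5) and audit_class(5), and the sample audit_class is deliberately minimal.

```shell
#!/bin/sh
# Added example: validate the classes named on flags:/naflags: lines of an
# audit_control file against the classes defined in an audit_class file.
# Constructed sample files are used; pass the real paths to use it for real.

# Print the class names on the "$2:" line of audit_control $1, one per line,
# with the +, - and ^ prefixes (success/failure/negation) stripped off.
audit_flag_classes() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tr ',' '\n' | sed 's/^[+^-]*//' | sed '/^$/d'
}

# Report classes used in audit_control $1 that audit_class $2 does not define.
# Returns 0 when every class is defined, 1 when at least one is missing.
audit_missing_classes() {
    control=$1; class=$2; rc=0
    # second colon-separated field of each non-comment, non-blank line is the class name
    defined=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$class" | cut -d: -f2)
    for key in flags naflags; do
        for c in $(audit_flag_classes "$control" "$key"); do
            if ! printf '%s\n' "$defined" | grep -qx -- "$c"; then
                echo "$key: class '$c' not defined in $class"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: an audit_control that still carries the obsolete
# Solaris classes ua and pm, and a cut-down audit_class without them.
make_samples() {
    cat > "$1/audit_control" <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ua,pm
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
    cat > "$1/audit_class" <<'EOF'
# constructed, minimal audit_class; the shipped file defines many more classes
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00001000:lo:login_logout
0x00004000:ad:administrative
0x00008000:aa:authentication and authorization
0xffffffff:all:all flags set
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
if audit_missing_classes "$tmp/audit_control" "$tmp/audit_class"; then
    echo "all audit classes on flags:/naflags: are defined"
else
    echo "fix the flags: line, or add zero-mask entries for the missing classes to audit_class"
fi
rm -rf "$tmp"
```

On the sample input the check reports ua and pm as undefined and exits non-zero; on a file whose flags: line uses only defined classes (prefixes such as +lo or ^ad included) it exits zero. Running it against /etc/security/audit_control and /etc/security/audit_class before enabling auditing is a cheap way to avoid the "could not calculate audit mask" lockout.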
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2024-02-09 19:32:39 UTC
Christian, would you be able to look at this?