Bug 276777 - Enabling BSM/audit security can prevent root login
Summary: Enabling BSM/audit security can prevent root login
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: standards
Version: 13.2-RELEASE
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: freebsd-standards (Nobody)
Reported: 2024-02-02 12:53 UTC by Tim Hogard
Modified: 2024-02-09 19:32 UTC
Description Tim Hogard 2024-02-02 12:53:26 UTC
When audit/BSM security auditing is turned on, a console login as root (or any other user) says:
"login: could not calculate audit mask"
and then refuses the login.

audit(8)/BSM (Basic Security Module) is an essential component for any modern security compliance framework, so this will affect many users. See Ch. 19 of the 2024 FreeBSD Handbook.

I expect an initial audit mask isn't set in a preceding chain before the getty process accepts the login request but that is just a guess.
Comment 1 Tim Hogard 2024-02-06 00:33:54 UTC
It appears this was due to older flags in /etc/security/audit_control.
If the old Solaris flags were added, specifically ua and pm, then, since they aren't in /etc/security/audit_class, the audit mask isn't created, and since it isn't created, root can't log in on the console.

I think the login code should allow root to login in the case of a bad (or undefined) audit mask to prevent being locked out of a system.

Perhaps the old Sun masks should be added to audit_class as:
0x00000000:ua:obsolete user administration class
0x00000000:pm:obsolete process modify class

If someone else runs into this, the fix is 1) fix the flags: line in audit_control, or 2) add the missing classes to audit_class as zeros and ensure the events you need audited are in the flags: line.

This applies from 14.0 back to at least 11.X.
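The pre-flight check a practitioner would want before enabling auditing, following the diagnosis in Comment 1: confirm that every class named on the flags:/naflags: lines of audit_control(5) is actually defined in audit_class(5), so login(1) can build the audit mask instead of refusing the login. This is an added example and is not code from the bug report or from FreeBSD's audit tooling; the function names (audit_check_flags, audit_stub_classes, audit_demo), the temporary file paths and the sample file contents are all constructed for the demonstration. The stub generator reproduces the reporter's second workaround (zero-mask placeholder classes), which selects no events and is only a way to avoid the lockout while the flags: line is cleaned up.

```sh
#!/bin/sh
# Added example, not part of the bug report or of FreeBSD's own tooling:
# checks that every class referenced by audit_control's flags:/naflags:
# lines is defined in audit_class, so that login(1) can compute the audit
# mask. Paths used by audit_demo and the sample file contents are
# constructed for the demonstration.
set -u

# audit_check_flags CONTROL_FILE CLASS_FILE
# Prints each class name referenced by CONTROL_FILE but absent from
# CLASS_FILE (one per line, sorted) and returns 1 if any were found.
audit_check_flags() {
    control=$1
    class=$2
    # Defined class names: second colon-separated field of audit_class,
    # with comments and blank lines dropped.
    defined=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$class" | cut -d: -f2)
    # Referenced class names: the values of flags: and naflags:, split on
    # commas, with the +, -, ^, ^+ and ^- prefixes of audit_control(5)
    # stripped. "all" is a pseudo-class and is always valid.
    missing=$(
        sed -n -e 's/#.*//' -e 's/^\(na\)\{0,1\}flags:[[:space:]]*//p' "$control" |
        tr ',' '\n' |
        sed -e 's/^\^\{0,1\}[+-]\{0,1\}//' -e 's/[[:space:]]//g' -e '/^$/d' |
        sort -u |
        while read -r name; do
            [ "$name" = all ] && continue
            printf '%s\n' "$defined" | grep -qx -- "$name" || printf '%s\n' "$name"
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# audit_stub_classes NAME...
# Emits zero-mask audit_class lines for the given names (the reporter's
# second workaround); a 0x00000000 mask selects no events at all.
audit_stub_classes() {
    for name in "$@"; do
        printf '0x00000000:%s:obsolete class (placeholder)\n' "$name"
    done
}

# Runs the check on constructed sample files: an audit_control carrying the
# old Solaris ua/pm classes against an audit_class that does not define them.
# Prints the undefined class names and always returns 0.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/audit_control" <<'EOF'
# constructed sample audit_control
dir:/var/audit
flags:lo,aa,ua,pm,+ex
minfree:5
naflags:lo,aa
policy:cnt,argv
EOF
    cat > "$tmp/audit_class" <<'EOF'
# constructed sample audit_class (subset)
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000040:ex:exec
0x00001000:lo:login_logout
0x00004000:aa:authentication and authorization
EOF
    audit_check_flags "$tmp/audit_control" "$tmp/audit_class" || :
    rm -rf "$tmp"
    return 0
}

audit_demo
```

Run it against the real files with `audit_check_flags /etc/security/audit_control /etc/security/audit_class` before starting auditd; a non-zero exit means the flags: line names a class that login(1) will not be able to resolve. Piping the reported names through `audit_stub_classes` gives the placeholder lines to append to audit_class if the flags: line cannot be corrected immediately.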
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2024-02-09 19:32:39 UTC
Christian, would you be able to look at this?