[Bug 276777] Enabling BSM/audit security can prevent root login

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 06 Feb 2024 00:33:54 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276777

--- Comment #1 from Tim Hogard <thogard@abnormal.com> ---
It appears this was due to older flags in /etc/security/audit_control.
If the old Solaris flags were added, specifically ua and pm, and since they
aren't in /etc/security/audit_class, the audit mask isn't created and since it
isn't created, root can't log in on the console.

I think the login code should allow root to log in in the case of a bad (or
undefined) audit mask to prevent being locked out of a system.

Perhaps the old Sun masks should be added to audit_class as:
0x00000000:ua:obsolete user administration class
0x00000000:pm:obsolete process modify class

If someone else runs into this, the fix is 1) fix the flags: in audit_control or
2) add the missing classes to audit_class as zeros and ensure the events you
needed audited are in the flags: line.

This applies between 14.0 back to at least 11.X.

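A pre-reboot check for the condition described in the comment above, as an added example that is not part of the bug report or of FreeBSD: it lists class names on the flags: and naflags: lines of audit_control that audit_class does not define. The function names and the sample file contents are constructed for illustration; the prefix handling assumes the ^, + and - selection prefixes of audit_control(5).

```sh
#!/bin/sh
# Added example (not from the bug report). Usage on a live system:
#   undefined_audit_classes /etc/security/audit_control /etc/security/audit_class

# Print "keyword:class" for every class named on a flags: or naflags: line of
# CONTROL ($1) that CLASSES ($2) does not define. Returns 1 if any are found.
undefined_audit_classes() {
    awk -F: '
        FILENAME == ARGV[1] {                # audit_class: mask:name:description
            if ($0 !~ /^[ \t]*#/ && NF >= 2) defined[$2] = 1
            next
        }
        $1 == "flags" || $1 == "naflags" {   # audit_control class lists
            n = split($2, item, ",")
            for (i = 1; i <= n; i++) {
                name = item[i]
                gsub(/[ \t]/, "", name)
                # Strip the selection prefixes ^, +, -, ^+ and ^-.
                if (substr(name, 1, 1) == "^") name = substr(name, 2)
                c = substr(name, 1, 1)
                if (c == "+" || c == "-") name = substr(name, 2)
                if (name != "" && !(name in defined)) {
                    print $1 ":" name
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$2" "$1"
}

# Constructed sample files reproducing the situation in the comment above:
# ua and pm appear in flags: but have no entry in audit_class.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' '0x00000800:ad:administrative' \
        '0x00001000:lo:login_logout' \
        '0x00002000:aa:authentication and authorization' > "$tmp/audit_class"
    printf '%s\n' 'dir:/var/audit' 'flags:lo,aa,ua,-pm' 'minfree:5' \
        'naflags:lo,^+ad' > "$tmp/audit_control"
    rc=0
    undefined_audit_classes "$tmp/audit_control" "$tmp/audit_class" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Running it after any edit to audit_control, while a root session is still open, catches the undefined classes before the next console login depends on them.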