A little story

When I originally posted this, I wrote out the whole story, and writing the story was actually how I found out what I'd done wrong. But I didn't like it; it took way too long to explain a typo.

This is attempt #2.

For my first entry I planned on writing about a cool issue I discovered. Instead, I'm writing about something stupid I did.

Here is what I was trying to accomplish:

1) Retain the system log for 90+ days by modifying the /etc/asl.conf file. Set the ttl for the system.log rule to 90 days or more.

The remediation is to replace or edit the system.log rule with:

system.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90

2) Retain appfirewall.log for 90+ days. Again alter the /etc/asl.conf file, adding the rule:

appfirewall.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90

3) Retain authd.log, also for 90+ days. Edit the /etc/asl/com.apple.authd file and add:

file /var/log/authd.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90

4) Configure the security auditing flags. Modify /etc/security/audit_control and, on the line beginning with "flags", set the value to lo,ad,fd,fm,-all (no spaces anywhere in the list).
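The four edits above, as an added shell example that is not code from the original post. It refuses a malformed flags list before touching audit_control, so the kind of stray space described later in this post ("fm, -all") is rejected instead of being written out. Assumptions: the asl rules are written with the stock "> " output prefix, the audit class names are those documented in audit_class(5), and the rule text is the one given in the post. File paths are parameters so the functions can be tried against copies before running apply_benchmark as root.

```shell
#!/bin/sh
# Added example (not from the post): apply the asl.conf / com.apple.authd
# retention rules and the audit_control flags, validating the flags first.
# Paths are parameters so the functions can be exercised against copies.

# Audit class names as listed in audit_class(5) (assumption: stock class file).
KNOWN_CLASSES="all aa ad ap cl ex fa fc fd fm fr fw io ip lo na no nt ot pc"

# check_flags FLAGS: 0 if FLAGS is a comma-separated list of known classes,
# each with an optional ^, +, -, ^+ or ^- prefix; 1 (with a message) otherwise.
# Whitespace anywhere in the list is an error: "fm, -all" is exactly the typo
# that broke the login window in this post.
check_flags() {
    flags=$1
    case "$flags" in
        *[[:space:]]*) echo "check_flags: whitespace in '$flags'" >&2; return 1 ;;
        ""|,*|*,|*,,*) echo "check_flags: empty class in '$flags'" >&2; return 1 ;;
    esac
    saved_ifs=$IFS; IFS=,
    for item in $flags; do
        cls=${item#"^"}; cls=${cls#[+-]}          # strip the success/failure prefix
        case " $KNOWN_CLASSES " in
            *" $cls "*) ;;
            *) IFS=$saved_ifs
               echo "check_flags: unknown class '$cls' in '$flags'" >&2; return 1 ;;
        esac
    done
    IFS=$saved_ifs
    return 0
}

# set_conf_line FILE REGEX LINE: replace the first line matching the awk
# regex REGEX with LINE, or append LINE if nothing matches. Writes through a
# temp file and mv so a failed awk never leaves a half-written config.
set_conf_line() {
    file=$1; regex=$2; line=$3
    tmp="$file.tmp.$$"
    awk -v re="$regex" -v new="$line" '
        !done && $0 ~ re { print new; done = 1; next }
        { print }
        END { if (!done) print new }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_audit_flags FILE FLAGS: validate FLAGS, then rewrite the flags: line.
set_audit_flags() {
    file=$1; flags=$2
    check_flags "$flags" || return 1
    set_conf_line "$file" '^flags:' "flags:$flags"
}

# get_audit_flags FILE: print the current value of the flags: line.
get_audit_flags() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1
}

# apply_benchmark: the four changes from the post against the live files.
# Run as root. Rule text is the post's (mode and ttl values as given there).
apply_benchmark() {
    set_conf_line /etc/asl.conf '^>?[[:space:]]*system[.]log[[:space:]]' \
        '> system.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90'
    set_conf_line /etc/asl.conf '^>?[[:space:]]*appfirewall[.]log[[:space:]]' \
        '> appfirewall.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90'
    set_conf_line /etc/asl/com.apple.authd 'file /var/log/authd[.]log[[:space:]]' \
        'file /var/log/authd.log mode=6040 format=bsd rotate=utc compress file_max=5m ttl=90'
    set_audit_flags /etc/security/audit_control 'lo,ad,fd,fm,-all'
}
```

Because check_flags runs before anything is written, packaging this in a postinstall script fails loudly on a bad flags string instead of shipping a machine that cannot finish logging in; `sh -c '. ./retention.sh; check_flags "lo,ad,fd,fm, -all"'` shows the rejection without touching any file.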

The file looked like this when finished:

I applied the above settings to a group of machines and suddenly discovered that if the user logged out or restarted, they couldn't get back in: they were stuck on a black screen with a cursor. Screen sharing still worked (if looking at the black screen counts as working) and SSH still worked, but that was it.

I used SSH to get into an affected machine and began undoing all the audit changes. After I got all the machines back to normal, I started writing down my steps to try to see what had happened.

And here’s the problem:

The Benchmark said to edit the audit_control file with the flags lo,ad,fd,fm,-all. My file looked like this:

I had added a space after the last comma, between 'fm' and '-all'. I didn't notice it until I went back to reference the Benchmark for this writeup and compared it to the files I was using.

And that's my story. I removed the extra space, rebuilt the package and started testing it again. Everything works perfectly.

TL;DR: Spaces after commas may be appropriate for writers, but they can seriously mess up computers.

Update: Check out this link for some technical details about why that audit change kept the machine from fully logging in.

Thanks rtrouton!
