authorJan Friedel <Jan.Friedel@Sun.COM>2010-07-27 14:38:47 +0200
committerJan Friedel <Jan.Friedel@Sun.COM>2010-07-27 14:38:47 +0200
commitf89940742f5d14dde79b69b98a414dd7b7f585c7 (patch)
tree4ee3607a7fa5f68806f2e15326b561943bfdc420 /usr/src/lib/libsecdb
parent7a0c1e298cab158fe4113f2e75e46140eb4825e9 (diff)
PSARC/2009/636 Obsolete getacinfo(3bsm)
PSARC/2009/642 audit_control(4) EOL and removal PSARC/2010/218 Audit subsystem Rights Profiles PSARC/2010/220 svc:/system/auditset service 6875456 Solaris Audit configuration in SMF - phase 2 (PSARC/2009/636, PSARC/2009/642) 6942035 audit_binfile(5) leaves unfinished audit logs. 6942041 auditd(1) says "auditd refreshed" on startup. 6943275 audit_remote(5) leaks memory on audit service refresh 6955077 adt_get_mask_from_user() should regard _SC_GETPW_R_SIZE_MAX 6955117 $SRC/lib/libbsm/common/audit_ftpd.c shouldn't hardcode the lenght of usernames (8) 6956169 adt_audit_state() returns non-boolean values --HG-- rename : usr/src/cmd/auditconfig/auditconfig_impl.h => usr/src/lib/libbsm/common/audit_policy.h rename : usr/src/cmd/auditconfig/audit_scf.c => usr/src/lib/libbsm/common/audit_scf.c rename : usr/src/cmd/auditconfig/audit_scf.h => usr/src/lib/libbsm/common/audit_scf.h
Diffstat (limited to 'usr/src/lib/libsecdb')
-rw-r--r--usr/src/lib/libsecdb/auth_attr.txt6
-rw-r--r--usr/src/lib/libsecdb/common/mapfile-vers1
-rw-r--r--usr/src/lib/libsecdb/common/secdb.c99
-rw-r--r--usr/src/lib/libsecdb/exec_attr.txt14
-rw-r--r--usr/src/lib/libsecdb/help/auths/AuditConfig.html45
-rw-r--r--usr/src/lib/libsecdb/help/auths/AuditHeader.html37
-rw-r--r--usr/src/lib/libsecdb/help/auths/AuditRead.html43
-rw-r--r--usr/src/lib/libsecdb/help/auths/Makefile4
-rw-r--r--usr/src/lib/libsecdb/help/auths/SmfManageAudit.html42
-rw-r--r--usr/src/lib/libsecdb/help/auths/SmfValueAudit.html41
-rw-r--r--usr/src/lib/libsecdb/help/profiles/Makefile1
-rw-r--r--usr/src/lib/libsecdb/help/profiles/RtAuditCfg.html41
-rw-r--r--usr/src/lib/libsecdb/help/profiles/RtAuditCtrl.html39
-rw-r--r--usr/src/lib/libsecdb/help/profiles/RtAuditReview.html38
-rw-r--r--usr/src/lib/libsecdb/prof_attr.txt5
15 files changed, 258 insertions, 198 deletions
diff --git a/usr/src/lib/libsecdb/auth_attr.txt b/usr/src/lib/libsecdb/auth_attr.txt
index 718eaf7dd4..39ee87908d 100644
--- a/usr/src/lib/libsecdb/auth_attr.txt
+++ b/usr/src/lib/libsecdb/auth_attr.txt
@@ -37,9 +37,7 @@ solaris.admin.wusb.read:::Read Wireless USB Host and Device Information::help=WU
solaris.admin.wusb.modify:::Add or delete information of Wireless USB Device::help=WUSBmodify.html
solaris.admin.wusb.host:::Manage Wireless USB Host::help=WUSBhost.html
#
-solaris.audit.:::Audit Management::help=AuditHeader.html
-solaris.audit.config:::Configure Auditing::help=AuditConfig.html
-solaris.audit.read:::Read Audit Trail::help=AuditRead.html
+solaris.audit.:::Audit System-wide Management::help=AuditHeader.html
#
solaris.device.:::Device Allocation::help=DevAllocHeader.html
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
@@ -124,6 +122,7 @@ solaris.smf.modify.dependency:::Modify Service Dependencies::help=SmfModifyDepen
solaris.smf.modify.application:::Modify Application Type Properties::help=SmfModifyAppl.html
solaris.smf.modify.framework:::Modify Framework Type Properties::help=SmfModifyFramework.html
solaris.smf.manage.:::Manage All SMF Service States::help=SmfManageHeader.html
+solaris.smf.manage.audit:::Manage Audit Service States::help=SmfManageAudit.html
solaris.smf.manage.autofs:::Manage Automount Service States::help=SmfAutofsStates.html
solaris.smf.manage.bind:::Manage DNS Service States::help=BindStates.html
solaris.smf.manage.coreadm:::Manage Coreadm Service States::help=SmfCoreadmStates.html
@@ -162,6 +161,7 @@ solaris.smf.manage.vt:::Manage Virtual Console Service States::help=SmfVtStates.
solaris.smf.manage.wpa:::Manage WPA Service States::help=SmfWpaStates.html
solaris.smf.manage.ndmp:::Manage NDMP Service States::help=SmfNDMPStates.html
solaris.smf.value.:::Change Values of SMF Service Properties::help=SmfValueHeader.html
+solaris.smf.value.audit:::Configure the Audit Service::help=SmfValueAudit.html
solaris.smf.value.coreadm:::Change Values of SMF Coreadm Properties::help=SmfValueCoreadm.html
solaris.smf.value.discovery.printers.snmp:::Manage Network Attached Device Discovery Service Properties::help=SmfValueNADD.html
solaris.smf.value.extended-accounting.flow:::Change Values of Flow Extended Accounting Service Properties::help=SmfValueExAcctFlow.html
diff --git a/usr/src/lib/libsecdb/common/mapfile-vers b/usr/src/lib/libsecdb/common/mapfile-vers
index b184473b9e..76b2a3692d 100644
--- a/usr/src/lib/libsecdb/common/mapfile-vers
+++ b/usr/src/lib/libsecdb/common/mapfile-vers
@@ -81,6 +81,7 @@ SYMBOL_VERSION SUNWprivate_1.1 {
_kva2str;
_kva_dup;
_kva_free;
+ _kva_free_value;
_new_kva;
_str2kva;
_enum_profs;
diff --git a/usr/src/lib/libsecdb/common/secdb.c b/usr/src/lib/libsecdb/common/secdb.c
index 0c8f9da2f2..e012d95ce0 100644
--- a/usr/src/lib/libsecdb/common/secdb.c
+++ b/usr/src/lib/libsecdb/common/secdb.c
@@ -49,7 +49,7 @@ kva_match(kva_t *kva, char *key)
kv_t *data;
if (kva == NULL || key == NULL) {
- return ((char *)NULL);
+ return (NULL);
}
data = kva->data;
for (i = 0; i < kva->length; i++) {
@@ -58,7 +58,7 @@ kva_match(kva_t *kva, char *key)
}
}
- return ((char *)NULL);
+ return (NULL);
}
/*
@@ -89,6 +89,32 @@ _kva_free(kva_t *kva)
}
/*
+ * _kva_free_value(): Free up memory (value) for all the occurrences of
+ * the given key.
+ */
+void
+_kva_free_value(kva_t *kva, char *key)
+{
+ int ctr;
+ kv_t *data;
+
+ if (kva == NULL) {
+ return;
+ }
+
+ ctr = kva->length;
+ data = kva->data;
+
+ while (ctr--) {
+ if (strcmp(data->key, key) == 0 && data->value != NULL) {
+ free(data->value);
+ data->value = NULL;
+ }
+ data++;
+ }
+}
+
+/*
* new_kva(): Allocate a key-value array.
*/
kva_t *
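Review bot: `_kva_free_value()` hands both `key` and `data->key` to `strcmp()` without a NULL check, although `kva_match()` in this file rejects a NULL key up front. The `print_kva()` change in this same commit guards against a NULL `data[i].key`, which suggests entries with a NULL key can occur. I would widen the guard to `if (kva == NULL || key == NULL)` and test `data->key != NULL &&` ahead of the `strcmp()`. The header comment should also say that the entry stays in the array with a NULL value, so callers know later lookups of that key presumably return NULL.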
@@ -97,11 +123,11 @@ _new_kva(int size)
kva_t *new_kva;
if ((new_kva = (kva_t *)calloc(1, sizeof (kva_t))) == NULL) {
- return ((kva_t *)NULL);
+ return (NULL);
}
if ((new_kva->data = (kv_t *)calloc(1, (size*sizeof (kv_t)))) == NULL) {
free(new_kva);
- return ((kva_t *)NULL);
+ return (NULL);
}
return (new_kva);
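Review bot: `calloc(1, (size*sizeof (kv_t)))` does the multiplication itself, so calloc's own overflow check never sees the element count, and a negative `size` converts to a very large `size_t`. Passing the count through, `calloc((size_t)size, sizeof (kv_t))`, after an `if (size < 0) return (NULL);` guard keeps the bound check where the library can do it. `_new_kva()` starts and ends outside this hunk, so callers that derive `size` from parsed input (as `_str2kva()` appears to) are not visible here.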
@@ -132,7 +158,7 @@ _str2kva(char *s, char *ass, char *del)
*s == '\0' ||
*s == '\n' ||
(strlen(s) <= 1)) {
- return ((kva_t *)NULL);
+ return (NULL);
}
p = s;
while ((p = _strpbrk_escape(p, ass)) != NULL) {
@@ -147,12 +173,12 @@ _str2kva(char *s, char *ass, char *del)
size = m * KV_ADD_KEYS;
}
if ((nkva = _new_kva(size)) == NULL) {
- return ((kva_t *)NULL);
+ return (NULL);
}
data = nkva->data;
nkva->length = 0;
if ((buf = strdup(s)) == NULL) {
- return ((kva_t *)NULL);
+ return (NULL);
}
pair = _strtok_escape(buf, del, &last_pair);
do {
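Review bot: The `strdup(s)` failure path returns NULL without releasing `nkva`, which `_new_kva(size)` allocated a few lines earlier, so the array and its data block leak when memory is short. `nkva->length` is already 0 at that point, so adding `_kva_free(nkva);` before `return (NULL);` looks safe, though `_kva_free()`'s body is not visible in this diff. `_str2kva()` starts and ends outside this hunk.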
@@ -172,43 +198,34 @@ _str2kva(char *s, char *ass, char *del)
* (buf). Use delimeter (del) to separate pairs. Use assignment character
* (ass) to separate keys and values.
*
- * Return Values: 0 Success 1 Buffer too small 2 Out of memory
+ * Return Values: 0 Success 1 Buffer too small
*/
int
_kva2str(kva_t *kva, char *buf, int buflen, char *ass, char *del)
{
int i;
- int length = 0;
- char *tmp;
+ int len;
+ int off = 0;
kv_t *data;
if (kva == NULL) {
return (0);
}
+
+ buf[0] = '\0';
data = kva->data;
+
for (i = 0; i < kva->length; i++) {
if (data[i].value != NULL) {
- length += 2 + strlen(data[i].value);
- }
- }
- if (length > buflen) {
- return (1);
- }
- (void) memset(buf, 0, buflen);
- if ((tmp = (char *)malloc(buflen)) == NULL) {
- return (2);
- }
- for (i = 0; i < kva->length; i++) {
- if (data[i].value != NULL) {
- if (snprintf(tmp, buflen, "%s%s%s%s",
- data[i].key, ass, data[i].value, del) >= buflen) {
- free((void *)tmp);
- return (0);
+ len = snprintf(buf + off, buflen - off, "%s%s%s%s",
+ data[i].key, ass, data[i].value, del);
+ if (len < 0 || len + off >= buflen) {
+ return (1);
}
- (void) strcat(buf, tmp);
+ off += len;
}
}
- free((void *)tmp);
+
return (0);
}
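Review bot: `buf[0] = '\0'` is stored before `buf` and `buflen` are validated, so a caller passing `buflen <= 0` gets an out-of-bounds write, and `buflen - off` then converts to a huge `size_t` in the `snprintf()` call. A guard such as `if (buf == NULL || buflen <= 0) return (1);` ahead of that store closes both cases. On the truncation path the function returns 1 but leaves a partially written last pair in `buf`; adding `buf[off] = '\0';` before `return (1);` would leave only complete pairs for a caller that ignores the return value. The `kva == NULL` early return still leaves `buf` untouched while reporting success, which the header comment should state.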
@@ -240,15 +257,15 @@ _kva_dup(kva_t *old_kva)
int size;
kv_t *old_data;
kv_t *new_data;
- kva_t *nkva = (kva_t *)NULL;
+ kva_t *nkva = NULL;
if (old_kva == NULL) {
- return ((kva_t *)NULL);
+ return (NULL);
}
old_data = old_kva->data;
size = old_kva->length;
if ((nkva = _new_kva(size)) == NULL) {
- return ((kva_t *)NULL);
+ return (NULL);
}
new_data = nkva->data;
nkva->length = old_kva->length;
@@ -309,10 +326,10 @@ _argv_to_csl(char **strings)
{
int len = 0;
int i = 0;
- char *newstr = (char *)NULL;
+ char *newstr = NULL;
if (strings == NULL)
- return ((char *)NULL);
+ return (NULL);
for (i = 0; strings[i] != NULL; i++) {
len += strlen(strings[i]) + 1;
}
@@ -325,7 +342,7 @@ _argv_to_csl(char **strings)
newstr[len-1] = NULL;
return (newstr);
} else
- return ((char *)NULL);
+ return (NULL);
}
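Review bot: The context line `newstr[len-1] = NULL;` stores a null pointer constant into a `char`, and this commit's NULL clean-up leaves it in place; where NULL is defined as `((void *)0)` that is a pointer-to-integer conversion. `newstr[len-1] = '\0';` says what is meant. Separately, `len` stays 0 when `strings[0]` is NULL (see the loop in the previous hunk), so it is worth confirming that the part of `_argv_to_csl()` outside these two hunks cannot reach index `len-1` in that case.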
@@ -335,10 +352,10 @@ _csl_to_argv(char *csl)
int len = 0;
int ncommas = 0;
int i = 0;
- char **spc = (char **)NULL;
- char *copy = (char *)NULL;
+ char **spc = NULL;
+ char *copy = NULL;
char *pc;
- char *lasts = (char *)NULL;
+ char *lasts = NULL;
len = strlen(csl);
for (i = 0; i < len; i++) {
@@ -346,7 +363,7 @@ _csl_to_argv(char *csl)
ncommas++;
}
if ((spc = (char **)malloc((ncommas + 2) * sizeof (char *))) == NULL) {
- return ((char **)NULL);
+ return (NULL);
}
copy = strdup(csl);
for (pc = strtok_r(copy, ",", &lasts), i = 0; pc != NULL;
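Review bot: `copy = strdup(csl)` is passed to `strtok_r()` on the next line without a NULL check, so an allocation failure hands `strtok_r()` a NULL string while `lasts` is also NULL. I would write `if ((copy = strdup(csl)) == NULL) { free(spc); return (NULL); }`, which also avoids leaking `spc`. `csl` itself reaches `strlen()` in the previous hunk with no NULL check, unlike the `strings == NULL` guard in `_argv_to_csl()`. The `for` statement and the rest of `_csl_to_argv()` continue outside this hunk.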
@@ -378,12 +395,14 @@ print_kva(kva_t *kva)
kv_t *data;
if (kva == NULL) {
- printf(" (empty)\n");
+ (void) printf(" (empty)\n");
return;
}
data = kva->data;
for (i = 0; i < kva->length; i++) {
- printf(" %s = %s\n", data[i].key, data[i].value);
+ (void) printf(" %s = %s\n",
+ data[i].key != NULL ? data[i].key : "NULL",
+ data[i].value != NULL ? data[i].value : "NULL");
}
}
#endif /* DEBUG */
diff --git a/usr/src/lib/libsecdb/exec_attr.txt b/usr/src/lib/libsecdb/exec_attr.txt
index 01b3479945..034afd84b6 100644
--- a/usr/src/lib/libsecdb/exec_attr.txt
+++ b/usr/src/lib/libsecdb/exec_attr.txt
@@ -27,15 +27,11 @@
#
#
All:suser:cmd:::*:
-Audit Control:suser:cmd:::/etc/security/bsmconv:uid=0
-Audit Control:suser:cmd:::/etc/security/bsmunconv:uid=0
-Audit Control:solaris:cmd:::/usr/sbin/audit:privs=sys_audit,file_dac_read,proc_owner
-Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
-Audit Control:suser:cmd:::/usr/sbin/auditconfig:euid=0
-Audit Control:suser:cmd:::/usr/sbin/auditd:uid=0
-Audit Review:suser:cmd:::/usr/sbin/auditreduce:euid=0
-Audit Review:suser:cmd:::/usr/sbin/auditstat:euid=0
-Audit Review:suser:cmd:::/usr/sbin/praudit:euid=0
+Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner,sys_audit
+Audit Configuration:solaris:::/usr/sbin/auditconfig:privs=sys_audit
+Audit Review:solaris:cmd:::/usr/sbin/auditreduce:euid=0
+Audit Review:solaris:cmd:::/usr/sbin/auditstat:privs=proc_audit
+Audit Review:solaris:cmd:::/usr/sbin/praudit:privs=file_dac_read
Contract Observer:solaris:cmd:::/usr/bin/ctwatch:\
privs=contract_event,contract_observer
Cron Management:suser:cmd:::/usr/bin/crontab:euid=0
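Review bot: The new `Audit Configuration` entry has an empty type field where every neighbouring entry has `cmd`, which leaves it one colon-separated field short. If the fields are read positionally, the path and `privs=sys_audit` land in the wrong columns and the profile would not grant the privilege to `auditconfig`. It should presumably read `Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit`. Also, `auditreduce` keeps `euid=0` under the `solaris` policy while the other Audit Review commands move to single privileges; a comment on why it still needs full root would help the next least-privilege pass.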
diff --git a/usr/src/lib/libsecdb/help/auths/AuditConfig.html b/usr/src/lib/libsecdb/help/auths/AuditConfig.html
deleted file mode 100644
index f5e942fd28..0000000000
--- a/usr/src/lib/libsecdb/help/auths/AuditConfig.html
+++ /dev/null
@@ -1,45 +0,0 @@
-<HTML>
-<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
--->
-<!-- SCCS keyword
-#pragma ident "%Z%%M% %I% %E% SMI"
--->
-
-<HEAD>
-<!--
-META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"
--->
-<!--
-META NAME="GENERATOR" CONTENT="Mozilla/4.02 [en] (X11; U; SunOS 5.6 sun4u) [Netscape]"
--->
-</HEAD>
-<BODY>
-When Configure Auditing is in the Authorizations Included column, it grants the authorization to configure the auditing attributes
-for specific users, files, and machines.
-<p>
-If Configure Auditing is grayed, then you are not entitled to Add or Remove this authorization.
-<BR>&nbsp;
-</BODY>
-</HTML>
diff --git a/usr/src/lib/libsecdb/help/auths/AuditHeader.html b/usr/src/lib/libsecdb/help/auths/AuditHeader.html
index 7e249606ae..ce44fb98f6 100644
--- a/usr/src/lib/libsecdb/help/auths/AuditHeader.html
+++ b/usr/src/lib/libsecdb/help/auths/AuditHeader.html
@@ -1,14 +1,12 @@
-<HTML>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -22,16 +20,17 @@
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
+
+ Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
-->
-<!-- SCCS keyword
-#pragma ident "%Z%%M% %I% %E% SMI"
--->
-<!--
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="GENERATOR" CONTENT="Mozilla/4.02 [en] (X11; U; SunOS 5.6 sun4u) [Netscape]">
--->
-<BODY>
-Audit Management Authorization Help
-<BR>&nbsp;
-</BODY>
-</HTML>
+<head>
+<title>solaris.audit.</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
+
+<body>
+<p>
+ Audit System-wide Management Authorization Help
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/help/auths/AuditRead.html b/usr/src/lib/libsecdb/help/auths/AuditRead.html
deleted file mode 100644
index dd5aa4d1c4..0000000000
--- a/usr/src/lib/libsecdb/help/auths/AuditRead.html
+++ /dev/null
@@ -1,43 +0,0 @@
-<HTML>
-<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
--->
-<!-- SCCS keyword
-#pragma ident "%Z%%M% %I% %E% SMI"
--->
-<HEAD>
-<!--
-META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"
--->
-<!--
-META NAME="GENERATOR" CONTENT="Mozilla/4.02 [en] (X11; U; SunOS 5.6 sun4u) [Netscape]"
--->
-</HEAD>
-<BODY>
-When Read Audit Trail is in the Authorizations Included column, it grants the authorization to read the audit trail.
-<p>
-If Read Audit Trail is grayed, then you are not entitled to Add or Remove this authorization.
-<BR>&nbsp;
-</BODY>
-</HTML>
diff --git a/usr/src/lib/libsecdb/help/auths/Makefile b/usr/src/lib/libsecdb/help/auths/Makefile
index 4166b9e15c..3822013c57 100644
--- a/usr/src/lib/libsecdb/help/auths/Makefile
+++ b/usr/src/lib/libsecdb/help/auths/Makefile
@@ -28,9 +28,7 @@
include ../../../../Makefile.master
HTMLENTS = \
- AuditConfig.html \
AuditHeader.html \
- AuditRead.html \
DevAllocHeader.html \
DevAllocate.html \
DevConfig.html \
@@ -79,6 +77,7 @@ HTMLENTS = \
SmfInetdStates.html \
SmfIPsecStates.html \
SmfLocationStates.html \
+ SmfManageAudit.html \
SmfManageHeader.html \
SmfManageHotplug.html \
SmfMDNSStates.html \
@@ -97,6 +96,7 @@ HTMLENTS = \
SmfSendmailStates.html \
SmfSshStates.html \
SmfSyslogStates.html \
+ SmfValueAudit.html \
SmfValueCoreadm.html \
SmfValueExAcctFlow.html \
SmfValueExAcctProcess.html \
diff --git a/usr/src/lib/libsecdb/help/auths/SmfManageAudit.html b/usr/src/lib/libsecdb/help/auths/SmfManageAudit.html
new file mode 100644
index 0000000000..f51fd29c6d
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfManageAudit.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+-->
+<head>
+<title>solaris.smf.manage.audit</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
+
+<body>
+<p>
+ When Manage Audit Service is in the Authorizations Include column,
+ it grants the authorization to enable, disable, or restart the audit
+ service.
+</p>
+<p>
+ If Manage Audit Service is grayed, then you are not entitled to
+ Add or Remove this authorization.
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/help/auths/SmfValueAudit.html b/usr/src/lib/libsecdb/help/auths/SmfValueAudit.html
new file mode 100644
index 0000000000..55beea12d4
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfValueAudit.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+-->
+<head>
+<title>solaris.smf.value.audit</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
+
+<body>
+<p>
+ When Configure Audit is in the Authorizations Included column,
+ it grants authorization to configure the Audit service.
+</p>
+<p>
+ If Configure Audit is grayed, then you are not entitled to Add
+ or Remove this authorization.
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/help/profiles/Makefile b/usr/src/lib/libsecdb/help/profiles/Makefile
index bc08b900b3..a8701922f2 100644
--- a/usr/src/lib/libsecdb/help/profiles/Makefile
+++ b/usr/src/lib/libsecdb/help/profiles/Makefile
@@ -26,6 +26,7 @@ include ../../../../Makefile.master
HTMLENTS = \
RtAcctadm.html \
RtAll.html \
+ RtAuditCfg.html \
RtAuditCtrl.html \
RtAuditReview.html \
RtContractObserver.html \
diff --git a/usr/src/lib/libsecdb/help/profiles/RtAuditCfg.html b/usr/src/lib/libsecdb/help/profiles/RtAuditCfg.html
new file mode 100644
index 0000000000..91d7662a51
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/profiles/RtAuditCfg.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+-->
+<head>
+<title>Audit Configuration</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
+
+<body>
+<p>
+ When Audit Configuration is in the Rights Included column, it grants the
+ right to configure audit service.
+</p>
+<p>
+ If Audit Configuration is grayed, then you are not entitled to Add or
+ Remove this right.
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/help/profiles/RtAuditCtrl.html b/usr/src/lib/libsecdb/help/profiles/RtAuditCtrl.html
index 6380a9c9b4..17c851cc54 100644
--- a/usr/src/lib/libsecdb/help/profiles/RtAuditCtrl.html
+++ b/usr/src/lib/libsecdb/help/profiles/RtAuditCtrl.html
@@ -1,11 +1,12 @@
-<HTML>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
<!--
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -20,21 +21,23 @@
CDDL HEADER END
--- Copyright 2000 Sun Microsystems, Inc. All rights reserved.
--- Use is subject to license terms.
+ Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
-->
-<HEAD>
- <TITLE> </TITLE>
-
-
-</HEAD>
-<BODY>
-<!-- ident "%Z%%M% %I% %E% SMI" -->
+<head>
+<title>Audit Control</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
-When Audit Control is in the Rights Included column, it grants the right to manage the audit subsystem (which keeps track of event information), but not the right to read the audit files (see Audit Review).
+<body>
<p>
-If Audit Control is grayed, then you are not entitled to Add or Remove this right.
+ When Audit Control is in the Rights Included column, it grants the right
+ to manage the audit service states (enable/disable/refresh/restart)
+ but not the right to read the audit configuration
+ (see Audit Configuration).
+</p>
<p>
-<p>
-</BODY>
-</HTML>
+ If Audit Control is grayed, then you are not entitled to Add or Remove
+ this right.
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/help/profiles/RtAuditReview.html b/usr/src/lib/libsecdb/help/profiles/RtAuditReview.html
index e5a85e29ac..8a81ae41bd 100644
--- a/usr/src/lib/libsecdb/help/profiles/RtAuditReview.html
+++ b/usr/src/lib/libsecdb/help/profiles/RtAuditReview.html
@@ -1,11 +1,12 @@
-<HTML>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
<!--
CDDL HEADER START
The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
@@ -20,20 +21,23 @@
CDDL HEADER END
--- Copyright 2000 Sun Microsystems, Inc. All rights reserved.
--- Use is subject to license terms.
+ Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
-->
-<HEAD>
- <TITLE> </TITLE>
-
-
-</HEAD>
-<BODY>
-<!-- ident "%Z%%M% %I% %E% SMI" -->
+<head>
+<title>Audit Review</title>
+<meta http-equiv="content-type" content="text/html;charset=iso-8859-1" />
+</head>
-When Audit Review is in the Rights Included column, it grants the right to read the audit trail, but not the right to manage the audit subsystem (see Audit Control).
+<body>
<p>
-If Audit Review is grayed, then you are not entitled to Add or Remove this right.
+ When Audit Review is in the Rights Included column, it grants the right
+ to read the audit trail, but not the right to manage the audit service
+ states (see Audit Control) or change the audit service configuration
+ (see Audit Configuration).
+</p>
<p>
-</BODY>
-</HTML>
+ If Audit Review is grayed, then you are not entitled to Add or
+ Remove this right.
+</p>
+</body>
+</html>
diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt
index 6085ed1f2d..650a0fd919 100644
--- a/usr/src/lib/libsecdb/prof_attr.txt
+++ b/usr/src/lib/libsecdb/prof_attr.txt
@@ -27,8 +27,9 @@
# profiles attributes. see prof_attr(4)
#
All:::Execute any command as the user or role:help=RtAll.html
-Audit Control:::Configure Solaris Auditing:auths=solaris.audit.config,solaris.jobs.admin;help=RtAuditCtrl.html
-Audit Review:::Review Solaris Auditing logs:auths=solaris.audit.read;help=RtAuditReview.html
+Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
+Audit Control:::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
+Audit Review:::Review Solaris Auditing logs:help=RtAuditReview.html
Console User:::Manage System as the Console User:profiles=Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,Network Autoconf User;auths=solaris.system.shutdown;help=RtConsUser.html
Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html
Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
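Review bot: `Audit Control` drops `solaris.jobs.admin` together with `solaris.audit.config`, and `Audit Review` now carries no `auths=` at all, but the commit description mentions neither reduction. Roles that relied on Audit Control for cron job administration lose that authorization on upgrade. Any local `user_attr` entry or custom profile that still names `solaris.audit.config` or `solaris.audit.read` would refer to authorizations that auth_attr.txt no longer defines after this commit. If this is intended, a line in the description or the release notes should make the change in rights explicit.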