Things that need to be done:
===========================
1.5.5
* Finish new event dispatcher
* Add end-of-event record. filter out in auditd, but send to rt interface
* Fix aureport accounting for avc in permissive mode
* Add node/machine name to records
* Interpret more syscall args: ioctl,[sg]etsockopt,ptrace,fcntl,chmod 
* fix auparse to handle out of order messages
* Update auditctl so that if syscall is not found, it checks for socket call
  and suggests using it instead. Same for IPCcall.
* rework ausearch to use auparse
* rework aureport to use auparse
* regex search options for parser library
* Add subject information to audit internal messages
* interpret contexts
* Add gzip format

1.5.6
* Investigate effects of slow dispatcher
* Consolidate parsing code between libaudit and auditd-conf.c
* Group message types in ausearch help.
* Add mode where it ignores syscalls it can resolve for arch
* Allow use of errno strings for exit codes
* Put message types into ternary or avl tree for ausearch/aureport use
* look at emitting event in pipe mode when 5 clock seconds has passed and nothing new has been read
* Look at variadic avc logging patch 
* If relative file in cwd, need to build also (realpath). watch out for (null) and socket
* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
* Changes in uid/gid, failed changes in credentials in aureport
* Add aureport report giving login time ranges for a user
* add more libaudit man pages
* ausearch --op search
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide

1.5.7
* Look at adding the direction read/write to file report (threat modelling)
* Switch auditctl over to use only new rule structs
* Remove all old rule structs
* Bump soname number ???
* aureport get specific reports working
* Add keywords for time: last-boot, last-load, last-relabel.
* Sessions for logins - all events in same session ausearch

1.6
create responder to potential security incidents
auditctl session id, pgid
Add counting semaphore to control internal queue depth
auditctl should ignore invalid arches for rules
Look at supporting binary formats
Remove evil getopt cruft in auditctl

1.7
Look at key option for aureport
Add scheduling options: strict, relaxed, loose (determines user space queueing)
Add config option media: syslog, file, socket, dbus
Allow users to specify message types to be kept for logging
Allow users to specify fields to be kept for logging

1.8
Pretty Print ausearch messages
audit explorer gui

IN THE DISTANT FUTURE:
Look at modifying kernel rule matcher to do: first match & match all 
Consider creating way to interactively delete rules by menu
Create a rule builder GUI
