aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/audit/TODO
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/audit/TODO')
-rw-r--r--framework/src/audit/TODO61
1 files changed, 61 insertions, 0 deletions
diff --git a/framework/src/audit/TODO b/framework/src/audit/TODO
new file mode 100644
index 00000000..e568929a
--- /dev/null
+++ b/framework/src/audit/TODO
@@ -0,0 +1,61 @@
+Things that need to be done:
+===========================
+2.5
+* Add audit by process name support
+* Add support for enriched data
+
+2.5.1
+* Fix auparse to handle out of order messages
+* Add metadata in auparse for subj,obj,action,results
+* Performance improvements for auparse
+* auditctl should ignore invalid arches for rules
+* If auparse input is a pipe timeout events by wall clock
+
+2.6
+* Add cross-compile support
+* Add gzip format for logs
+* Add keywords for time: month-ago
+* Add rule verify to detect mismatch between in-kernel and on-disk rules
+* Fix SIGHUP for auditd network settings
+* Fix auvirt to report AVC's and --proof for --all-events
+
+2.6.1
+* Fix ausearch/report to handle aggregated events
+* When searching, build log time list & only read the ones that are in range
+* Change ausearch-string to be AVL based
+* Add libaudit.m4 to make audit easier to include
+* Look at adding the direction read/write to file report (threat modelling)
+* Changes in uid/gid, failed changes in credentials in aureport
+* aureport get specific reports working
+* Remove evil getopt cruft in auditctl
+* Group message types in ausearch help.
+
+2.7
+* Look at pulling audispd into auditd
+* Consider adding node/machine name to records going to rt interface in daemon as protocol version 2.
+* Fix retry logic in distribute event, buffer is freed by the logger thread
+* interpret contexts
+* Allow -F path!=/var/my/app
+* Add ignore action for rules
+* Look at openat and why passed dir is not given
+* Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid.
+* Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPCcall.
+* Fix aureport accounting for avc in permissive mode
+* rework ausearch to use auparse
+* rework aureport to use auparse
+
+2.8
+* Consolidate parsing code between libaudit and auditd-conf.c
+* Look at variadic avc logging patch
+* If relative file in cwd, need to build also (realpath). watch out for (null) and socket
+* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
+* add more libaudit man pages
+* ausearch --op search
+* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide
+
+2.9
+Add scheduling options: strict, relaxed, loose (determines user space queueing)
+Allow users to specify message types to be kept for logging
+Allow users to specify fields to be kept for logging
+Pretty Print ausearch messages (strace style?)
+Look at modifying kernel rule matcher to do: first match & match all