From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001
From: Ashlee Young
Date: Sun, 29 Nov 2015 08:22:13 -0800
Subject: v2.4.4 audit sources

Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young
---
 framework/src/audit/TODO | 61 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 framework/src/audit/TODO

(limited to 'framework/src/audit/TODO')

diff --git a/framework/src/audit/TODO b/framework/src/audit/TODO
new file mode 100644
index 00000000..e568929a
--- /dev/null
+++ b/framework/src/audit/TODO
@@ -0,0 +1,61 @@ +Things that need to be done: +=========================== +2.5 +* Add audit by process name support +* Add support for enriched data + +2.5.1 +* Fix auparse to handle out of order messages +* Add metadata in auparse for subj,obj,action,results +* Performance improvements for auparse +* auditctl should ignore invalid arches for rules +* If auparse input is a pipe timeout events by wall clock + +2.6 +* Add cross-compile support +* Add gzip format for logs +* Add keywords for time: month-ago +* Add rule verify to detect mismatch between in-kernel and on-disk rules +* Fix SIGHUP for auditd network settings +* Fix auvirt to report AVC's and --proof for --all-events + +2.6.1 +* Fix ausearch/report to handle aggregated events +* When searching, build log time list & only read the ones that are in range +* Change ausearch-string to be AVL based +* Add libaudit.m4 to make audit easier to include +* Look at adding the direction read/write to file report (threat modelling) +* Changes in uid/gid, failed changes in credentials in aureport +* aureport get specific reports working +* Remove evil getopt cruft in auditctl +* Group message types in ausearch help. + +2.7 +* Look at pulling audispd into auditd +* Consider adding node/machine name to records going to rt interface in daemon as protocol version 2. +* Fix retry logic in distribute event, buffer is freed by the logger thread +* interpret contexts +* Allow -F path!=/var/my/app +* Add ignore action for rules +* Look at openat and why passed dir is not given +* Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid. +* Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPCcall. 
+* Fix aureport accounting for avc in permissive mode +* rework ausearch to use auparse +* rework aureport to use auparse + +2.8 +* Consolidate parsing code between libaudit and auditd-conf.c +* Look at variadic avc logging patch +* If relative file in cwd, need to build also (realpath). watch out for (null) and socket +* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME +* add more libaudit man pages +* ausearch --op search +* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide + +2.9 +Add scheduling options: strict, relaxed, loose (determines user space queueing) +Allow users to specify message types to be kept for logging +Allow users to specify fields to be kept for logging +Pretty Print ausearch messages (strace style?) +Look at modifying kernel rule matcher to do: first match & match all -- cgit 1.2.3-korg
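Review bot: the 2.9 block at the end of the hunk drops the "* " bullet prefix that every other version block (2.5 through 2.8) uses, so its five items ("Add scheduling options: strict, relaxed, loose ...", "Allow users to specify message types to be kept for logging", ...) should be prefixed the same way to keep the file parseable by eye and by any script that greps for "^\* ". Two smaller points in the same file: the 2.8 item "Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME" pins a bare line number that will go stale on the next edit to that source file, so referencing the function name or the FIXME marker text would be more durable; and the 2.6 item "Fix auvirt to report AVC's" should read "AVCs". Of the listed work, the 2.6 item "Add rule verify to detect mismatch between in-kernel and on-disk rules" is the one with direct detection value, since a silent divergence between the loaded and on-disk rule sets means events an operator believes are being recorded are not; it may be worth calling out in the commit message rather than leaving it as one bullet among many.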