~ubuntu-branches/debian/lenny/audit/lenny

Things that need to be done:
===========================
1.7.5
* Get remote logging receive working
* Create aulast command

1.7.6
* Get remote logging flow control working
* Fix auparse to handle out of order messages
* Should session number go into logins and AVCs for prelude?
* add definitions for crypto events
* auditctl needs to be able to take file names with spaces in rule files
* Finish remote logging plugin, nss, gssapi, labeled networking.

2.0
* Consider adding node/machine name to records going to rt interface in daemon as protocol version 2.
* Update prelude detections to send anomaly events
* Look at adding the direction read/write to file report (threat modelling)
* Submit patch for runlevel change
* Add basic responses to prelude plugin
* Changes in uid/gid, failed changes in credentials in aureport
* Switch auditctl over to use only new rule structs
* Remove all old rule structs
* Bump soname number ???
* Get specific reports working in aureport
* Add keywords for time: last-boot, last-load, last-relabel.
* auditctl session id, pgid
* auditctl should ignore invalid arches for rules
* Look at supporting binary formats
* Remove evil getopt cruft in auditctl

2.0.1
* Fix retry logic in distribute event, buffer is freed by the logger thread
* Interpret more syscall args: ioctl, [sg]etsockopt, ptrace, fcntl, chmod
* Add subject information to audit internal messages
* Interpret contexts
* Add keywords for time: month-ago
* Allow -F path!=/var/my/app
* Add ignore action for rules
* Look at openat and why passed dir is not given
* Look at emitting event in pipe mode when 5 clock seconds have passed and nothing new has been read
* Add SYSLOG data source for auparse. This allows leading text before audit messages and a missing type; any line with no = gets thrown away. In other words, a line must have a time and at least 1 field to be valid.
* Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPC call.
* Fix aureport accounting for avc in permissive mode
* Rework ausearch to use auparse
* Rework aureport to use auparse
* Add gzip format for logs

2.0.2
* Consolidate parsing code between libaudit and auditd-conf.c
* Group message types in ausearch help.
* Add mode where it ignores syscalls it can't resolve for arch
* Look at variadic avc logging patch
* If relative file in cwd, need to build also (realpath). Watch out for (null) and socket
* Change ausearch to output name="" unless it's a real null. (mount) ausearch-report.c, 523. FIXME
* Add aureport report giving login time ranges for a user
* add more libaudit man pages
* ausearch --op search
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide

2.1
* Add scheduling options: strict, relaxed, loose (determines user space queueing)
* Allow users to specify message types to be kept for logging
* Allow users to specify fields to be kept for logging

2.2
* Pretty-print ausearch messages
* Audit explorer GUI
* Look at modifying kernel rule matcher to do: first match & match all