Things that need to be done:
===========================
1.6.6
* Put message types into ternary or avl tree for ausearch/aureport use
* Add remote logging plugin, gssapi, labeled networking, nss.
* fix auparse to handle out of order messages
* Fix retry logic in distribute event, buffer is freed by the logger thread
* Consider adding node/machine name to records going to rt interface in daemon    as protocol version 2.
* Sessions for logins - all events in same session ausearch
* Get a basic ids plugin up and running. (login on watched acct).
* Create basic response plugin

1.6.7
* Add keywords for time: month-ago
* Fix multilib problems for sc-audit
* Allow -F path!=/var/my/app
* Add ignore action for rules
* Look at openat and why passed dir is not given
* look at emitting event in pipe mode when 5 clock seconds have passed and         nothing new has been read
* Submit patch for runlevel change
* Add SYSLOG data source for auparse. This allows leading text before audit       messages, missing type, any line with no = gets thrown away. iow, must have     time and 1 field to be valid.
* Update auditctl so that if syscall is not found, it checks for socket call      and suggests using it instead. Same for IPCcall.
* Fix aureport accounting for avc in permissive mode
* Interpret more syscall args: ioctl,[sg]etsockopt,ptrace,fcntl,chmod 
* rework ausearch to use auparse
* rework aureport to use auparse
* Add subject information to audit internal messages
* interpret contexts
* Add gzip format for logs

1.6.8
* Investigate effects of slow dispatcher
* Consolidate parsing code between libaudit and auditd-conf.c
* Group message types in ausearch help.
* Add mode where it ignores syscalls it can't resolve for arch
* Look at variadic avc logging patch 
* If relative file in cwd, need to build also (realpath). watch out for (null) and socket
* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
* Changes in uid/gid, failed changes in credentials in aureport
* Add aureport report giving login time ranges for a user
* add more libaudit man pages
* ausearch --op search
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide

1.7
* Look at adding the direction read/write to file report (threat modelling)
* Switch auditctl over to use only new rule structs
* Remove all old rule structs
* Bump soname number ???
* aureport get specific reports working
* Add keywords for time: last-boot, last-load, last-relabel.
* auditctl session id, pgid
* auditctl should ignore invalid arches for rules
* Look at supporting binary formats
* Remove evil getopt cruft in auditctl

1.8
Look at key option for aureport
Add scheduling options: strict, relaxed, loose (determines user space queueing)
Allow users to specify message types to be kept for logging
Allow users to specify fields to be kept for logging

1.9
Pretty Print ausearch messages
audit explorer gui
Look at modifying kernel rule matcher to do: first match & match all 
