Things that need to be done:
===========================
2.7
* Update libev to 4.22
* Update auparse_set_escape_mode to use the auparse_state_t pointer
* Look into restarting network connections in audisp-remote after idle timeout
* Fix audit.pc.in to use Requires.private
* Add sockaddr accessor functions in auparse
* Add a realpath variant accessor that resolves whole path
* Add metadata in auparse for subj,obj,action,results
* Formats for ausearch output
* Selectable escaping for ausearch/report output
* Add ability to suppress types of records (drop_records)

2.7.1
* Look at pulling audispd into auditd
* In audispd, look into non-blocking handling of write to plugins
* Consolidate linked lists and other functions
* Consolidate parsing code between libaudit and auditd-conf.c
* If relative file in cwd, need to build also (realpath). watch out for (null) and socket
* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
* Support mutiple time streams when searching
* When interpretting sockaddr, use syscall to determine remote vs local

3.0
* Basic HIDS
* Support ipv6 remote logging
* Look into TLS support
* Performance improvements for auparse
* If auparse input is a pipe timeout events by wall clock
* Add rule verify to detect mismatch between in-kernel and on-disk rules
* ausearch --op search

3.0.1
* Fix auvirt to report AVC's and --proof for --all-events
* Fix SIGHUP for auditd network settings
* auditctl should ignore invalid arches for rules
* Add gzip format for logs
* Add keywords for time: month-ago

3.0.2
* When searching, build log time list & only read the ones that are in range
* Look at adding the direction read/write to file report (threat modelling)
* Changes in uid/gid, failed changes in credentials in aureport
* Group event types in ausearch help.

3.1
* Allow -F path!=/var/my/app
* Add ignore action for rules
* Look at openat and why passed dir is not given
* Add SYSLOG data source for auparse. This allows leading text before audit       messages, missing type, any line with no = gets thrown away. iow, must have     time and 1 field to be valid.
* Fix aureport accounting for avc in permissive mode
* rework ausearch to use auparse
* rework aureport to use auparse

3.1.1
* Look at variadic avc logging patch 
* add more libaudit man pages
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide
Allow users to specify fields to be kept for logging
