-
Notifications
You must be signed in to change notification settings - Fork 6
/
TODO
60 lines (56 loc) · 2.87 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Things that need to be done:
===========================
2.1.4
* Add support for obj uid/gid rules
* Add support for new kernel rule comparitor
* Fix ausearch/report to handle aggregated events
* When searching, build log time list & only read the ones that are in range
* Fix auparse to handle out of order messages
* Look at gssapi support being done via dlopen()
* Add rule verify to detect mismatch between in-kernel and on-disk rules
* Fix SIGHUP for auditd network settings
* If auparse input is a pipe timeout events by wall clock
* Review sshd login data being put into prelude events, add source addr/port
2.1.5
* Change ausearch-string to be AVL based
* Performance improvements for auparse
* Look at pulling audispd into auditd
* auditctl needs to be able to take file names with spaces in rule files
* Add gzip format for logs
* Consider adding node/machine name to records going to rt interface in daemon as protocol version 2.
* Update prelude detections to send anomaly events
* Add basic responses to prelude plugin
* Should session number go into logins and AVCs for prelude?
* Add libaudit.m4 to make audit easier to include
* Look at adding the direction read/write to file report (threat modelling)
* Changes in uid/gid, failed changes in credentials in aureport
* aureport get specific reports working
* auditctl should ignore invalid arches for rules
* Remove evil getopt cruft in auditctl
* Group message types in ausearch help.
2.2
* Fix retry logic in distribute event, buffer is freed by the logger thread
* interpret contexts
* Add keywords for time: month-ago
* Allow -F path!=/var/my/app
* Add ignore action for rules
* Look at openat and why passed dir is not given
* Add SYSLOG data source for auparse. This allows leading text before audit messages, missing type, any line with no = gets thrown away. iow, must have time and 1 field to be valid.
* Update auditctl so that if syscall is not found, it checks for socket call and suggests using it instead. Same for IPCcall.
* Fix aureport accounting for avc in permissive mode
* rework ausearch to use auparse
* rework aureport to use auparse
2.3
* Consolidate parsing code between libaudit and auditd-conf.c
* Look at variadic avc logging patch
* If relative file in cwd, need to build also (realpath). watch out for (null) and socket
* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME
* add more libaudit man pages
* ausearch --op search
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide
2.4
Add scheduling options: strict, relaxed, loose (determines user space queueing)
Allow users to specify message types to be kept for logging
Allow users to specify fields to be kept for logging
Pretty Print ausearch messages (strace style?)
Look at modifying kernel rule matcher to do: first match & match all