Things that need to be done:
===========================
2.8
* Support FANOTIFY record
* Add object2 API to auparse-normalize
* ausearch text format, add 'to xxx' for file perm/owner, & uid/gid changes
* ausearch text format, add 'to xxx' for mount operations
* There are 3 kinds of mount: failed, fuser success, kernel success
* Check calls to simple_file_attr() are getting right record
* In normalizer, check number of first_field calls
* In auparse-normalize, fix USER_CHAUTHTOK to use op field
* If server suspends after client sends event &before ack, client wont reconnect
* Re-write auvirt
* Fix auvirt to report AVC's and --proof for --all-events
* In audispd, look into non-blocking handling of write to plugins
* Add sockaddr accessor functions in auparse
* non-equality comparisons for values other than \timestamp, \timestamp_ex and \record_type in ausearch-expression (#1399314)

2.8.1
* Support multiple time streams when searching
* Support ipv6 remote logging
* Look into TLS support
* Add rule verify to detect mismatch between in-kernel and on-disk rules

2.9
* Look at pulling audispd into auditd
* Container support
* Performance improvements for auparse (Memory management)
* auditd.conf space_left sizes can be %
* Add ability to filter events in auditd
* Fix audit.pc.in to use Requires.private
* If auparse input is a pipe timeout events by wall clock
* Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME

3.0
* Basic HIDS
* Consolidate linked lists and other functions
* Consolidate parsing code between libaudit and auditd-conf.c

3.0.1
* Fix SIGHUP for auditd network settings
* Add gzip format for logs
* Add keywords for time: month-ago

3.0.2
* Look at adding the direction read/write to file report (threat modelling)
* Changes in uid/gid, failed changes in credentials in aureport

3.1
* Allow -F path!=/var/my/app
* Look at openat and why passed dir is not given
* Add SYSLOG data source for auparse. This allows leading text before audit       messages, missing type, any line with no = gets thrown away. iow, must have     time and 1 field to be valid.
* Fix aureport accounting for avc in permissive mode

3.1.1
* Fix aureport-scan to properly decide if CONFIG_CHANGE is add or del, need to optionally look for op and use remove/add to decide
