Audit Event Enrichment
======================

There are times when the audit events are stored in another machine and need
to be searched at a later date. Some parts of the audit event are transient
in nature or unique to a system. This makes interpretting fields that
are numbers into human readable fields hard or impossible without running a
report at the time of the event or on the machine the event occurred on.

To address this issue, the audit daemon will get a new log_format, ENRICHED,
where the audit trail will be amended as follows at the time a record is
recieved from the kernel:

1) Translations will be:
  a) appended to the end of the event with the field's name in capital letters
  b) encoded if user controlled data is used for enrichment
2) The auparse library will:
  a) preferentially use these fields whenever an interpretation is requested
  b) if none exist, look up the fields on the local machine if necessary
3) Ausearch will hide them except when --raw command line option is given
4) The fields that will be resolved at event time are:
  a) *uid (translation is user defined)
  b) *gid (translation is admin defined)
  c) saddr (split in constituent pieces)
  d) arch
  e) syscall