How It Works
============

raw event -> classifier -> classified events

Target
======

* RHEL-7.4
* BZ#1381601 - audit package update

What to test
============

For the most important events:

TC1: EVENT MEETS SPECIFICATION
* it contains the fields it should have
* fields are set correctly

TC2: EVENT IS CLASSIFIED
* event is classified
* all fields are classified

TC3: CLASSIFIED EVENT IS CORRECT
* no data is missing
* text
  * correct semantics
  * correct syntax
* csv
  * well-formed

How to test
===========

N/A

Tools
=====

* fields-csv.c
* record-diff.R

TO BE DONE
==========

* we do not have a reference yet (specification)
* we need to prioritize event types

Meeting notes
=============

- make sure the subject is correct (IP address, tty, ...)
- we need to have a specification for how to audit things
- this is the first time we want to standardize
- containers and events: we do not know if they are even correct
- ask Bob about CRYPTO_ events
- issue with: ausearch -m anom_abend --raw | aureport -x
- the auparse classifier can be used for testing (there should be no changes)
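As an added example (not part of the original plan, and not the audit package's own tooling), the Python script below implements the TC1 checks on a raw audit record: it parses the `type=... msg=audit(...)` header and the key=value body, then reports missing required fields and malformed values. The required-field list and per-field formats are assumptions, since the notes say no specification exists yet; the sample record is constructed.

```python
import re
# ASSUMPTION: the page says no reference specification exists yet, so these
# tables are a constructed starting point for TC1, not the project's own rules.
REQUIRED_FIELDS = {
    "SYSCALL": ["arch", "syscall", "success", "exit", "pid", "auid",
                "uid", "ses", "tty", "comm", "exe"],
}
FIELD_FORMAT = {  # TC1 "fields are set correctly": value syntax per field
    "arch": re.compile(r"^[0-9a-f]+$"),
    "syscall": re.compile(r"^\d+$"),
    "success": re.compile(r"^(yes|no)$"),
    "exit": re.compile(r"^-?\d+$"),
    "pid": re.compile(r"^\d+$"),
    "auid": re.compile(r"^\d+$"),  # 4294967295 is "unset" in raw form
    "tty": re.compile(r"^(\(none\)|[A-Za-z0-9]+)$"),  # subject check from the notes
}
# type=T msg=audit(SECONDS.MILLIS:SERIAL): key=value key="quoted value" ...
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S*)""")

def parse_record(line):
    """Split one raw audit record into header parts and a dict of fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a raw audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(body):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]  # drop quotes around string values
        fields[key] = val
    return {"type": rtype, "timestamp": ts, "serial": int(serial), "fields": fields}

def check_record(line):
    """TC1: list missing required fields and fields whose value is malformed."""
    rec = parse_record(line)
    required = REQUIRED_FIELDS.get(rec["type"])
    if required is None:
        return ["no required-field list for type %s" % rec["type"]]
    problems = ["missing field: %s" % f for f in required if f not in rec["fields"]]
    for name, value in rec["fields"].items():
        pattern = FIELD_FORMAT.get(name)
        if pattern and not pattern.match(value):
            problems.append("bad value for %s: %r" % (name, value))
    return problems

# Constructed sample record (not captured from a real system).
GOOD = ('type=SYSCALL msg=audit(1484043420.177:1234): arch=c000003e syscall=59 '
        'success=yes exit=0 a0=1a2b3c pid=2345 auid=1000 uid=0 ses=2 tty=pts0 '
        'comm="id" exe="/usr/bin/id" key="exec"')
```

Running `check_record` over the output of `ausearch --raw` gives one problem list per record; an empty list means the record passes TC1 under these tables.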