Hello,
the attached patch adds some functionality to ausearch.  It consists of
two main parts:

ausearch_add_interpreted_item() behaves like ausearch_add_item(), but
the conditions are evaluated by comparing the interpreted field value,
not the raw value (e.g. ("uid", "=", "mitr") instead of ("uid", "=",
"500").  In principle, the application using ausearch could contain it's
own code to "un-interpret" field values, but I think it is cleaner when
the only place that maps raw and interpreted value is libauparse.  The
current implementation simply interprets the value of each field before
performing the comparison; in the future, the implementation could be
changed to "un-interpret" the supplied value when creating the rule if
the current implementation turns out to be too slow.

ausearch_add_timestamp_item() allows placing conditions on event
timestamp.

In addition, the patch fixes checking whether the operator is unknown in
ausearch_add_item().
	Mirek