Sorry ... the first copy of this was under a non related thread ... my clue to go home .. Hi, I am adding the new test cases to check for the boundary conditions on filename and pathname when inserting watches... I am trying the following scenarios: Filename > NAME_MAX (260) Filename = NAME_MAX (255) Filename = NAME_MAX+1 (256) Filename = NAME_MAX-1 (254) Pathname > PATH_MAX (4098) Pathname = PATH_MAX (4095) Pathname = PATH_MAX+1 (4096) Pathname = PATH_MAX-1 (4094) The values in () are the strlen() output of what I am actually supplying the auditctl command (now I am passing those values, assuming that the null character will bring the value up to what I am testing) Then I thought to get the latest audit and I look in auditctl.c file, it seems that it is comparing against strlen() output, so not counting NULL. Based on what I found, I am thinking my initial assumption above is not valid, and I need to supply enough characters (without the null) to meet my test scenario ... Is this correct? -loulwa