These are the testcases I am writing to test the code Tim is providing for the audit filesystem. The testcases will be included in LTP.
These cases are meant to cover the CAPP requirements. there is some FVT testing covered as well, but that still needs to be expanded to test the permissions and boundary cases (watch fields lengths, invalid fields ... etc).
Please give feedback if you can think of any scenarios that I have not considered, or modifications that I need to implement.

Thanks
- Loulwa

Test 1 : Access watched file by opening it (file already exists)
               Expected: 1 watch records for file access/open
       
Test 2 : Create a watched file (file created after watch is inserted)
               Expected: 1 watch records for open() with regards to file creation

Test 3 : Create hard link to a watched file and then access it by opening it for read
               Expected: 1 watch record for open() on original file

Test 4 : Create hard link to an unwatched file, watch file, then access hard link by opening it for read
                Expected: 1 watch record for open() on original file

Test 5 : Create hard link to watched file, delete watched file, then access hard link by opening it for read
                Expected: No watch record

Test 6 : Recreate a watched file that has been deleted previously
                Expected: 1 watch record for unlink() with regards to file deletion
                Expected: 1 watch record for open() with regards to file recreation

Test 7 : Recreate a watched file that has been deleted previously
               (creating hardlink to it first, so on recreation we are certain we get new inode number)
               Expected: 1 watch record for unlink() with regards to file deletion
               Expected: 1 watch record for open() with regards to file recreation

Test 8 : Delete a watched file
              Expected: 1 watch record for file deletion

Test 9 : Remove a watched directory
              Expected: 1 watch record for rmdir() with respect to directory removal

Test 10 : copy a watched file to unwatched name (copy out) - access through new name
               Expected: 1 watch record for original file access/open
               Expected: No record for accessing through new name

Test 11 : copy a file to a watched name (copy in) - access through new name
               Expected: 1 record for file creation in new name
               Expected: 1 record for new file access/open

Test 12 : Move a watched file out of a watched location and access by opening it for read
               Expected: 1 watch record for rename() with regards to moving out of a watched location.        
               Expected: No watch record for new file open()

Test 13 : Move a watched file into a watched location and access by opening it for read
               Expected: 1 record for rename() with regards to moving out of a watched location.        
               Expected: 1 watch record for open() in new location

Test 14 : Move a directory having a watched file - access file in new location
               Expected: No watch record