My main goal for this test was to see how the code handles the watch list management specially on boundaries. I did not try to be too creative in this test. I ran the test on intel 2.6.11 kernel. Non SMP. The short conclusion is that the Watch list management holds pretty good. Again, this is was not an SMP box. Suggested improvements: - A little slow on delete. Did not time, just from observation. - Change the return error whenever deleting a nonexistent watch from: operation not permitted to something like watch does not exists. - Need (not necessarily a CAPP requirement) an audit record whenever a Watch is added or deleted. What I did: - Just one Watch node in the Watch list -> OK - 10000 Watch nodes for 10000 files, touch all the files -> OK, got all the records. - Added 100 to the 10000 Watch nodes with auditcl -w xxx -p w -k keyxxx -> OK, got all records. - Looping and accessing the last watch point for 1000 times -> OK, got all records, no hang. - Looping on a middle Watch node for 1000 times -> OK, got all records, no hang. - Looping on the first Watch node for 1000 times -> Ok, got all records no hang. - 4 simultaneous loops with 10000 iteration each all accessing the same file. -> OK, correct number of records, no hang. - Delete the last Watch point & access the file -> OK, no record generated. - Delete 500 Watch nodes from the middle -> OK, BUT took somewhat longer than expected - Delete 3000 Watch nodes from the end. & access the remaining files -> OK, correct number of records. - Delete 500 from the beginning of the list & access the remaining files -> OK, correct number of records. - Add Watch nodes for 1000 directories: auditctl -w xxx -p w -k kxxx -> OK. correct number of records. - Create one file in each of these directories -> OK, correct number of records. - Loop creating 10 files in each directory -> OK, correct number of records. Mounir Bsaibes Linux Security Tel: (512) 838-1301 Cell: (512) 762-9957 Fax: (512) 838-8858 e-mail: bsaibes(a)us.ibm.com