./trustedprograms/tests/test_groupmod.c
1: When a group's gid is changed // groupmod -g gid

./trustedprograms/tests/test_usermod.c
1: When a user name is changed in a group.  // usermod -l
2: When a user is removed from a group.  // usermod -G
  // The user must be a member of a group that is not in the list of groups (-G) supplied on the command to create this record.
3: When a user name is added to a group.  // usermod -G
  // The user must not already be a member of a group that is in the list of groups (-G) supplied on the command to create this record.
4: When a user's home directory is moved.  // usermod -d -m
  // This record can be generated in two different ways.  The first is if the old and new home directory are on the same filesystem.
  // The second is if the old and new home directory are on different filesystems.
5: When a user's home directory owner(s) is changed.  // usermod -d -m -u
6: When a user's uid is changed. & When a user's home directory tree owner(s) is changed.  // usermod -u
  // Although the default group gid will be changed along with the uid, this record will only be generated if the uid is changed.
7: When a user's password is changed.  // usermod -p
9: When a user's default group is changed.  // usermod -g
10: When a user's comment is changed. // usermod -c
11: When a user's home directory is moved. // usermod -d
12: When a user's shell is changed. // usermod -s
13: When a user's inactivity is changed. //usermod -f
14: When a user's expiration date is changed. // usermod -e

./trustedprograms/tests/test_passwd.c
1: When a user successfully uses the passwd program.  // passwd 
2: FAILURE When a user unsuccessfully uses the passwd program.  // passwd

./trustedprograms/tests/test_useradd.c
1: When the defaults for useradd are changed.  // /usr/sbin/useradd --save-defaults -g GID -d HOMEDIR -e EXPIRE -f INACTIVE -s SHELL
2: When a user is added to a group.  // useradd -G GID USER
4: When a user is added.  // useradd 
5: When a user's home directory is created.  // useradd -m USER

./trustedprograms/tests/test_groupadd.c
1: When a group is added.  // groupadd

./trustedprograms/tests/test_userdel.c
2: When a user is deleted.  // userdel
5: When a user's mail file is deleted.  // userdel -r
7: When a user's home directory is deleted.  // userdel -r

./trustedprograms/tests/test_gpasswd.c
1: FAILURE When attempting to modify a group when the user is not "root" or an administrator.  // gpasswd
2: When removing the password associated with a group.  // gpasswd -r
3: When the group password is changed.  // gpasswd

./trustedprograms/tests/test_groupdel.c
1: When a group is deleted.  // groupdel



./libpam/tests/test_su.c  // su
1: su When a user successfully uses the su program.
2: FAILURE su  // su (and a bad password)

./libpam/tests/test_sshd.c  // sshd
1: sshd When a user successfully uses the sshd program.
2: FAILURE sshd When a user unsuccessfully uses the sshd program.
3: sshd When a user successfully authenticates that their origin information is logged

./libpam/tests/test_login.c  // login
1: login When a user successfully uses the login program.
2: FAILURE login When a user fails to authenticate using the login program.

./libpam/tests/test_vsftpd.c  // ftp
1: ftp When a user successfully uses the vsftpd program.
2: FAILURE ftp When a user successfully uses the vsftpd program.



./audit_trail_protection/audit_trail_protection.c
1: stat() file, check root ownership, check permissions
	/etc/audit/audit.rules
	/etc/audit/auditd.conf


audit_tools/ssh01
audit_tools/ssh01_s1
  helpers to generate ssh login

audit_tools/test_setxattr.c
  helper that creates a temp file, sets euid and fsuid then setxattr, sets fsuid and euid back and unlinks 

audit_tools/test_groupadd.c
  helper that does a group add

audit_tools/test_bind.c
  helper for bind and network utils
  The successful case creates an ordinary INET TCP socket and binds to it.
   1) Creates a new socket
   2) Finds a valid port for binding
   3) Sets the euid to the test user
   4) Makes the bind syscall
   5) Sets the euid to the superuser
   6) Verifies that bind executed successfully
   7) Closes the socket.

  In the erroneous case passes a -1 for socket file descriptor.
  Since this is a bad file descriptor, bind will return an EBADF error code.
   1) Creates a new socket
   2) Sets the euid to the test user
   3) Calls bind() with the sockfd being -1
   4) Sets the euid to the superuser
   5) Verifies that bind executed erroneously
   6) Closes the socket.

audit_tools/au_restart
  uses `/etc/init.d/audit restart` to seed audit log, then checks for messages

audit_tools/ausearch
   test that searching based on SYSCALL information works
    -m SYSCALL
    -sc <name>
    -sc <value>
    -sv <yes>
    -sv <no>
    others?
   test that searching based on TEXT information works
   - messages about adding users and groups

fail-safe/tests/test_rollover.c
   1) Performs pre-processing, including establishing a signal
      handler, incrementing the semaphore and establishing the audit
      configuration (with small pre-allocated binary files in order
      to easily test the rollover function).
   2) Forks a process that writes repeated user-message audit records
      to cause the log files to rollover.
   3) Verifies the rollover function by waiting for a successful
      decrement of the semaphore, insuring the symlink points to the
      new log file and verifying the new log file contains a
      user-message audit record.
   4) Performs post-processing, including resetting the audit
      configuration and displaying all output messages from the
      notification program.

fail-safe/tests/test_rollover_failure.c
   1) Performs pre-processing, including establishing a signal
      handler, incrementing the semaphore, lowering the kernel audit
      buffer (max-messages) and establishing the audit configuration
      (with small pre-allocated binary files in order to easily test
      the rollover function and telling the notify program to return
      a non-zero return code).
   2) Forks a process that writes repeated user-message audit records
      to cause the log files to rollover.  But before it does this,
      it sleeps for a bit to give the other processes time to setup.
      If this process does not block because of unsuccessful rollover
      failure support then this process will signal the parent with
      a SIGHUP.
   3) Forks a second process that detaches from auditing so as not
      to be blocked because of the rollover failure support.  But
      before it does this, it sleeps for a bit to give the parent
      process time to setup.  After detaching from auditing this
      process will sleep for a while to allow the first process
      to do it's thing.  If the first process gets blocked because
      of successful rollover failure support then this process will
      eventually wake up and signal the parent with a SIGINT.
   4) Detaches from auditing so as not to be blocked because of the
      rollover failure support.  Verifies the rollover failure support
      by waiting for a successful decrement of the semaphore (which
      will never happen - but since a semop call will return if the
      process is signaled it allows the test to easily process the
      signal which will indicate success or failure).
         SIGQUIT - an error during test setup
         SIGHUP  - rollover failure support failed
         SIGINT  - rollover failure support succeeded
   5) Performs post-processing, including resetting the kernel audit
      buffer (max-messages), killing the audit daemon using 'kill -9'
      because stopAudit() (which uses killall) won't work if rollover
      failure support worked, resetting the audit configuration and
      displaying all output messages from the notification program(s).

fail-safe/tests/test_pam_loginuid.c
    When auditing is disabled that the pam_loginuid disallows users to login to the system

filters/tests/test_login.c
 Tests the login support.
 -m LOGIN

filters/tests/test_process_attrs.c
 Tests the login-uid process attribute support.
 -F auid=N
 -F auid!=N

filters/tests/test_file_attrs.c
 Tests the file-mode, file-dev, file-ino file attribute support.
 -F inode=N
 Tests the dev-major, dev-minor file attribute support.
 -F devmajor=N
 -F devminor=N

filters/tests/test_syscall_attrs.c
 -F success=yes
 -F success=no
 -F syscall=<name>
 -F syscall=<number>

filters/tests/test_user_msg.c
 Tests the user message filtering support.
 -m <user message>

filters/tests/test_str_cmp.c
 Tests the string comparison filtering support.
 verify strange characters in user messages

filters/tests/watch
 Test behavior for:
 - hardlinks
 - symlinks
 - renames
 use filterkey for determining filesystem object

