The introduced changes test the proper audit of system calls corresponding to file-create (fc) audit class. Each system call is tested twice, once for failure mode and the other for success. These tests lay the guidelines for further addition of tests covering wide range of functionalities of a specific system call.

A total of 12 file-create system calls were tested:

• mkdir(2), mkdirat(2)
• mknod(2), mknodat(2) : (requires root privileges)
• mkfifo(2), mkfifoat(2)
• link(2), linkat(2)
• symlink(2), symlinkat(2)
• rename(2), renameat(2)

Individual test-cases are independent and follow Kyua guidelines. As recommended by @asomers, it is ensured that every test-case starts auditd(8) in case it is not already running and closes it in the cleanup section. A general observation, which follows from this approach is that the time taken to complete the tests in case auditd(8) is already running is way less than the situation otherwise.

A particular observation:

1. auditd(8) already running:

▶ /usr/bin/time kyua test
file-create:link_failure  ->  passed  [0.021s]
file-create:link_success  ->  passed  [0.012s]
.........
file-create:symlinkat_failure  ->  passed  [0.014s]
file-create:symlinkat_success  ->  passed  [0.013s]

24/24 passed (0 failed)
        0.42 real         0.13 user         0.27 sys

2. auditd(8) not running initially

▶ /usr/bin/time kyua test
file-create:link_failure  ->  passed  [0.043s]
file-create:link_success  ->  passed  [0.047s]
 ......
file-create:symlinkat_failure  ->  passed  [0.053s]
file-create:symlinkat_success  ->  passed  [0.046s]

24/24 passed (0 failed)
       26.35 real         0.53 user         0.94 sys

Please note the difference in time.

• Execute make from test/sys/audit.
• Execute kyua test from test/sys/audit. All testcases should succeed.