On Wed, 28 Nov 2007 19:52:46 GMT, Alan Cox said:
> > It might be better to identify the services (gateway, samba, file
> > server whatever) that are actually dealing with possible infected
> > "external" files and then define some generic interface that would
> > allow you to check those as the data appears.
> 
> I am wondering if the right interface is actually more related to the
> existing audit interfaces ?

The problem there is that the audit interface just *records* - it doesn't
have the ability to say "No, I don't *think* so.." that the LSM interface has.