On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
I'm posting these patches for early review; users of the code are not in
the kernel yet.
Quick public comment (we chatted on IRC): there are already a number of user-space
crypto events. I think what is in the logs here can be fit into the
existing categories, and the user-space ones can be replicated in the kernel.
-Steve
Two new records are defined; in each case output of records is caused by a
syscall, and all other syscall-related data (process identity, syscall
result) is audited in the usual records.
AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
changed.
AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
crypto operation. To disable auditing these records by default and to
allow the users to selectively enable them using filters, a new filter
field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
Attached for review are:
- A kernel patch
- A userspace audit patch
- A few example audit entries
Mirek