On Wed, 2012-01-18 at 10:54 -0800, Peter Moody wrote:
> What does the hex number after arch= mean?
>
> 64bit seems to always be c000003e and 32bit seems to be 40000003, but
> I'd feel a lot better setting up log monitoring if I knew what they
> actually represented.
>
> $ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...
If we look around the kernel source code we find

From: include/linux/audit.h

    #define __AUDIT_ARCH_64BIT 0x80000000
    #define __AUDIT_ARCH_LE    0x40000000
    ...
    #define AUDIT_ARCH_I386   (EM_386|__AUDIT_ARCH_LE)
    ...
    #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

From: include/linux/elf-em.h

    #define EM_386    3
    ...
    #define EM_X86_64 62 /* AMD x86-64 */

So it is a combination of the ELF architecture declaration, endian-ness, and whether it is a 64-bit arch. These should be stable values you can count on.

-Eric

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
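The composition Eric describes, worked through in code as an added example (not part of the thread): it rebuilds AUDIT_ARCH_X86_64 and AUDIT_ARCH_I386 from the quoted header constants, splits a value back into its ELF machine number and flag bits, and pulls the arch= field out of both auditctl -l output (decimal with the hex in parentheses) and a raw audit record (bare hex). The EM_* name table covers only the two machines quoted in the thread, and the two sample lines are constructed.

```python
import re

# Flag bits quoted from include/linux/audit.h
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
_FLAG_MASK = AUDIT_ARCH_64BIT | AUDIT_ARCH_LE

# ELF machine numbers quoted from include/linux/elf-em.h (assumption: only these two are tabled here)
EM_NAMES = {3: "i386", 62: "x86_64"}


def encode_arch(em, bits64, little_endian):
    """Compose an AUDIT_ARCH_* value the same way the audit.h macros do."""
    value = em
    if bits64:
        value |= AUDIT_ARCH_64BIT
    if little_endian:
        value |= AUDIT_ARCH_LE
    return value


def decode_arch(value):
    """Split an arch= value into (ELF machine name, is_64bit, is_little_endian)."""
    machine = value & ~_FLAG_MASK & 0xFFFFFFFF  # strip the two flag bits, keep the EM_* number
    name = EM_NAMES.get(machine, "EM_%d" % machine)
    return name, bool(value & AUDIT_ARCH_64BIT), bool(value & AUDIT_ARCH_LE)


def arch_from_line(line):
    """Return the arch value (as an int) from an auditctl -l line or an audit SYSCALL record."""
    m = re.search(r"arch=\d+ \(0x([0-9a-fA-F]+)\)", line)  # auditctl -l: decimal plus (0x...)
    if m is None:
        m = re.search(r"\barch=([0-9a-fA-F]+)", line)      # audit.log: bare hex, no 0x prefix
    if m is None:
        return None
    return int(m.group(1), 16)


# Constructed sample lines in the two formats a monitoring script will meet
RULE_LINE = "LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=execve"
LOG_LINE = "type=SYSCALL msg=audit(1326912345.123:42): arch=c000003e success=yes exit=0"

if __name__ == "__main__":
    for line in (RULE_LINE, LOG_LINE):
        value = arch_from_line(line)
        print("0x%08x -> %s" % (value, decode_arch(value)))  # 0xc000003e -> ('x86_64', True, True)
```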
