what does the arch= hex number represent?

what does the arch= hex number represent?

[Peter Moody]

What does the hex number after arch= mean?

64bit seems to always be c000003e and 32bit seems to be 40000003, but
I'd feel a lot better setting up log monitoring if I knew what they
actually represented.

$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...

Cheers,
peter

-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: what does the arch= hex number represent?

[Eric Paris]

On Wed, 2012-01-18 at 10:54 -0800, Peter Moody wrote:
> What does the hex number after arch= mean?
> 
> 64bit seems to always be c000003e and 32bit seems to be 40000003, but
> I'd feel a lot better setting up log monitoring if I knew what they
> actually represented.
> 
> $ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...

If we look around the kernel source code we find

From: include/linux/audit.h

#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE    0x40000000
...
#define AUDIT_ARCH_I386         (EM_386|__AUDIT_ARCH_LE)
...
#define AUDIT_ARCH_X86_64       (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

From: include/linux/elf-em.h

#define EM_386          3
...
#define EM_X86_64       62      /* AMD x86-64 */

So it is a combination of the elf architecture declaration, endian-ness,
and if it is a 64bit arch....

These should be stable values you can count on.

-Eric