From: Eric Paris
Subject: Re: what does the arch= hex number represent?
Date: Fri, 20 Jan 2012 09:26:12 -0500
Message-ID: <1327069572.14949.3.camel@localhost>
To: Peter Moody
Cc: linux-audit@redhat.com

On Wed, 2012-01-18 at 10:54 -0800, Peter Moody wrote:
> What does the hex number after arch= mean?
>
> 64bit seems to always be c000003e and 32bit seems to be 40000003, but
> I'd feel a lot better setting up log monitoring if I knew what they
> actually represented.
>
> $ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...

If we look around the kernel source code we find

From: include/linux/audit.h

    #define __AUDIT_ARCH_64BIT 0x80000000
    #define __AUDIT_ARCH_LE 0x40000000
    ...
    #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
    ...
    #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

From: include/linux/elf-em.h

    #define EM_386 3
    ...
    #define EM_X86_64 62 /* AMD x86-64 */

So it is a combination of the ELF architecture declaration, endianness,
and whether it is a 64bit arch.... These should be stable values you can
count on.

-Eric
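An added example, not part of Eric's mail or the kernel source, that composes and decodes AUDIT_ARCH values from the constants quoted above and pulls the arch= field out of an audit.log record (which prints it as bare hex, unlike the decimal-plus-hex form of auditctl -l). Only the two machine types named in the thread are mapped to names, the sample record is constructed, and the decoder assumes no flag bits beyond the two defined in the quoted header.

```python
import re

# Constants as quoted from include/linux/audit.h and include/linux/elf-em.h
AUDIT_ARCH_64BIT = 0x80000000   # __AUDIT_ARCH_64BIT
AUDIT_ARCH_LE = 0x40000000      # __AUDIT_ARCH_LE
EM_386 = 3
EM_X86_64 = 62

# Only the machine types discussed in the thread; others are shown as EM_<n>
EM_NAMES = {EM_386: "i386", EM_X86_64: "x86_64"}

# audit.log prints arch= as bare hex (e.g. arch=c000003e)
ARCH_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b")


def audit_arch(machine, bits, little_endian=True):
    """Compose an AUDIT_ARCH_* value the way audit.h does: EM_* | flags."""
    value = machine
    if bits == 64:
        value |= AUDIT_ARCH_64BIT
    if little_endian:
        value |= AUDIT_ARCH_LE
    return value


def decode_audit_arch(arch):
    """Split an AUDIT_ARCH_* value into machine number, word size and endianness.

    Assumes (as in the quoted header) that the only flag bits are the two above;
    everything else is treated as the ELF machine number.
    """
    machine = arch & ~(AUDIT_ARCH_64BIT | AUDIT_ARCH_LE) & 0xFFFFFFFF
    return {
        "machine": machine,
        "name": EM_NAMES.get(machine, "EM_%d" % machine),
        "bits": 64 if arch & AUDIT_ARCH_64BIT else 32,
        "little_endian": bool(arch & AUDIT_ARCH_LE),
    }


def arch_from_audit_line(line):
    """Decode the arch= field of one audit.log SYSCALL record, or None if absent."""
    m = ARCH_RE.search(line)
    return decode_audit_arch(int(m.group(1), 16)) if m else None


# Constructed sample record in the audit.log format (not a real capture)
SAMPLE_RECORD = ("type=SYSCALL msg=audit(1327069572.123:456): arch=c000003e "
                 "syscall=59 success=yes exit=0 comm=\"ls\"")
```

A monitoring rule that compares the decoded "bits" against the host's native word size will flag 32-bit-ABI syscalls (arch=40000003) on an x86_64 system, which is the distinction Peter's question is about.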