what does the arch= hex number represent?

Eric Paris eparis at redhat.com
Fri Jan 20 14:26:12 UTC 2012


On Wed, 2012-01-18 at 10:54 -0800, Peter Moody wrote:
> What does the hex number after arch= mean?
> 
> 64bit seems to always be c000003e and 32bit seems to be 40000003, but
> I'd feel a lot better setting up log monitoring if I knew what they
> actually represented.
> 
> $ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...

If we look around the kernel source code we find

From: include/linux/audit.h

#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE    0x40000000
...
#define AUDIT_ARCH_I386         (EM_386|__AUDIT_ARCH_LE)
...
#define AUDIT_ARCH_X86_64       (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

From: include/linux/elf-em.h

#define EM_386          3
...
#define EM_X86_64       62      /* AMD x86-64 */

So it is a combination of the ELF architecture declaration, endianness,
and whether it is a 64-bit arch.

These should be stable values you can count on.

-Eric
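
For log monitoring, the decomposition described in the message above can be applied to each record. This is an added example, not part of the original message or of the audit project's code. It uses only the constants quoted above and assumes the two arch= forms shown on this page (bare hex in log records, decimal followed by hex in parentheses in `auditctl -l` output). The function names and sample lines are constructed for illustration.

```python
import re

# Constants quoted in the message above
# (include/linux/audit.h and include/linux/elf-em.h).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_NAMES = {3: "EM_386", 62: "EM_X86_64"}

# Matches "arch=c000003e" (log record) and
# "arch=3221225534 (0xc000003e)" (auditctl -l listing).
ARCH_FIELD = re.compile(r"\barch=([0-9A-Fa-f]+)(?:\s+\(0x([0-9A-Fa-f]+)\))?")


def decode_arch(value):
    """Split an AUDIT_ARCH_* number into ELF machine, word size and endianness."""
    machine = value & ~(AUDIT_ARCH_64BIT | AUDIT_ARCH_LE)
    return {
        # Machines not quoted on this page are reported by number only.
        "machine": EM_NAMES.get(machine, "EM_%d" % machine),
        "bits": 64 if value & AUDIT_ARCH_64BIT else 32,
        "endian": "little" if value & AUDIT_ARCH_LE else "big",
    }


def arch_from_line(line):
    """Return the decoded arch= field of one line, or None if it has none."""
    m = ARCH_FIELD.search(line)
    if m is None:
        return None
    # Prefer the parenthesised hex when present; otherwise the bare
    # value is assumed to be hex, as in the log form quoted above.
    return decode_arch(int(m.group(2) or m.group(1), 16))


# Constructed sample lines (not real log data).
SAMPLE_LINES = [
    "type=SYSCALL msg=audit(1327069572.101:501): arch=c000003e syscall=2 success=yes",
    "type=SYSCALL msg=audit(1327069572.230:502): arch=40000003 syscall=5 success=yes",
    "LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...",
    "type=USER_LOGIN msg=audit(1327069573.000:503): pid=1234 uid=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(arch_from_line(line), "<-", line)
```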




