Re: audit 0.6.10 released

I'd expect that adding a rule with arch=64 on a 32bit machine would fail. But, arch=32/64 doesn't look like the right solution. We are exposing the underlying architecture which is more granular that 32 vs. 64 bit. It includes various architectures as well. Why not keep this value the same as the output in the audit message? And if it's done as it currently is, the records could (theoretically) be parsed on a machine with a different cpu arch than the machine that generated the record.