> I'd expect that adding a rule with arch=64 on a 32bit machine would fail.
> But, arch=32/64 doesn't look like the right solution. We are exposing
> the underlying architecture which is more granular than 32 vs. 64 bit.
> It includes various architectures as well. Why not keep this value
> the same as the output in the audit message? And if it's done as it
> currently is, the records could (theoretically) be parsed on a machine
> with a different cpu arch than the machine that generated the record.
Can you post a couple of examples of what the auditctl rules would look like?