linux-audit-bounces@redhat.com wrote on 04/19/2005 02:03:15 PM:

> On Tuesday 19 April 2005 11:34, Debora Velarde wrote:
> > # auditctl -a entry,always -F arch=64b -S open
> > AUDIT_LIST: entry always arch=0 syscall=open

> OK I found and fixed some minor bugs. However, the main problem here is that
> you need to use b64 and not 64b.

Seems to work fine on x86_64 if you use the b64, b32 flag.

chmod from a 64bit compiled record:
type=KERNEL msg=audit(1113940516.264:7457468): item=0 name="/tmp/arch64_check" inode=5701640 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1113940516.264:7457468): syscall=90 arch=c000003e success=yes exit=0 a0=4006d5 a1=1ff a2=34bbf2ea03 a3=0 items=1 pid=24480 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=arch64 exe=/deb/arch_test/arch64

chmod from a 32bit compiled record:
type=KERNEL msg=audit(1113940549.990:7466028): syscall=15 arch=40000003 success=yes exit=0 a0=a7eff4 a1=0 a2=8048442 a3=0 items=1 pid=24512 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=arch32 exe=/deb/arch_test/arch32
type=KERNEL msg=audit(1113940549.990:7466028): item=0 name="/tmp/arch32_check" inode=5701647 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00

Thanks!
debbie