> > 2. auditctl is smart enough to understand that 0x8000 is the same as
> > 0x800000000.
> huh?
Never mind, not important if we go with the 'arch=64' 'arch=32' idea.
> > Also, we need to decide what the default behavior should be.
> > For our tests, there would be considerably less impact if:
> > "auditctl -a entry,always -S chmod"
> > would result in two rules being added:
> > auditctl -a entry,always -S chmod -F arch=32
> > auditctl -a entry,always -S chmod -F arch=64
> This adds 2 rules for my machine which is not 64 bit capable. Every rule added
> slows the whole system down every time there's the potential to generate an
> audit event.
Is it possible for auditctl to determine if it is on a 64bit capable system? If so, it will add both rules.
Otherwise it will only add the arch=32 bit rule?
> > Also from the user point of view, if they want to audit chmod syscalls,
> > they more likely want to audit all of them, not just 32bit or 64bit
> > versions of them.
> I suspect that a user on a 64 bit machine may think this way. It's a waste for 32
> bit machines.
I realize our evaluation isn't the only thing to consider. But, most of the systems in our evaluation are 64bit.
-debbie