When I try this one on my x86_64 system, I am seeing:
# auditctl -a entry,always -F arch=64b -S open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32b -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
# auditctl -a entry,always -F arch=32 -S open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open
AUDIT_LIST: entry always arch=0 syscall=open

And I don't see any audit records generated for syscall=open.

If I do:
# auditctl -a entry,always -S open
then I do see records like:
type=KERNEL msg=audit(1113924447.821:5496854): syscall=2 arch=c000003e success=yes exit=3 a0=2a9555bf20 a1=0 a2=3920 a3=ffffffd0 items=1 pid=5737 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=tail exe=/usr/bin/tail
type=KERNEL msg=audit(1113924447.821:5496854): item=0 name="/lib64/tls/libpthread.so.0" inode=6947034 dev=fd:00 mode=0100755 uid=0 gid=0 rdev=00:00

When I try arch=c000003e, I get:
# auditctl -a entry,always -F arch=c000003e -S open
-F arch=c000003e machine type not found

So I believe auditctl is suposed to work with values like "arch=32b" or "arch=64b". Is that correct?

-debbie

linux-audit-bounces@redhat.com wrote on 04/18/2005 04:16:46 PM:

> Hello,

> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit   The Changelog is:

> - Check log file size on start up
> - Added priority_boost config item
> - Reworked arch support
> - Reworked how run level is changed
> - Make allowances for ECONNREFUSED.

> The program was not checking the logfile size on startup which could make it
> add a record before deciding to perform the log file size action.

> In order to help solve the lost records problem, I've added a priority boost
> option to auditd.conf. The default is 3. you should probably check
> you /etc/auditd.conf file to see that you have the new option.

> The arch support has been reworked. Thanks to Debbie Velarde for helping
> gather the syscall tables. Please give this feature a try. I think it should
> be working (except for "both"). Please report any bugs with this soon and
> I'll release a 0.6.12 to fix any problems.

> The way that the run level is changed was reworked to make SE Linux policy
> better. It was invoking system() now it does execve().

> People that are rolling their own kernels and not including the audit system
> were being stopped from logging by pam. I made an exception that if
> ECONNREFUSED is detected during sendto, they are using a modified kernel and
> we'll bypass logging.  ECONNREFUSED means the kernel isn't listening on the
> audit netlink socket....so I think this exception is safe.

> Please give it some testing and report any problems.

> -Steve

> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit