On Wed, 2012-01-18 at 10:54 -0800, Peter Moody wrote: If we look around the kernel source code we find From: include/linux/audit.h #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 ... #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) ... #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) From: include/linux/elf-em.h #define EM_386 3 ... #define EM_X86_64 62 /* AMD x86-64 */ So it is a combination of the elf architecture declaration, endian-ness, and if it is a 64bit arch.... These should be stable values you can count on. -Eric