diff -urp audit-2.3.5.orig/src/ausearch-common.h audit-2.3.5/src/ausearch-common.h
--- audit-2.3.5.orig/src/ausearch-common.h 2014-03-12 12:30:31.000000000 -0400
+++ audit-2.3.5/src/ausearch-common.h 2014-03-17 17:08:27.200016460 -0400
@@ -1,5 +1,5 @@
 /* ausearch-common.h --
- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2006-08,2010,2014 Red Hat Inc., Durham, North Carolina.
 * Copyright (c) 2011 IBM Corp.
 * All Rights Reserved.
 *
@@ -41,6 +41,7 @@ extern const char *event_filename;
 extern const char *event_hostname;
 extern const char *event_terminal;
 extern int event_syscall;
+extern int event_machine;
 extern const char *event_exe;
 extern int event_ua, event_ga;
 extern int event_exit, event_exit_is_set;
diff -urp audit-2.3.5.orig/src/ausearch-match.c audit-2.3.5/src/ausearch-match.c
--- audit-2.3.5.orig/src/ausearch-match.c 2014-03-12 12:30:31.000000000 -0400
+++ audit-2.3.5/src/ausearch-match.c 2014-03-17 17:08:27.200016460 -0400
@@ -84,9 +84,14 @@ int match(llist *l)
 if ((event_pid != -1) &&
 (event_pid != l->s.pid))
 return 0;
- if ((event_syscall != -1) &&
- (event_syscall != l->s.syscall))
- return 0;
+ if (event_syscall != -1) {
+ if (event_syscall != l->s.syscall)
+ return 0;
+ if (event_machine != -1 &&
+ (event_machine !=
+ audit_elf_to_machine(l->s.arch)))
+ return 0;
+ }
 if ((event_session_id != -2) &&
 (event_session_id != l->s.session_id))
 return 0;
diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
--- audit-2.3.5.orig/src/ausearch-options.c 2014-03-12 12:30:31.000000000 -0400
+++ audit-2.3.5/src/ausearch-options.c 2014-03-17 17:08:27.200016460 -0400
@@ -49,7 +49,7 @@ pid_t event_pid = -1, event_ppid = -1;
 success_t event_success = S_UNSET;
 int event_exact_match = 0;
 uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
-int event_syscall = -1;
+int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 int event_session_id = -2;
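Review bot: In the ausearch-match.c hunk, the new comparison of `event_machine` with `audit_elf_to_machine(l->s.arch)` carries no comment, and it excludes any record whose `arch` was never parsed or does not map to a known machine. The lookup presumably returns -1 in that case, which can never equal a set `event_machine`, so such a record is dropped even though its syscall number matched. A comment above the inner test would make the intent explicit, e.g. `/* syscall numbers are per-architecture: also require the record's arch to map to the machine the search was resolved for */`. If records without a usable arch should still match on the number alone, that needs its own branch. match() begins and ends outside the hunk.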
@@ -661,6 +661,7 @@ int check_params(int count, char *vars[] optarg); retval = -1; } + event_machine = machine; } c++; break; diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c --- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-12 12:30:31.000000000 -0400 +++ audit-2.3.5/src/ausearch-parse.c 2014-03-17 17:09:33.344014612 -0400 @@ -1883,6 +1883,37 @@ static int parse_kernel_anom(const lnode } } + if (n->type == AUDIT_SECCOMP) { + // get arch + str = strstr(term, "arch="); + if (str == NULL) + return 0; // A few kernel versions don't have it + ptr = str + 5; + term = strchr(ptr, ' '); + if (term == NULL) + return 12; + *term = 0; + errno = 0; + s->arch = (int)strtoul(ptr, NULL, 16); + if (errno) + return 13; + *term = ' '; + // get syscall + str = strstr(term, "syscall="); + if (str == NULL) + return 14; + ptr = str + 8; + term = strchr(ptr, ' '); + if (term == NULL) + return 15; + *term = 0; + errno = 0; + s->syscall = (int)strtoul(ptr, NULL, 10); + if (errno) + return 16; + *term = ' '; + } + return 0; } diff -urp audit-2.3.5.orig/src/ausearch-report.c audit-2.3.5/src/ausearch-report.c --- audit-2.3.5.orig/src/ausearch-report.c 2014-03-12 12:30:31.000000000 -0400 +++ audit-2.3.5/src/ausearch-report.c 2014-03-17 17:08:27.201016460 -0400 @@ -335,7 +335,7 @@ static void interpret(char *name, char * } type = auparse_interp_adjust_type(rtype, name, val); - if (rtype == AUDIT_SYSCALL) { + if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) { if (machine == (unsigned long)-1) machine = audit_detect_machine(); if (*name == 'a' && strcmp(name, "arch") == 0) {
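Review bot: In the `AUDIT_SECCOMP` block added to `parse_kernel_anom()`, both `strtoul()` calls pass a NULL end pointer and test only `errno`, so a field with no digits is accepted as 0 and a value wider than `int` is silently truncated by the cast. For `syscall=` this means a malformed record is stored as syscall 0 and can satisfy a search for that number. Passing an end pointer and rejecting an empty or partial conversion closes this: `s->syscall = (int)strtoul(ptr, &end, 10);` then `if (errno || end == ptr || *end) return 16;`, likewise for `arch` with base 16 and `return 13`, with `char *end;` declared next to `ptr`. The `return 13` and `return 16` paths also leave the NUL from `*term = 0` in the record text; moving `*term = ' ';` ahead of the test would restore it if callers reuse the message. The function starts outside the hunk, so where `term` points on entry to this block cannot be confirmed from here.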