What does it mean to omit the `-F arch` option in audit.rules?

0 votes
0 answers
25 views
The man page is not clear:

> For best performance, you should supply an arch field in the rule. The individual permissions will cause the selection of specific system calls that use that kind of access. Not supplying the arch will cause the selection of all system calls which will affect performance as all system calls will be evaluated.

However I **want** to capture both 32-bit and 64-bit system calls. I would rather not write two identical rules with `-F arch=b32` and `-F arch=b64`, as this leads to twice as many opportunities to forget an audit rule.

A link to the source code where this option is evaluated would be ideal, but of course all answers are helpful.
Asked by Ben Little (21 rep)
Aug 27, 2024, 04:54 PM
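The duplication the question wants to avoid can be handled by keeping one arch-agnostic syscall rule per line in your own source file and generating the `-F arch=b32` / `-F arch=b64` pair from it. The following POSIX shell generator is an added example, not code from the original post; the function name `expand_arch_rules` and the sample rule lines are constructed for this illustration. The arch filter is inserted directly after the `-a action,list` pair, ahead of `-S`, because auditctl resolves syscall names per architecture and needs the arch before the syscall list. Watch rules (`-w`) and rules that already carry `-F arch=` pass through unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): expand arch-agnostic audit
# syscall rules into an explicit b32 + b64 pair so the two never drift apart.

# Reads rule lines on stdin, writes expanded rules on stdout.
expand_arch_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            ''|'#'*)
                # keep blank lines and comments as-is
                printf '%s\n' "$rule"; continue ;;
            *'-F arch='*)
                # already arch-specific: do not duplicate it
                printf '%s\n' "$rule"; continue ;;
            -[aA]*' -S '*)
                # syscall rule without arch: fall through to expansion
                ;;
            *)
                # watch rules, control lines, etc.: pass through untouched
                printf '%s\n' "$rule"; continue ;;
        esac
        for arch in b32 b64; do
            # insert "-F arch=<arch>" right after "-a <action>,<list>",
            # i.e. before -S, which is where auditctl expects it
            printf '%s\n' "$rule" | sed "s/^\(-[aA] [^ ]*\) /\1 -F arch=$arch /"
        done
    done
}

# Constructed sample rules file (hypothetical, for demonstration only).
SAMPLE_RULES='# constructed sample, not from the original post
-a always,exit -S execve,execveat -k exec
-a always,exit -S open,openat -F exit=-EACCES -k access-denied
-w /etc/sudoers -p wa -k sudoers'

# Convenience wrapper so the sample can be expanded and inspected.
expand_sample_rules() {
    printf '%s\n' "$SAMPLE_RULES" | expand_arch_rules
}

# Stand-alone usage: print the expanded rule set. Redirect into a file under
# /etc/audit/rules.d/ or feed it to "auditctl -R <file>" on an x86_64 host,
# where both the b32 and b64 syscall tables exist.
expand_sample_rules
```

Keeping the arch-agnostic file as the single source of truth means a forgotten rule is forgotten for both architectures at once, which is easier to notice in review than one stray variant in a list of near-duplicates.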