The exec_args token records the arguments to an exec system call. The exec_args record has two fixed fields: a token ID field that identifies this as an exec_args token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-6 shows an exec_args token.
The exec_args token is output only when the audit policy argv is active. See "Setting Audit Policies" for more information.