The groups token replaces the group token. The groups token records the group entries from the process's credential.
The groups token has two fixed fields:
A token ID field that identifies this token as a groups token
A count that represents the number of groups that are contained in this audit record
The remainder of this token is composed of count group entries.
The praudit -x command shows the fields of the groups token:
<group><gid>staff</gid><gid>other</gid></group>
The groups token is output only when the group audit policy option is active.
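As an added example (not part of the original documentation), the following Python sketch reads praudit -x style output and extracts the group entries of each record, treating a record without a groups token as "not recorded" rather than "no groups". Only the <group>/<gid> layout comes from the text above; the <audit>/<record> wrapper, the event attribute and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `praudit -x` output. Only the <group>/<gid>
# layout is taken from the page; the wrapper elements, the "event" attribute
# and the event names are assumptions made for this example.
SAMPLE = """<audit>
<record event="login - local"><group><gid>staff</gid><gid>other</gid></group></record>
<record event="su"><group><gid>root</gid><gid>sys</gid><gid>staff</gid></group></record>
<record event="logout"></record>
</audit>"""


def groups_by_record(xml_text):
    """Return [(event, groups)] for every record.

    groups is the list of <gid> values in the record's groups token, or None
    when the record carries no groups token at all (the token is written only
    when the group audit policy option is active).
    """
    results = []
    for record in ET.fromstring(xml_text).iter("record"):
        token = record.find("group")
        if token is None:
            gids = None  # token absent: membership was not recorded
        else:
            gids = [(g.text or "").strip() for g in token.findall("gid")]
        results.append((record.get("event"), gids))
    return results


def records_with_group(xml_text, watched):
    """Events whose process credential lists any group named in `watched`."""
    return [event for event, gids in groups_by_record(xml_text)
            if gids is not None and watched.intersection(gids)]


def records_missing_token(xml_text):
    """Events with no groups token, so membership cannot be judged from them."""
    return [event for event, gids in groups_by_record(xml_text) if gids is None]


if __name__ == "__main__":
    for event, gids in groups_by_record(SAMPLE):
        print(event, "->", gids if gids is not None else "no groups token")
```
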