The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
A token ID field that identifies this token as an exec_args token
A count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of count strings. The praudit -x command shows the fields of the exec_args token:
<exec_args><arg>/usr/bin/sh</arg><arg>/usr/bin/hostname</arg></exec_args> |
The exec_args token is output only when the argv audit policy option is active.