The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
A token ID field that identifies this token as an exec_args token
A count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_args token as follows:
vi,/etc/security/audit_user |
The following figure shows the format of an exec_args token.
The exec_args token is output only when the audit policy argv is active.