Al,
Thanks for posting this.
Amy,
To give some background...we have this open bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168285
It was agreed last summer that this would be useful for people. It has nothing
to do with CAPP certification, so it was put on the back burner. No one had
the time to complete it until now. What the patch does is collect the string
arguments to execve and logs them as an auxiliary record. It was also put
onto linux-audit mail list as a proposal, item #1 here:
https://www.redhat.com/archives/linux-audit/2005-September/msg00061.html
Hope this helps...
-Steve