How can I log all commands executed on Linux, including their command-line arguments (parameters)?
So, for example, if someone runs:
rm -rf /tmp/foo
I would see a log entry similar to this:
2016-01-01 18:00:00 user=bob command='rm -rf /tmp/foo'
And not just this:
2016-01-01 18:00:00 user=bob command='rm'
I have only been able to find uses of auditd which don't log command-line arguments (parameters). Is there a way to properly configure auditd to record this? It looks like FreeBSD has a way to set an argv policy, but this doesn't seem to be present in Debian derivatives.