How to log all commands run on Linux including their arguments (parameters)?

Question

How can I log all commands executed on Linux, including their command-line arguments (parameters)?

So, for example, if someone runs:

rm -rf /tmp/foo

I would see a log entry similar to this:

2016-01-01 18:00:00 user=bob command='rm -rf /tmp/foo'

And not just this:

2016-01-01 18:00:00 user=bob command='rm'

I have only been able to find uses of auditd which don't log command-line arguments (parameters). Is there a way to properly configure auditd to record this? It looks like FreeBSD has a way to set an argv policy, but this doesn't seem to be present in Debian derivatives.

I'd like to just add that what you are asking will not be 100% as there are so many different ways to avoid this type of logging activity. — mdpc, Mar 25 '16 at 21:25

score 1 · Answer 1 · answered Mar 22 '16 at 04:27

1

Have you tried sending history to syslog?

One of many examples

https://jablonskis.org/2011/howto-log-bash-history-to-syslog/index.html

answered Mar 22 '16 at 04:27

Jacob Evans

7,636
3
25
55

But you should bear in mind that it won't work if a user will use mc – ALex_hha Mar 22 '16 at 11:42

score 0 · Answer 2 · edited Mar 23 '16 at 14:32

Auditd is really neat :) With the proper configuration you can see all those events as you want (I'll give you an example from one of my servers) So as you can see, in my ausearch output, you can see that /bin/rm was invoked and also the files which were deleted (i've changed the real paths to /tmp/X* - and as you can see it takes all arguments a1 to a8). If this is what you want, I can give you some of my configs and also some guides I've used to configure auditd.

time->Thu May 28 11:35:01 2015

type=PATH msg=audit(1432812901.638:4583880): item=1 name=(null) inode=57348 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

type=PATH msg=audit(1432812901.638:4583880): item=0 name="/bin/rm" inode=8252 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

type=CWD msg=audit(1432812901.638:4583880):  cwd="XXX"

type=EXECVE msg=audit(1432812901.638:4583880): argc=9 a0="rm" a1="-r" a2="/tmp/*" a3="/tmp/XX" a4="/tmp/XXX" a5="/tmp/XXXX" a6="/tmp/XXXXX" a7="/tmp/XXXXXXX" a8="/tmp/XXXXXXX"

type=SYSCALL msg=audit(1432812901.638:4583880): arch=c000003e syscall=59 success=yes exit=0 a0=1d27830 a1=1d27e20 a2=1d26870 a3=7fff70cfb2d0 items=2 ppid=10230 pid=10231 auid=1105 uid=1105 gid=1005 euid=1105 suid=1105 fsuid=1105 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=35220 comm="rm" exe="/bin/rm" key=(null)

Please supply the community with the config, else your comment would not be very useful. — M. Schmidt, Aug 27 '20 at 09:41

How to log all commands run on Linux including their arguments (parameters)?

2 Answers2