
How can I log all commands executed on Linux, including their command-line arguments (parameters)?

So, for example, if someone runs:

rm -rf /tmp/foo

I would see a log entry similar to this:

2016-01-01 18:00:00 user=bob command='rm -rf /tmp/foo'

And not just this:

2016-01-01 18:00:00 user=bob command='rm'

I have only been able to find uses of auditd which don't log command-line arguments (parameters). Is there a way to properly configure auditd to record this? It looks like FreeBSD has a way to set an argv policy, but this doesn't seem to be present in Debian derivatives.

Neil
  • You can try - https://github.com/sensepost/Snoopy – ALex_hha Mar 22 '16 at 11:42
  • I'd like to just add that what you are asking will not be 100% as there are so many different ways to avoid this type of logging activity. – mdpc Mar 25 '16 at 21:25

2 Answers


Have you tried sending history to syslog?

One of many examples

https://jablonskis.org/2011/howto-log-bash-history-to-syslog/index.html

Jacob Evans
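The history-to-syslog approach in concrete form, as an added example (my own code, not from the linked article or this answer): a PROMPT_COMMAND hook that reads the last history entry, formats it as user=<name> command='<full line>' and hands it to logger(1). It assumes bash (for PROMPT_COMMAND and the history builtin) and a util-linux or bsdutils logger. Because it lives inside the shell, it only sees commands typed into that bash instance, which is the limitation mdpc's comment points at; it is a cheap audit trail for cooperative users, not a control.

```shell
# Added example, not code from the linked article: log every interactive bash
# command, with its arguments, to syslog from PROMPT_COMMAND.
# Assumptions: bash (PROMPT_COMMAND, history builtin), logger(1) available.
# Only commands that pass through this bash instance are recorded; another
# shell, a script or a direct exec is not covered.

# Turn one line of `history 1` output, e.g. "  123  rm -rf /tmp/foo", into the
# entry the question asks for: user=<name> command='<full command line>'.
# $1 = history line, $2 = user name to record.
format_history_entry() {
    cmd=$(printf '%s\n' "$1" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//')
    printf "user=%s command='%s'\n" "$2" "$cmd"
}

# Called from PROMPT_COMMAND before each prompt. Remembers the history index
# so an empty Enter (which repeats the last entry) is not logged twice.
log_last_command() {
    line=$(HISTTIMEFORMAT= history 1)
    num=$(printf '%s\n' "$line" | awk '{print $1}')
    [ -n "$num" ] && [ "$num" != "$_LAST_LOGGED_HIST" ] || return 0
    _LAST_LOGGED_HIST=$num
    # authpriv keeps the lines out of world-readable logs on most distributions;
    # the tag makes them easy to pull out with grep or a SIEM filter.
    # SUDO_USER records the original account when the shell was started via sudo.
    logger -p authpriv.info -t bash_cmd \
        "$(format_history_entry "$line" "${SUDO_USER:-$(id -un)}")"
}

# Install the hook (e.g. from /etc/profile.d/) without clobbering an existing one.
PROMPT_COMMAND="log_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}"

# Demonstration of the formatting step on a constructed history line:
format_history_entry '  123  rm -rf /tmp/foo' bob
```

Sourced from /etc/profile.d/ it applies to every interactive login; the messages land wherever the syslog daemon routes authpriv.info, so a user who cannot read /var/log/auth.log cannot see or edit their own trail there, although they can still unset PROMPT_COMMAND in their session.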

Auditd is really neat :) With the proper configuration you can see all those events as you want (I'll give you an example from one of my servers). So as you can see, in my ausearch output, you can see that /bin/rm was invoked and also the files which were deleted (I've changed the real paths to /tmp/X*, and as you can see it takes all arguments a1 to a8). If this is what you want, I can give you some of my configs and also some guides I've used to configure auditd.

time->Thu May 28 11:35:01 2015
type=PATH msg=audit(1432812901.638:4583880): item=1 name=(null) inode=57348 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1432812901.638:4583880): item=0 name="/bin/rm" inode=8252 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1432812901.638:4583880):  cwd="XXX"
type=EXECVE msg=audit(1432812901.638:4583880): argc=9 a0="rm" a1="-r" a2="/tmp/*" a3="/tmp/XX" a4="/tmp/XXX" a5="/tmp/XXXX" a6="/tmp/XXXXX" a7="/tmp/XXXXXXX" a8="/tmp/XXXXXXX"
type=SYSCALL msg=audit(1432812901.638:4583880): arch=c000003e syscall=59 success=yes exit=0 a0=1d27830 a1=1d27e20 a2=1d26870 a3=7fff70cfb2d0 items=2 ppid=10230 pid=10231 auid=1105 uid=1105 gid=1005 euid=1105 suid=1105 fsuid=1105 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=35220 comm="rm" exe="/bin/rm" key=(null)
fuero
runyoufreak
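The answer shows the records but not the rule that produces them or how to get from the a0..aN fields back to the one-line format the question asks for. As an added example (my own code, not the answerer's configuration), the block below states the execve audit rules in comments and then parses a SYSCALL/EXECVE pair into user=<name> command='<argv>'. The sample SYSCALL and first EXECVE line are the ones from this answer; the second EXECVE line is constructed to show a hex-encoded argument, which is how audit records any argument containing a space, quote or control byte (`ausearch -i` decodes these for you; the parser here does it by hand so the rule is visible). It assumes auditd with augenrules and a POSIX sh with getent.

```shell
# Added example, not the answerer's configuration: auditd rules that capture
# every execve() with its arguments, and a small parser that turns the resulting
# SYSCALL/EXECVE records into the one-line format the question asks for.
# Assumptions: auditd with augenrules, POSIX sh, getent for uid->name lookup.
#
# Rules (put in /etc/audit/rules.d/execve.rules, then run: augenrules --load):
#   -a always,exit -F arch=b64 -S execve -k exec_log
#   -a always,exit -F arch=b32 -S execve -k exec_log
# Query with: ausearch -k exec_log   (add -i to have ausearch decode the fields)

# Sample records: the SYSCALL/EXECVE lines are the ones from the answer above;
# the second EXECVE line is constructed to show a hex-encoded argument
# ("/tmp/foo bar" contains a space, so audit writes it as hex, unquoted).
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1432812901.638:4583880): arch=c000003e syscall=59 success=yes exit=0 a0=1d27830 a1=1d27e20 a2=1d26870 a3=7fff70cfb2d0 items=2 ppid=10230 pid=10231 auid=1105 uid=1105 gid=1005 euid=1105 suid=1105 fsuid=1105 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=35220 comm="rm" exe="/bin/rm" key=(null)'
SAMPLE_EXECVE='type=EXECVE msg=audit(1432812901.638:4583880): argc=9 a0="rm" a1="-r" a2="/tmp/*" a3="/tmp/XX" a4="/tmp/XXX" a5="/tmp/XXXX" a6="/tmp/XXXXX" a7="/tmp/XXXXXXX" a8="/tmp/XXXXXXX"'
SAMPLE_EXECVE_HEX='type=EXECVE msg=audit(1432812901.638:4583881): argc=3 a0="rm" a1="-rf" a2=2F746D702F666F6F20626172'

# Decode an audit hex string ("2F746D70" -> "/tmp") using only POSIX printf:
# each byte becomes a \ooo octal escape that printf turns back into the byte.
hex_to_ascii() {
    h=$1
    while [ ${#h} -ge 2 ]; do
        pair=${h%"${h#??}"}          # first two hex digits
        h=${h#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Print the value of key=value field $2 in audit record $1.
audit_field() {
    set -f                           # records contain '*'; never glob them
    for tok in $1; do
        case $tok in
            "$2="*) set +f; printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Rebuild the command line from an EXECVE record's a0..aN fields.
# Quoted values are taken as-is; unquoted ones are hex and get decoded.
# (The kernel splits very long arguments into a1[0], a1[1], ...; those pieces
# match the same pattern and are simply joined with spaces here.)
execve_to_command() {
    out=
    set -f
    for tok in $1; do
        case $tok in a[0-9]*=*) ;; *) continue ;; esac
        val=${tok#*=}
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            *)     val=$(hex_to_ascii "$val") ;;
        esac
        out="${out:+$out }$val"
    done
    set +f
    printf '%s\n' "$out"
}

# Join the SYSCALL record (for auid, the login uid that survives su/sudo) with
# the EXECVE record of the same event into: user=<name> command='<argv>'.
# Falls back to the numeric auid when the uid is unknown on this host.
audit_event_to_logline() {
    auid=$(audit_field "$1" auid)
    name=$(getent passwd "$auid" 2>/dev/null | cut -d: -f1)
    printf "user=%s command='%s'\n" "${name:-$auid}" "$(execve_to_command "$2")"
}

audit_event_to_logline "$SAMPLE_SYSCALL" "$SAMPLE_EXECVE"
audit_event_to_logline "$SAMPLE_SYSCALL" "$SAMPLE_EXECVE_HEX"
```

Using auid rather than uid is the point of the join: auid is set at login and is not changed by su or sudo, so the line names the person who logged in even when the command ran as root. Unlike the shell-history approach, an execve rule is enforced by the kernel and records scripts, cron jobs and non-bash shells too, at the cost of a much larger log volume on busy hosts.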