How can I log all commands executed on Linux, including their command-line arguments (parameters)?
So, for example, if someone runs:
rm -rf /tmp/foo
I would see a log entry similar to this:
2016-01-01 18:00:00 user=bob command='rm -rf /tmp/foo'
And not just this:
2016-01-01 18:00:00 user=bob command='rm'
I have only been able to find uses of auditd which don't log command-line arguments (parameters). Is there a way to properly configure auditd to record this? It looks like FreeBSD has a way to set an argv policy, but this doesn't seem to be present in Debian derivatives.
Have you tried sending history to syslog?
One of many examples
https://jablonskis.org/2011/howto-log-bash-history-to-syslog/index.html
Auditd is really neat :) With the proper configuration you can see all those events as you want (I'll give you an example from one of my servers). So as you can see, in my ausearch output, you can see that /bin/rm was invoked and also the files which were deleted (I've changed the real paths to /tmp/X* - and as you can see it takes all arguments a1 to a8). If this is what you want, I can give you some of my configs and also some guides I've used to configure auditd.
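The ausearch output the answer refers to is not reproduced on this page. As an added example (not the answerer's configuration or output), the Python below turns raw audit.log SYSCALL/EXECVE records, as produced by an execve rule such as "-a always,exit -F arch=b64 -S execve -k exec_log" (assumed rule; the sample records are constructed), into the one-line-per-command format the question asks for, including the unquoted hex form the kernel uses for arguments that contain spaces or other special characters.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample audit.log records (not real server output). They assume an
# auditd rule such as:  -a always,exit -F arch=b64 -S execve -k exec_log
# Each execve yields a SYSCALL record and an EXECVE record sharing one msg id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1451671200.000:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="exec_log"
type=EXECVE msg=audit(1451671200.000:101): argc=3 a0="rm" a1="-rf" a2="/tmp/foo"
type=SYSCALL msg=audit(1451671260.000:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1002 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="exec_log"
type=EXECVE msg=audit(1451671260.000:102): argc=2 a0="touch" a1=2F746D702F7370616365642066696C65
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
ARG_RE = re.compile(r'\ba(\d+)=("[^"]*"|[0-9A-Fa-f]+)')


def decode_arg(raw):
    """Quoted values are literal; an unquoted hex string is how the kernel
    encodes an argument containing whitespace, quotes or control bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def parse_exec_events(log_text):
    """Join SYSCALL and EXECVE records by serial; return one event per execve."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        ev = events.setdefault(serial, {"ts": int(epoch)})
        if rtype == "SYSCALL":
            fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
            ev["auid"] = fields.get("auid")  # login uid: survives su/sudo
        elif rtype == "EXECVE":
            argc = int(re.search(r"argc=(\d+)", body).group(1))
            args = {int(i): decode_arg(v) for i, v in ARG_RE.findall(body)}
            ev["argv"] = [args[i] for i in range(argc)]
    return [events[k] for k in sorted(events, key=int) if "argv" in events[k]]


def format_entry(ev):
    """Render in the shape asked for in the question (numeric auid, shell-quoted argv)."""
    ts = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{ts} auid={ev['auid']} command={shlex.join(ev['argv'])}"
```

Run it against a real /var/log/audit/audit.log and map auid to a user name with pwd.getpwuid if you want "user=bob" rather than the numeric id.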