extrace

Trace all program executions on the system

$ sudo extrace

$ sudo extrace [command]

$ sudo extrace -d

$ sudo extrace -l

$ sudo extrace -u

extrace [options] [command]

extrace traces exec() system calls system-wide to monitor program execution on Linux. It captures every time a program is executed, displaying the command line, process hierarchy, and optionally the user, working directory, and environment variables.
Unlike strace which traces individual processes, extrace monitors all execution activity on the system or within a specific process tree. It's particularly useful for security auditing to detect suspicious process execution, debugging complex scripts that spawn multiple subprocesses, and understanding system behavior during package installations or automated tasks.
The tool uses Linux kernel tracing facilities (ftrace or similar) to capture exec calls with minimal overhead compared to attaching a debugger to each process.

-d

Print working directory

Resolve full executable path

Display user running process

Print environment variables

Trace only specific PID tree

Requires root privileges. Uses kernel tracing facilities. May impact system performance when tracing heavily.

strace(1), ltrace(1), auditd(8)