Hacker News
by bruce_one 75 days ago
eBPF is a great tool to use for debugging this kind of thing too, e.g. [bpftrace](https://bpftrace.org) has an [execsnoop](https://github.com/bpftrace/bpftrace/blob/master/tools/execs...) script for looking at everything being exec'd on the system :-)

(No need to use bpftrace, just an easy example :-) )

Or just `strace`.
Seconded. Way simpler than BPF, especially when all you want to see is syscalls.