proc-trace-exec
Three ways to get a binary — pick the one that fits your setup.
No local Go install required. Produces static binaries for amd64 and arm64 in one command via build.sh.
One line with a local Go install. Output is dynamically linked — fine for dev use on the same machine.
Fully static, no libc dependency. Copy the binary to any Linux system of the same architecture and it just works.
The tool uses the Linux proc connector — a standard netlink socket interface available on virtually every modern distribution.
| Requirement | Details | Status |
|---|---|---|
| Linux kernel | Any version with CONFIG_CONNECTOR=y and CONFIG_PROC_EVENTS=y (default on Ubuntu, Debian, Fedora, RHEL, Arch, Alpine) | ✓ universal |
| CAP_NET_ADMIN | Required to subscribe to the netlink proc connector multicast group. Run as root, or grant the capability to the binary with setcap. | ✓ root / setcap |
| Go 1.21+ | Only needed for the from-source build methods. The Docker build uses golang:1.22-alpine internally. | ✓ optional |
| Docker | Only needed for the build.sh Docker method. Any recent Docker Engine with buildx support works. | ✓ optional |
build.sh
Clones the repo, runs the build inside a golang:1.22-alpine container, and drops two static binaries into ./dist/; no local Go toolchain is needed.
Make build.sh executable and run it, then copy a binary from ./dist/ to /usr/local/bin/ or wherever you like.

```
# Clone
❯ git clone https://github.com/binRick/proc-trace-exec.git
❯ cd proc-trace-exec

# Build
❯ chmod +x build.sh
❯ ./build.sh
Building proc-trace-exec v0.1.0 ...
  → linux/amd64
  → linux/arm64
Done. Binaries in ./dist/:
  proc-trace-exec-linux-amd64 (4.2 MB)
  proc-trace-exec-linux-arm64 (4.0 MB)

# Install
❯ sudo cp dist/proc-trace-exec-linux-amd64 /usr/local/bin/proc-trace-exec
❯ proc-trace-exec --version
proc-trace-exec v0.1.0
```
If you already have Go installed, this is the fastest path. The resulting binary is dynamically linked but works fine for development and local use.
```
❯ git clone https://github.com/binRick/proc-trace-exec.git
❯ cd proc-trace-exec
❯ go build -o proc-trace-exec .
❯ sudo ./proc-trace-exec
(watching all exec() calls system-wide...)
```
Disabling CGO and stripping debug symbols produces a self-contained binary you can copy anywhere: another machine, a container, a server with no Go install.
```
❯ CGO_ENABLED=0 go build -ldflags="-s -w" -o proc-trace-exec .

# Confirm: no dynamic libraries
❯ file proc-trace-exec
proc-trace-exec: ELF 64-bit LSB executable, x86-64, statically linked, stripped

# Copy to any amd64 Linux box
❯ scp proc-trace-exec user@server:/usr/local/bin/
```
CAP_NET_ADMIN with setcap
Instead of running as root every time, you can grant only the capability the tool actually needs. The binary will be usable by any user on the system.
```
# Grant the capability (one-time, as root)
❯ sudo setcap cap_net_admin+eip /usr/local/bin/proc-trace-exec

# Verify
❯ getcap /usr/local/bin/proc-trace-exec
/usr/local/bin/proc-trace-exec cap_net_admin=eip

# Now run as a normal user
❯ proc-trace-exec -t sh -c 'ls /tmp'
12345+ sh -c 'ls /tmp'
12346+ ls /tmp
12346- ls exited status=0 time=0.001s
12345- sh exited status=0 time=0.004s
```
Security note: cap_net_admin allows the binary to control network interfaces and routing in addition to subscribing to proc events. Grant it only to a copy you trust and keep in a root-owned, non-writable path.
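One way to check the condition in the security note after running setcap, as an added example that is not part of proc-trace-exec: the function names are hypothetical, and the script assumes GNU or busybox `stat` and `readlink` plus the `getcap` tool shown above.

```shell
#!/bin/sh
# Added example, not part of proc-trace-exec. Function names are hypothetical.

# node_is_locked PATH UID: PATH is owned by UID and has no group/other write bit.
node_is_locked() {
    meta=$(stat -L -c '%u %a' -- "$1" 2>/dev/null) || return 1   # GNU/busybox stat
    owner=${meta% *}
    mode=${meta#* }
    [ "$owner" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# path_is_hardened FILE [UID]: the resolved file and every ancestor directory
# up to / pass node_is_locked, so nobody but UID (default 0) can swap the binary.
path_is_hardened() {
    p=$(readlink -f -- "$1") || return 1
    uid=${2:-0}
    while :; do
        node_is_locked "$p" "$uid" || { echo "unsafe: $p" >&2; return 1; }
        if [ "$p" = "/" ]; then return 0; fi
        p=$(dirname -- "$p")
    done
}

# caps_are_minimal FILE GETCAP_LINE: the getcap line grants cap_net_admin only.
# Accepts "FILE cap_net_admin=eip" (as on this page) and the
# "FILE = cap_net_admin+eip" form printed by older libcap releases.
caps_are_minimal() {
    caps=${2#"$1"}
    caps=${caps# }
    caps=${caps#= }
    case $caps in
        cap_net_admin=eip|cap_net_admin+eip) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_install FILE: both checks against the live file.
audit_install() {
    path_is_hardened "$1" 0 && caps_are_minimal "$1" "$(getcap "$1")"
}
```

Source the file and call `audit_install /usr/local/bin/proc-trace-exec`; a non-zero exit means the path is writable by someone other than root or the file carries something other than cap_net_admin.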
A quick sanity-check before deploying.
```
# Print version
❯ proc-trace-exec --version
proc-trace-exec v0.1.0

# Print help (colorized on a tty)
❯ proc-trace-exec -h

# Trace one command end-to-end
❯ sudo proc-trace-exec -t echo hello
99001+ echo hello
hello
99001- echo exited status=0 time=0.001s
```