You can trace the system calls with strace, but there is indeed an inevitable speed penalty. You need to run strace as root if the command runs with elevated privileges:

    sudo strace -f -o foo.trace su user -c 'mycommand'

Another method that's likely to be faster is to preload a library that wraps around filesystem access functions:

    LD_PRELOAD=/path/to/libmywrapper.so mycommand

The LD_PRELOAD environment variable won't be passed to programs invoked with elevated privileges. You'd have to write the code of that wrapper library (here's an example from “Building library interposers for fun and profit”); I don't know if there is reusable code available on the web.

If you're monitoring the files in a particular directory hierarchy, you can make a view of the filesystem with LoggedFS such that all accesses through that view are logged.

    loggedfs -c my-loggedfs.xml /logged-view
    mycommand /logged-view/somedir

To configure LoggedFS, start with the sample configuration shipped with the program and read LoggedFS configuration file syntax.

Another possibility is Linux's audit subsystem. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

    auditctl -a exit,always -w /path/to/file

If you put a watch on a directory, the files in it and its subdirectories recursively are also watched. Take care not to watch the directory containing the audit logs. You can restrict the logging to certain processes; see the auditctl man page for the available filters. You need to be root to use the audit system.
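As an added example (not part of the answer above, and not a tool that ships with strace), here is a Python post-processor for the foo.trace file written by the strace command above: it aggregates file accesses per path, counts calls that failed, and rejoins the '<unfinished ...>' / '<... resumed>' line pairs that -f produces when processes interleave. The syscall list, the file names and the sample trace are constructed for the example.

```python
import re
from collections import defaultdict

# Syscalls whose first quoted argument is a filesystem path (assumed list).
FILE_CALLS = {"open", "openat", "creat", "unlink", "unlinkat", "rename", "stat", "access", "execve"}
# Optional pid prefix (added by -f), syscall name, argument list, return value.
LINE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument, escaped quotes allowed

def merge_unfinished(lines):
    """Join each '<unfinished ...>' line with the '<... resumed>' line of the same pid."""
    pending = {}
    for line in lines:
        pid = line.split(None, 1)[0] if line[:1].isdigit() else ""
        if line.rstrip().endswith("<unfinished ...>"):
            pending[pid] = line.rstrip()[:-len("<unfinished ...>")]
            continue
        m = re.match(r'^(?:\d+\s+)?<\.\.\. \w+ resumed>\s*(.*)$', line)
        if m and pid in pending:
            line = pending.pop(pid) + m.group(1)
        yield line

def summarise(trace_text):
    """Return {path: {"ok": n, "failed": n, "pids": set, "calls": set}} for one trace."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "pids": set(), "calls": set()})
    for line in merge_unfinished(trace_text.splitlines()):
        m = LINE_RE.match(line)
        path = PATH_RE.search(m.group("args")) if m and m.group("call") in FILE_CALLS else None
        if not path:
            continue
        entry = summary[path.group(1)]
        entry["failed" if m.group("ret") == "-1" else "ok"] += 1
        entry["pids"].add(m.group("pid") or "?")
        entry["calls"].add(m.group("call"))
    return dict(summary)

# Constructed sample in 'strace -f' format (not a real capture).
SAMPLE_TRACE = """\
4242  execve("/usr/bin/mycommand", ["mycommand"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/etc/mycommand.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4243  openat(AT_FDCWD, "/var/lib/mycommand/state.db", O_RDWR|O_CREAT, 0644 <unfinished ...>
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
4243  <... openat resumed>) = 3
4243  unlink("/tmp/mycommand.lock") = 0
"""
if __name__ == "__main__":
    for path, info in sorted(summarise(SAMPLE_TRACE).items()):
        print(f"{path}: ok={info['ok']} failed={info['failed']} pids={sorted(info['pids'])}")
```

Run it against a real capture with summarise(open("foo.trace").read()); failed opens of configuration files are often the most informative entries, since they show where a program looks before it finds what it uses.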