opensnoop from DTrace can show which files are opened by a program/pid. It does not trace opens by forked/vforked children though. Related dtruss has this follow functionality.
Is there a way to tell opensnoop to also follow children?
-p option actually adds PID == pid check into generated script where pid is built in variable, representing current process id and PID is a -p option value.
There is an action in DTrace called progenyof which checks that current process is a child (not necessary direct) of a process, so simply replace that check in opensnoop:
--- /usr/dtrace/DTT/opensnoop Wed Jun 25 01:34:47 2014
+++ opensnoop Fri Jan 13 17:43:41 2017
@@ -199,7 +199,7 @@
/* check each filter */
(OPT_name == 1 && NAME == execname) ? self->ok = 1 : 1;
- (OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1;
+ (OPT_pid == 1 && progenyof(PID)) ? self->ok = 1 : 1;
/* OPT_file is checked on return to ensure pathp is mapped */
}