Thread: Honeypot files & directories

Hello everyone, How can I make Linux inform me by email or by logging whenever particular file(s) or directory(ies) is/are opened?

Originally Posted by AJN

Hello everyone, How can I make Linux inform me by email or by logging whenever particular file(s) or directory(ies) is/are opened?

Split the task out into two processes: event detection and alerting. The first depends on 0) the file (type, ownership and permissions, etc), 1) what your distribution offers in terms of kernel (dnotify, inotify, audit) and userland (inotify tools, incron, FUSE, cron daemon, active audit tools) and 2) any other your requirements like say near real time triggering or not. The second depends on how events are generated: if there's system or daemon logs then the alerting process needs to filter the log for the right message at the right interval, if there's a dedicated log file then a marker takes care of that (see the logging component of the deprecated PortSentry tool for what I mean) else stdout (inotify tools, FUSE loggedfs) might indicate a new message and an audit tool like Samhain send emails itself. (And if this reply is thought to be kind of long it serves to indicate only verbose and precise questions elicit tailored responses.)