I have a little BASH script that checks to see is a Password.txt file is accessed. If it is I get an email.
This Password file is a basically a honey trap.
It does work, but also getting lots of false positives. Often several from the same time. During this testing period I’m 99% sure it’s not a person accessing it as the machine is air gapped and physically not accessible to anyone but me.
Therefore guessing it’s some system cache, tidy etc that’s triggering it.
Does anyone know how I can stop these false positives from occurring?
Many thanks for any help.
Here is the code:
#!/bin/bash
DATE=$(date +'%Y-%m-%d %H:%M:%S')
HOSTNAME=$(hostname)
# Colours for visual clarity
RED='33[0;31m'
GREEN='33[0;32m'
ORANGE='33[0;33m'
NC='33[0m'
# File to monitor
FILE_PATH="/home/me/Documents/Password.txt"
# Email configuration (replace with your actual details)
RECIPIENT_EMAIL="[email protected]"
# Function to send email notifications
send_notification() {
SUBJECT="$HOSTNAME: File Access Detected"
BODY="$HOSTNAME reports File '$FILE_PATH' was accessed on $DATE."
echo -e "$BODY" | mail -s "$SUBJECT" "$RECIPIENT_EMAIL"
}
# inotifywait command with error handling
inotifywait -m -e access "$FILE_PATH" 2>/dev/null | while read -r dir action file; do
echo -e "${RED}File Accessed: $file${NC}"
send_notification
done
5