By the way, simple honeypot on Linux using auditd: just set a rule like `-w /etc/secret-file -p rxwa -k some.tag` and use your mechanism of choice to watch logs/journal for the occurrence of `some.tag` string.

`-p rxwa` causes logging of any read, exec, write or attributes change on that file. More in `man auditctl`.

Among others, this has a benefit that, in principle, such honeypot triggers immediately and not only after someone decides to try using some actual credentials/data.

Obviously needs some work to make this robust (logs monitoring plus alerting), but it's a nice building block worth knowing and, if you care, then you probably already have those additional pieces in place anyway.