kushaldas / unoon

Option to monitor files for access

kushaldas opened this issue · comments

We want to monitor certain file access. For example, which processes are trying to access the ~/.ssh directory? Or any other credential/files on the system. The user will specify a list of files.

Why?

Because after getting into the system, people always try to access important documents, including passwords, logs, emails.

Initial experiments show that using auditd will be better/easier to monitor file access, and we can monitor auditd logs to notify the users.

I've used watchdog once for something similar and it worked well. If the file monitoring is happening in python, that might be a good choice?

I found that only auditd is capable of telling us about the process which is accessing the files/directories. No other userspace tool was able to do so.
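
The approach discussed in this thread (an auditd watch on a sensitive path, then reading the audit log to see which process touched it), as an added example that is not part of the original issue or unoon's code. The watch key `ssh_watch`, the function names and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log, as written for a watch rule such as
#   auditctl -w /home/user/.ssh -p r -k ssh_watch     (key name is an assumption)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1570000000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1337 uid=1000 comm="cat" exe="/usr/bin/cat" key="ssh_watch"
type=PATH msg=audit(1570000000.101:501): item=0 name="/home/user/.ssh/id_rsa" nametype=NORMAL
type=SYSCALL msg=audit(1570000001.202:502): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=2001 uid=1001 comm="python3" exe="/usr/bin/python3.7" key="ssh_watch"
type=PATH msg=audit(1570000001.202:502): item=0 name=2F686F6D652F757365722F2E7373682F6D79206B6579 nametype=NORMAL
type=SYSCALL msg=audit(1570000002.303:503): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1400 uid=1000 comm="vim" exe="/usr/bin/vim" key="etc_watch"
type=PATH msg=audit(1570000002.303:503): item=0 name="/etc/hosts" nametype=NORMAL
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_FIELDS = {"name", "exe", "comm"}  # auditd hex-encodes these if they hold spaces etc.

def parse_fields(body):
    """Split 'k=v' pairs; unquote strings and decode auditd's hex-encoded values."""
    out = {}
    for key, raw, quoted in FIELD.findall(body):
        out[key] = raw
        if raw.startswith('"'):
            out[key] = quoted
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            out[key] = bytes.fromhex(raw).decode("utf-8", "replace")
    return out

def watched_accesses(log_text, key):
    """Return one dict per (process, path) for audit events tagged with `key`."""
    # SYSCALL and PATH records of one event share the same (timestamp, serial) id.
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            events[(ts, serial)]["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            events[(ts, serial)]["paths"].append(fields["name"])
    hits = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc and sc.get("key") == key:
            hits += [{"pid": int(sc["pid"]), "exe": sc.get("exe"), "path": p,
                      "allowed": sc.get("success") == "yes"} for p in ev["paths"]]
    return hits
```

Calling `watched_accesses(SAMPLE_LOG, "ssh_watch")` yields the two processes that touched the watched directory, including the denied attempt, which is the per-process detail the notification step needs.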