2 points by NatanCb 5 hours ago | 1 comment
  • elevation 4 hours ago
    Sentrix' product has integrated this for Windows, but I couldn't help but wonder how I would implement equivalent functionality for Linux. You could detect access to a honeytoken file by monitoring SELinux logs; on access, you could snapshot procfs for relevant information like open sockets and other fds.
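One way to prototype the approach described in the comment above (an added example, not part of the original thread and not Sentrix's code): parse SELinux AVC audit records for a decoy file type, then snapshot the accessing process from procfs. The `honeytoken_t` type, the file path and the sample records are constructed assumptions; logging successful reads needs an `auditallow` rule on that type.

```python
import os
import re

# Constructed audit records; "honeytoken_t" is a hypothetical SELinux type for the decoy file.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1700000000.123:456): avc:  granted  { read open } for  pid=4242 '
    'comm="cat" path="/srv/decoy/passwords.txt" dev="sda1" ino=131337 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:honeytoken_t:s0 tclass=file\n'
    'type=AVC msg=audit(1700000001.001:457): avc:  denied  { write } for  pid=900 '
    'comm="httpd" name="app.log" dev="sda1" ino=77 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file permissive=0\n'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def honeytoken_hits(log_text, token_type="honeytoken_t"):
    """Return parsed AVC events whose target context carries the decoy type."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ev = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        ev["result"], ev["perms"] = m.group(1), m.group(2).split()
        # tcontext is user:role:type:level; compare the type field exactly
        if ev.get("tcontext", "").split(":")[2:3] == [token_type]:
            hits.append(ev)
    return hits

def snapshot_proc(pid):
    """Capture exe and fd targets for pid; the process may already be gone."""
    base, snap = f"/proc/{pid}", {"pid": int(pid), "fds": {}, "errors": []}
    try:
        snap["exe"] = os.readlink(f"{base}/exe")
    except OSError as e:
        snap["errors"].append(str(e))
    try:
        for fd in os.listdir(f"{base}/fd"):
            try:
                snap["fds"][fd] = os.readlink(f"{base}/fd/{fd}")
            except OSError:
                pass  # fd closed between listdir and readlink
    except OSError as e:
        snap["errors"].append(str(e))
    snap["sockets"] = [t for t in snap["fds"].values() if t.startswith("socket:[")]  # socket fds
    return snap
```

Short-lived readers such as `cat` often exit before the snapshot runs, so an empty `fds` with a populated `errors` list is an expected outcome; the audit record itself (pid, comm, scontext) remains the durable evidence.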