Detecting when you need to system rescue
One of the worst problems with file monitoring tools is the occurrence of false positives. If you monitor the
/etc/shadow file, for example, any time a user changes her password, you will get a file modification warning. If you update the system, you may get a flurry of warnings.
These tools cannot process an RPM or dpkg file, for example, before installation to reduce false positives. So, unless you build some additional tooling, you'll probably either turn off monitoring or start ignoring it. Additionally, if a file is modified, you can't easily compare it to the previous version unless you manually diff it against a backup copy. Thus, I strongly recommend only monitoring the critical files; if you want to monitor more, you can set that up as a different report to refer to as needed.
Modern attacks often are about getting root access, and, sadly, Linux has its share of locally exploitable vulnerabilities that can be leveraged to get root access. Once this is accomplished, an attacker can insert a rootkit to evade detection. Attackers have no real need to modify the files on the system but, if they do, they can use the rootkit to present "good" copies of the file to tools like Open Source Tripwire and AIDE.
Virtualization and cloud computing can help here. In these kinds of virtualized environments, you can easily snapshot or examine the filesystem of a running system, from outside of the running system. Thus, things like rootkits will have a much more difficult time hiding modified files from detection. You can also use network filesystems such as GlusterFS  – not only to store data but also to boot from. Because GlusterFS is based on regular filesystems, you can easily examine files from a secured system that has read-only access. Additionally, you can and should use tools like RKHunter to find various rootkits .
Because these tools must be run on a schedule, a window of time exists between scans, during which attackers can break in and not be detected even if they do modify the files being monitored. Several people have proposed using inotify to trigger scans of files as they change, but, as far as I can tell, neither Open Source Tripwire nor AIDE support this or ever will. The
incron  program, however, can be used to trigger applications when a file is changed, so you could use incron to trigger a scan when a file is modified.
Buy this article as PDF
Founder of ownCloud launches the Nextcloud project.
Will The Machine change the way future programmers think about memory?
The new Torus distributed storage system is available under an open source license on GitHub
Juries decides Google’s use of Java APIs Was Fair Use
But if you are not using the latest Linux kernel, your system is insecure.
Home routers will give room for custom firmware but still comply with FCC rules
Frank Karlitschek will continue to lead the open source ownCloud project
“Xenial Xerus” comes with a new packages format and several improvements for the enterprise.
Linux users can now download and install the Windows code editor
New initiative will address security and interoperability concerns around container technology.