Detecting when you need to system rescue
One of the worst problems with file monitoring tools is the occurrence of false positives. If you monitor the
/etc/shadow file, for example, any time a user changes her password, you will get a file modification warning. If you update the system, you may get a flurry of warnings.
These tools cannot process an RPM or dpkg file, for example, before installation to reduce false positives. So, unless you build some additional tooling, you'll probably either turn off monitoring or start ignoring it. Additionally, if a file is modified, you can't easily compare it to the previous version unless you manually diff it against a backup copy. Thus, I strongly recommend only monitoring the critical files; if you want to monitor more, you can set that up as a different report to refer to as needed.
Modern attacks often are about getting root access, and, sadly, Linux has its share of locally exploitable vulnerabilities that can be leveraged to get root access. Once this is accomplished, an attacker can insert a rootkit to evade detection. Attackers have no real need to modify the files on the system but, if they do, they can use the rootkit to present "good" copies of the file to tools like Open Source Tripwire and AIDE.
Virtualization and cloud computing can help here. In these kinds of virtualized environments, you can easily snapshot or examine the filesystem of a running system, from outside of the running system. Thus, things like rootkits will have a much more difficult time hiding modified files from detection. You can also use network filesystems such as GlusterFS  – not only to store data but also to boot from. Because GlusterFS is based on regular filesystems, you can easily examine files from a secured system that has read-only access. Additionally, you can and should use tools like RKHunter to find various rootkits .
Because these tools must be run on a schedule, a window of time exists between scans, during which attackers can break in and not be detected even if they do modify the files being monitored. Several people have proposed using inotify to trigger scans of files as they change, but, as far as I can tell, neither Open Source Tripwire nor AIDE support this or ever will. The
incron  program, however, can be used to trigger applications when a file is changed, so you could use incron to trigger a scan when a file is modified.
Buy this article as PDF
Popular open source encryption tool is vulnerable to attack
New “Yakkety Yak” edition emphasizes cloud and servers
Google finally enters the phone hardware business.
Innovative system adds a hard drive and Ubuntu Core to the RPi for an IoT hub.
Linux is two weeks younger than we thought!
The Apache Software Foundation considers retiring OpenOffice
Adobe won’t kill the plugin in 2017
Linux Foundation's big event celebrates the 25th anniversary of Linux
Linux has evolved from “won’t be a professional” project to one of the most professional software projects in the history of computers.