Detecting when you need to system rescue
One of the worst problems with file monitoring tools is the occurrence of false positives. If you monitor the
/etc/shadow file, for example, any time a user changes her password, you will get a file modification warning. If you update the system, you may get a flurry of warnings.
These tools cannot process an RPM or dpkg file, for example, before installation to reduce false positives. So, unless you build some additional tooling, you'll probably either turn off monitoring or start ignoring it. Additionally, if a file is modified, you can't easily compare it to the previous version unless you manually diff it against a backup copy. Thus, I strongly recommend only monitoring the critical files; if you want to monitor more, you can set that up as a different report to refer to as needed.
Modern attacks often are about getting root access, and, sadly, Linux has its share of locally exploitable vulnerabilities that can be leveraged to get root access. Once this is accomplished, an attacker can insert a rootkit to evade detection. Attackers have no real need to modify the files on the system but, if they do, they can use the rootkit to present "good" copies of the file to tools like Open Source Tripwire and AIDE.
Virtualization and cloud computing can help here. In these kinds of virtualized environments, you can easily snapshot or examine the filesystem of a running system, from outside of the running system. Thus, things like rootkits will have a much more difficult time hiding modified files from detection. You can also use network filesystems such as GlusterFS  – not only to store data but also to boot from. Because GlusterFS is based on regular filesystems, you can easily examine files from a secured system that has read-only access. Additionally, you can and should use tools like RKHunter to find various rootkits .
Because these tools must be run on a schedule, a window of time exists between scans, during which attackers can break in and not be detected even if they do modify the files being monitored. Several people have proposed using inotify to trigger scans of files as they change, but, as far as I can tell, neither Open Source Tripwire nor AIDE support this or ever will. The
incron  program, however, can be used to trigger applications when a file is changed, so you could use incron to trigger a scan when a file is modified.
Buy this article as PDF
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.
New partnership will bring more and better CS training to US schools
Criminals offer online help over Tor network
Sophisticated malware is still present on Joomla and WordPress sites around the world.
Future versions of Ubuntu's code service will support the popular Git version control system used with Linux and other open source projects.
New release marks the arrival of AMD’s unified driver strategy.