
File Monitors in Debian

The second level of intrusion detection involves monitoring the files on the system. A file integrity monitor records a baseline for each monitored file (typically a cryptographic hash together with ownership, permissions and timestamps) and later reports files that are new, deleted, or modified. Its policy decides which paths are checked, so a well-written policy reports only changes that could indicate a compromise (binaries, libraries, configuration, startup and cron files) and ignores files that are expected to change in normal operation. The most commonly used file monitor is Tripwire, and that is what the harden-environment package installs. However, Tripwire is now owned by a commercial enterprise that sells proprietary versions. While Open Source Tripwire is still available, many administrators are switching to AIDE (Advanced Intrusion Detection Environment) or Samhain as alternatives. Whichever tool you use, build the baseline database on a known-clean system (ideally immediately after installation) and keep it, along with the tool's own binary and configuration, somewhere the monitored host cannot silently rewrite (read-only media or a separate host): an intruder who can alter system files can otherwise simply update the database to match.

Configure your file monitors carefully. The rule set should catch the changes that matter (system binaries and libraries, configuration under /etc, startup scripts and cron entries) while excluding as many sources of false positives as possible (logs, spool directories, caches, package-manager state) without filtering out true positives. After a legitimate change such as a package upgrade, review the reported differences and then update the baseline so the same changes are not reported again.

The importance of filtering your results cannot be overemphasized. A report with too many false positives will be skimmed at best or ignored at worst, and either way a true positive indication of compromised files can be missed.
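The behaviour described in the two paragraphs above (report added, removed and modified files, and exclude paths that change in normal operation so they do not drown real alerts), as an added shell example written for this page. It is not code from AIDE, Tripwire, Samhain or the harden-environment package, only a minimal illustration of what those tools do. The sample tree, its file contents and the exclusion pattern are constructed for the demonstration, and the function names fim_baseline, fim_compare and fim_demo are assumed names, not any tool's interface. It assumes a GNU/Linux userland (sha256sum, find, sort, awk, sed, mktemp).

```shell
# Added illustration of file-integrity monitoring, not AIDE/Tripwire/Samhain code.
# Limitation (deliberate, to stay POSIX-shell friendly): paths containing a
# newline are not supported; real tools also record owner, mode and mtime.

# fim_baseline ROOT OUT [EXCLUDE_ERE]
# Writes one "sha256<TAB>path" line per regular file under ROOT to OUT,
# skipping every path that matches the extended regex EXCLUDE_ERE.
fim_baseline() {
    fb_root="$1"; fb_out="$2"; fb_exclude="${3:-}"
    find "$fb_root" -type f | sort | while IFS= read -r f; do
        # Filtering known noise at baseline time is what keeps reports readable.
        [ -n "$fb_exclude" ] && printf '%s\n' "$f" | grep -Eq "$fb_exclude" && continue
        printf '%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done > "$fb_out"
}

# fim_compare OLD NEW
# Prints sorted ADDED / REMOVED / MODIFIED lines for two baseline files.
fim_compare() {
    awk -F'\t' -v oldf="$1" '
        FILENAME == oldf { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
        }' "$1" "$2" | sort
}

# fim_demo: constructed scenario. Builds a tiny fake system tree, takes a
# baseline, simulates both an intrusion-like change and harmless log growth,
# then prints the report with the temporary root stripped from the paths.
fim_demo() {
    fd_root="$(mktemp -d)"
    fd_b1="$fd_root.base1"; fd_b2="$fd_root.base2"
    mkdir -p "$fd_root/etc" "$fd_root/var/log"
    printf 'root:x:0:0\n'        > "$fd_root/etc/passwd"       # constructed sample
    printf 'PermitRootLogin no\n' > "$fd_root/etc/sshd_config"  # constructed sample
    printf 'boot ok\n'           > "$fd_root/var/log/syslog"   # constructed sample

    # Logs change constantly; excluding them is the false-positive filter.
    fim_baseline "$fd_root" "$fd_b1" '/var/log/'

    # Simulated activity: a config edit (true positive), a new file, a
    # deletion, and ordinary log growth (noise that must NOT be reported).
    printf 'PermitRootLogin yes\n' > "$fd_root/etc/sshd_config"
    printf 'x\n'                   > "$fd_root/etc/ld.so.preload"
    rm "$fd_root/etc/passwd"
    printf 'more noise\n'         >> "$fd_root/var/log/syslog"

    fim_baseline "$fd_root" "$fd_b2" '/var/log/'
    fim_compare "$fd_b1" "$fd_b2" | sed "s|$fd_root||"
    rm -rf "$fd_root" "$fd_b1" "$fd_b2"
}
```

Running fim_demo prints three lines (ADDED /etc/ld.so.preload, MODIFIED /etc/sshd_config, REMOVED /etc/passwd) and nothing about the log file, which is exactly the property a production policy should have: every line in the report is something an administrator must look at. Note that the baseline files are written beside the monitored tree here only for brevity; as discussed above, a real baseline belongs on read-only media or a separate host.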
