Samhain is an open source security tool in the same vein as Tripwire. It scans a Unix-based system, building a database of all existing files and storing the following information about each scanned file:

  • a 192-bit cryptographic checksum
  • the inode of the file
  • the type of the file
  • the file's owner and group
  • access permissions
  • the timestamps of the file
  • the file size
  • the number of hard links
  • minor and major device number (devices only)
  • the name of the linked file (if the file is a symbolic link)

Samhain then runs as a daemon, scanning the system periodically, and can alert the system administrator to any changes that occur. The daemon can send notifications via email, syslog, or any other method by running external scripts.

Samhain can take a little time to configure to your liking; improving the signal-to-noise ratio in the logfile took me a couple of days. Because it checks everything, it can generate false alarms on frequently changing items like logfiles until you add those files to an 'ignore file size changes' policy.
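To make the two ideas above concrete, here is a small added example (my own illustration, not Samhain's code) of a file-integrity checker that records the attributes listed earlier for every path and applies a per-prefix ignore policy so a growing logfile does not raise alarms while a tampered config file does. SHA-256 in place of Samhain's 192-bit checksum, the policy name and the sample tree are assumptions.

```python
import hashlib, os, stat, tempfile
from pathlib import Path
# Attributes recorded per path, following the list above; SHA-256 stands in for
# Samhain's 192-bit checksum, and lstat() keeps symlinks unfollowed.
def scan_file(path):
    st = os.lstat(path)
    rec = {"inode": st.st_ino, "type": stat.S_IFMT(st.st_mode), "owner": st.st_uid,
           "group": st.st_gid, "perms": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime_ns,
           "ctime": st.st_ctime_ns, "size": st.st_size, "nlink": st.st_nlink,
           "checksum": None, "target": None}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)            # name of the linked file
    elif stat.S_ISREG(st.st_mode):
        rec["checksum"] = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return rec

def build_db(root):
    # Baseline database: path -> attribute record for every file under root.
    return {os.path.join(d, n): scan_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

# Hypothetical policy: attributes a growing logfile may legitimately change.
GROWING_LOG = {"size", "mtime", "ctime", "checksum"}

def compare(baseline, current, policies):
    # Report new, missing and changed files; policies map a path prefix to the
    # attributes ignored beneath it (the 'ignore size changes' idea above).
    alerts = []
    for path, rec in current.items():
        if path not in baseline:
            alerts.append(f"NEW {path}")
            continue
        ignored = set().union(*(a for p, a in policies.items() if path.startswith(p)))
        changed = sorted(k for k in rec if k not in ignored and rec[k] != baseline[path][k])
        if changed:
            alerts.append(f"CHANGED {path}: {','.join(changed)}")
    alerts += [f"MISSING {p}" for p in baseline if p not in current]
    return alerts

def demo():
    # Constructed tree: a config file that must not change and a logfile expected to grow.
    with tempfile.TemporaryDirectory() as root:
        cfg, log = Path(root, "sshd_config"), Path(root, "log", "auth.log")
        log.parent.mkdir()
        cfg.write_text("PermitRootLogin no\n")
        log.write_text("session opened\n")
        baseline = build_db(root)
        log.write_text(log.read_text() + "session closed\n")   # benign growth
        cfg.write_text("PermitRootLogin yes\n")                 # tampering
        return compare(baseline, build_db(root), {str(log.parent) + os.sep: GROWING_LOG})
```

Running `demo()` returns a single alert for the config file naming the checksum and size changes, and nothing for the logfile.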

Samhain is very, very customisable. You can set it to report on files based on different attributes, such as permission changes, or tell it to treat a file as read-only and ignore only access times.

Samhain also scans login times, to match logins to file modifications, and scans for kernel rootkits.

I use this lovely piece of software in conjunction with logcheck to send me emails whenever a change is detected on one of the servers I manage. I cannot recommend it too highly; in my opinion it should be in every security-conscious sysadmin's toolkit.