Radmind/Tripwire

The open source tool called Tripwire is a host-based intrusion detection system. It is not so much concerned with detecting intrusion attempts at the periphery of a computing system (as in Network intrusion detection systems), but rather looks for and reports on the resultant changes of state in the computing system under observation.

Intruders usually leave traces of their activities (change system state). Tripwire looks for these by monitoring key attributes of files that should not change, including binary signature, size, expected change of size, etc. - and reporting its findings. While useful for intrusion detection it can also be used for many other purposes such as integrity assurance, change management, policy compliance, and more.

Many techniques used for host-based intrusion detection were entirely or in part pioneered by Tripwire. In many senses recent efforts at managing security on computers, such as the Trusted Computing Group Trusted Platform Module are extensions of these ideas and techniques wrapped up in a piece of silicon that runs external to the CPU and is thus harder to crack.

Radmind goes beyond the general Tripwire by allowing you to reverse changes instead of only notifying the administrator. To fail tripwire means that something changed without the administrator's knowledge.