Tuesday, April 25, 2017

Aide made easy

The aide program is a good tool for seeing whether anything important has changed on your system. It works by creating a baseline, which you later compare with the current system to see what changed. It can track added files, deleted files, and changed files. For changed files, it can tell you which attribute changed, such as owner, group, other permissions, size, time, or extended attributes, or whether the file contents changed, yielding a new SHA256 hash of the file.

The only wrinkle is that it requires you to actually move the database after you create it. From the command line that is a bit cumbersome because you need to figure out where things go.

I have a couple of little scripts that simplify using the aide program: aide-init and aide-check. You can install these into /root/bin for ease of use. This is aide-init:

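#!/bin/sh
# Rebuild the aide baseline and move it to where "aide -C" looks for it.
echo "Creating temp copy of aide database"
# Remove the previous database and any leftover aide.db.new.gz.
rm -f /var/lib/aide/*
# Stop if initialization fails, so we never announce a baseline that was not built.
aide -i || exit 1
echo "Overwriting stored aide database."
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz || exit 1
echo "Aide is ready for use."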


and aide-check:

#!/bin/sh
# Compare the current system against the stored baseline.
aide -C


The only reason I have aide-check is just for symmetry. If you have an init, you should have a check.

So, the way to use these is to run aide-init to establish a baseline. Then, the next time you log in, run aide-check to see if anything has changed. If so, investigate. If you are satisfied that all changes are explained, run aide-init again. Also, if you see an update that needs to be installed, immediately do an aide-init after the update so that you have all changes rolled up into the database.
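
If you want to run the check from a script instead of reading the report by eye, the exit status of aide -C tells you which kind of change was found. The following is an added example, not one of the scripts from this post; it relies on the exit codes documented in aide(1), and the function names and the --run switch are made up for illustration.

```shell
#!/bin/sh
# Added example: interpret the exit status of "aide -C".
# Per aide(1), a check exits with a bitmask:
#   1 = new files, 2 = removed files, 4 = changed files (values add up),
# and 14 or higher means aide itself hit an error. Anything above 7 is
# treated as an error here.

# decode_aide_status STATUS: print a one-line summary (hypothetical helper).
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -gt 7 ]; then
        echo "error"
        return 0
    fi
    summary=""
    [ $(( $status & 1 )) -ne 0 ] && summary="$summary added"
    [ $(( $status & 2 )) -ne 0 ] && summary="$summary removed"
    [ $(( $status & 4 )) -ne 0 ] && summary="$summary changed"
    echo "${summary# }"
}

# aide_check_report: run the check and return
#   0 = nothing changed, 1 = differences to investigate, 2 = aide failed.
aide_check_report() {
    rc=0
    aide -C || rc=$?
    result=$(decode_aide_status "$rc")
    echo "aide-check: $result"
    case $result in
        clean)  return 0 ;;
        error)  return 2 ;;
        *)      return 1 ;;
    esac
}

# Only touch the system when asked to (assumed switch, e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    aide_check_report
    exit $?
fi
```

A result of 2 means the check did not run properly (for example, the database is missing), which is different from "nothing changed".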

I have one interesting side note on this. I am leasing a VPS system for security research. A VPS system is a Virtual Private Server which is based on container technology. The interesting thing is that I can see when the host updates under me (since I share the base image with other servers).

Anyways...just thought I'd pass this along in case anyone finds this useful.
