Tripwire:

  One of the best ways of discovering a security compromise is to
  discover changes in essential system files.  For example, most
  "root kits" --- software packages used for hacking into machines
  --- come with fake versions of the login(1) and passwd(1) commands.
  Discovering unauthorized changes to files is a hard science to do
  reliably, but a half-way decent job can be done with tripwire.

  Tripwire is a simple tool that provides a way to easily monitor and
  detect changes in file statistics.  Among the file statistics that
  it allows for monitoring are:

    File Type
    Owner
    Group
    Mode
    Last access time
    Last modification time
    Creation time
    
  It also has a variety of hashing algorithms available for monitoring
  the contents of files.

  Among the weaknesses of tripwire is its reliance on a database of the
  last recorded file statistics.  It is very difficult to set up a system
  in which you can make necessary updates to the database, but a hacker
  cannot change the database to cover up any files they have changed.