This week’s TechMail is “Monitor your system for threats with rsec alerts”, which discusses the rsec tool I forked from Mandriva’s msec years ago (for Annvix). It’s been updated and is available for Red Hat Enterprise Linux 5 (and CentOS 5), as I think it’s still a pretty good tool and complements stuff like logwatch quite nicely. rsec essentially reports on various bits of your system: it lets you know if there are changes to suid/sgid files, points out unowned files and changes to firewall rules, indicates if there are new packages to install, if there are changes to listening services, etc. Basically it took all the best bits (reporting) of msec and got rid of all the crappy bits (that change things).
I have heard that msec is now much better, but have not had a chance to try it, although I do try to keep up with the changes to msec related to reporting and fold those back into rsec.
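
As an added illustration of the report-only approach described above (a sketch, not rsec's or msec's own code): a shell check that records suid/sgid files, reports what changed since the previous run, and changes nothing on the scanned system. The function names, the state file names and the use of GNU `find`/`stat` are assumptions of this example.

```shell
#!/bin/sh
# Report-only suid/sgid change check (added illustration; not rsec's code).
# Function and state file names are assumptions made for this example.

# snapshot_suid ROOT
# Print one "mode owner:group path" line per suid or sgid regular file
# under ROOT, staying on one filesystem, sorted in the C locale.
snapshot_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | LC_ALL=C sort
}

# check_suid ROOT STATE_DIR
# Compare the current snapshot with the one saved by the previous run and
# print ADDED/REMOVED lines. A mode or owner change on an existing file
# shows up as one REMOVED line plus one ADDED line. The scanned files are
# never modified; only the baseline inside STATE_DIR is rotated.
check_suid() {
    root=$1
    state=$2
    mkdir -p "$state" || return 2
    new="$state/suid.today"
    old="$state/suid.yesterday"

    snapshot_suid "$root" > "$new"

    if [ -f "$old" ]; then
        # comm needs both inputs sorted the same way, hence LC_ALL=C.
        LC_ALL=C comm -13 "$old" "$new" | sed 's/^/ADDED   /'
        LC_ALL=C comm -23 "$old" "$new" | sed 's/^/REMOVED /'
    else
        # First run: nothing to compare against, just record the baseline.
        echo "BASELINE $(wc -l < "$new" | tr -d ' ') suid/sgid files recorded"
    fi

    mv "$new" "$old"
}

# Typical use from a daily cron job, mailing only when something changed:
#   out=$(check_suid / /var/lib/suidcheck)
#   [ -n "$out" ] && printf '%s\n' "$out" | mail -s "suid/sgid changes" root
```

Keep the state directory outside world-writable locations and readable only by root, since anyone who can rewrite the baseline can hide a change from the report.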