Monday 13 August 2007

Osiris

I implemented Osiris version 4.2.3 in the company. I compiled it on Fedora 7 and run it on VMware ESX.

Web site:
http://osiris.shmoo.com/

You can find a comparison of host integrity tools here:
http://www.securityfocus.com/infocus/1771

Osiris:
Osiris is a Host Integrity Monitoring System that periodically monitors one or more hosts for change. It maintains detailed logs of changes to the file system, user and group lists, resident kernel modules, and more. Osiris can be configured to email these logs to the administrator. Hosts are periodically scanned and, if desired, the records can be maintained for forensic purposes. Osiris keeps an administrator apprised of possible attacks and/or nasty little trojans. The purpose here is to isolate changes that indicate a break-in or a compromised system. Osiris makes use of OpenSSL for encryption and authentication in all components.

Filtering is a bit complicated. A filter is a regular expression that is matched against each change record; records that match are suppressed from the report. This one drops mtime, ctime, checksum and inode changes for anything with "_dwh" in its path under the Oracle home on hosts whose name starts with "mq":
\[mq.*\]\[.*\]\[/opt/oracle/product/RDBMS10g/.*_dwh.*\]\[(mtime|ctime|checksum|inode)\]
.* is the regular-expression equivalent of * in a Unix shell: it matches any run of characters, including none, and it is greedy, so it can also run across field boundaries. \[ and \] match the literal square brackets that delimit the fields of a record. Be aware that .*_dwh.* matches any file whose name contains "_dwh" anywhere below the Oracle home, scripts and binaries included, while a name like spfiledwh.ora (no underscore) is not matched at all, which is why it still needs an explicit exclude below.
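To see what the filter above actually suppresses, here is an added example (not from the original post and not Osiris code) that runs the posted regex, and a tighter rewrite, over a handful of constructed change records. The bracketed [host][type][path][attribute][old][new] layout of the sample records and the intent behind the tighter filter (only the dbs/ and admin/dwh/ trees) are my assumptions; the point is the regex semantics, not the exact Osiris record format.

```python
import re

# The filter exactly as posted: suppress mtime/ctime/checksum/inode changes
# for anything containing "_dwh" below the Oracle home on hosts named mq*.
POSTED_FILTER = (r"\[mq.*\]\[.*\]\[/opt/oracle/product/RDBMS10g/.*_dwh.*\]"
                 r"\[(mtime|ctime|checksum|inode)\]")

# Tighter rewrite (assumption: the intent is only the instance's dbs/ and
# admin/dwh/ trees). The record is anchored at the start and [^]]* keeps each
# field inside its own brackets; that form is valid in both Python and POSIX
# regex engines, so it does not rely on a particular dialect.
TIGHTER_FILTER = (r"^\[mq[^]]*\]\[[^]]*\]"
                  r"\[/opt/oracle/product/RDBMS10g/(dbs|admin/dwh)/[^]]*_dwh[^]]*\]"
                  r"\[(mtime|ctime|checksum|inode)\]")

# Constructed sample records (not captured Osiris output). The field layout
# is an assumption chosen to match the shape the posted filter expects.
SAMPLE_LOG = """\
[mq01][cmp][/opt/oracle/product/RDBMS10g/dbs/spfiledwh.ora][mtime][old][new]
[mq01][cmp][/opt/oracle/product/RDBMS10g/dbs/hc_dwh.dat][checksum][old][new]
[mq01][cmp][/opt/oracle/product/RDBMS10g/bin/oracle][checksum][old][new]
[mq01][cmp][/opt/oracle/product/RDBMS10g/bin/backup_dwh.sh][checksum][old][new]
[mq01][cmp][/etc/passwd][checksum][old][new]
[web01][cmp][/opt/oracle/product/RDBMS10g/dbs/hc_dwh.dat][mtime][old][new]
[mq01][cmp][/opt/oracle/product/RDBMS10g/dbs/hc_dwh.dat][mode][old][new]
"""

FIELD = re.compile(r"\[([^]]*)\]")


def fields(record):
    """Split one bracketed record into its field values."""
    return FIELD.findall(record)


def apply_filter(pattern, log_text):
    """Return (suppressed, reported) record lists for one filter regex.

    A filter is an unanchored regex search over the whole record, which is
    what makes a loose .* pattern match more than intended.
    """
    rx = re.compile(pattern)
    suppressed, reported = [], []
    for record in log_text.splitlines():
        if not record.strip():
            continue
        (suppressed if rx.search(record) else reported).append(record)
    return suppressed, reported


def suppressed_paths(pattern, log_text=SAMPLE_LOG):
    """Paths (third field) of the records a filter would hide."""
    return [fields(r)[2] for r in apply_filter(pattern, log_text)[0]]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_FILTER), ("tighter", TIGHTER_FILTER)):
        suppressed, reported = apply_filter(pattern, SAMPLE_LOG)
        print(f"{name} filter: {len(suppressed)} suppressed, {len(reported)} reported")
        for record in suppressed:
            print("  drop  ", record)
        for record in reported:
            print("  alert ", record)
```

Run it and the posted filter hides the checksum change to bin/backup_dwh.sh (a script, because its name happens to contain "_dwh"), while it still reports spfiledwh.ora, the mode change, and the same file on web01. The tighter filter keeps the dbs/ noise out of the report without touching anything under bin/.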

You can also exclude paths in the host's scan configuration. The exclude file patterns are regular expressions: the ones wrapped in ^ and $ match one exact path, whereas the quoted snapcf_dwh.f pattern is unanchored and matches any path that contains that string. NoEntry stops the scanner from descending into the listed directories (here the Oracle log, dump and audit directories, which change constantly):

exclude file (^/opt/oracle/product/RDBMS10g/dbs/spfiledwh.ora$)
exclude file (^/opt/oracle/product/RDBMS10g/dbs/lkDWH$)
exclude file (^/opt/oracle/product/RDBMS10g/dbs/orapwdwh$)
exclude file ("product/RDBMS10g/dbs/snapcf_dwh.f")
exclude file (^/opt/oracle/product/RDBMS10g/dbs/hc_dwh.dat$)
Recursive 1
NoEntry product/RDBMS10g/rdbms/log
NoEntry product/RDBMS10g/admin/dwh/bdump
NoEntry product/RDBMS10g/rdbms/audit
NoEntry product/RDBMS10g/network/log
NoEntry product/RDBMS10g/oc4j/j2ee/OC4J_DBConsole_*_dwh/log
NoEntry product/RDBMS10g/css/log
NoEntry product/RDBMS10g/admin/dwh/udump
NoEntry product/RDBMS10g/css/init
NoEntry product/RDBMS10g/oc4j/j2ee
IncludeAll
