We have recently built a Host Intrusion Detection System (HIDS) for our stake pool, and tuned it for the Guild Ops Cardano Node directory structure and monitoring.
It's based on OSSEC agents (Releases · ossec/ossec-hids · GitHub) reporting to an OSSEC server linking to Prometheus and Grafana, so you get a nice dashboard and UI for monitoring. A lot of you may already be running Prometheus and Grafana as part of the Guild Ops build, so will be familiar with these tools.
OSSEC is a very lightweight agent and can run integrity and rootkit checks as well as parsing auth files and monitoring directory changes. We are using the Linux agents, but there are agents for Windows and Mac.
Let me know if there is interest and I will write up and share back here.