2.2 AIDE

AIDE (Debian package name aide) is a program that tracks how system files are modified. It is not a complete solution, but it is a useful one. When a system is first set up, AIDE should be initialized with aideinit, which builds a database of file signatures and modification times and dates. When aide is run later, it compares the current state of each file against the stored version.

Before a system update, aide should be run to detect any unauthorized changes. If the system is clean, it can be updated. After the update, aideinit should be run again so that the updated state of the system files is stored.

Note that AIDE does not encrypt the database. This means that malware or a hacker can forge entries after modifying system files. For this reason, the AIDE database should be backed up to read-only media immediately after aideinit and restored immediately before running aide.
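
The restore-then-check step described above, as an added shell example that is not part of the original page. The function names, the mount point /media/aide-ro, the database path /var/lib/aide/aide.db and the `aide --config /etc/aide/aide.conf --check` invocation are assumptions about a typical Debian installation; adjust them to the local setup.

```shell
#!/bin/sh
# Added example: restore the trusted AIDE database from read-only media
# before every check, and report when the on-disk copy had diverged.
# Assumed locations (not from the page); override via the environment.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
RO_COPY="${RO_COPY:-/media/aide-ro/aide.db}"
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"

# Exit status 0: live database is byte-identical to the read-only copy.
# Exit status 1: contents differ (entries may have been forged).
# Exit status 2: one of the two files is missing or unreadable.
db_matches_backup() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    cmp -s "$1" "$2"
}

# Put the trusted copy in place of the live database.
# Prints "unchanged" or "replaced" so a divergence shows up in the logs;
# prints "missing-backup" and returns 2 if the medium is not mounted.
restore_db() {
    backup=$1
    live=$2
    [ -r "$backup" ] || { echo "missing-backup"; return 2; }
    if db_matches_backup "$live" "$backup"; then
        echo "unchanged"
    else
        cp -- "$backup" "$live" && echo "replaced"
    fi
}

# Run before a system update: restore first, then let aide compare the
# file system against the trusted database. A "replaced" status means the
# on-disk database was modified since the backup and should be investigated
# even if aide itself reports no changes.
pre_update_check() {
    status=$(restore_db "$RO_COPY" "$AIDE_DB") || return 2
    echo "database status: $status" >&2
    aide --config "$AIDE_CONF" --check
}

# After the update: run aideinit, then write the new database to fresh
# read-only media by hand (that step cannot be scripted on the same host
# without making the medium writable to the host).
```
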