by heroprotagonist
4274 days ago
There is security software which can restrict even root access to files. One such example is CA ControlMinder. It can protect files/programs/processes at the kernel level and redirect authorization attempts through its own authorization engine and then back through the original syscall (if permitted). So, you shouldn't, but you could chmod a file to have world-read/world-write access and then set default access to the file to 'none' via this authorization engine and it would still be inaccessible to all users (even root). You can form more granular controls, such as 'this file can only be accessed by the process launched by program with device/inode xx/yy', and 'this program cannot be launched if any of these 8 attribute checks show as being modified'.. By the same interception mechanism, auditing can be performed which records when specified files are accessed, by whom, and which server they had originally connected from when they did it. An audit only mode can simply monitor activity without performing any denials. Add in a keylogger that targets terminals of specific users, or just specific surrogate accounts (eg, when any user su's to root) and you can get a closer inspection of all activity performed (and not just activity to specific protected files/resources). So, it's possible to tell what's been compromised, but one would need to be running such security software and have it properly configured for auditing the right resources. This isn't a trivial task to perform across environments with tens of thousands of servers. |
|