Is there a similar facility for Linux distro system packages? Like the Windows DISM command, I want to be able to know if e.g. some malware or other software has changed a system file... I can't believe this is not a standard thing in Linux distros already.

It is. Most distros have a verify built into their packaging systems. For example: https://docs.redhat.com/en/documentation/red_hat_enterprise_...
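As an added example (not part of the thread or of any distro's tooling): a shell filter that triages `rpm -Va`-style verify output, keeping only non-config files whose content digest changed, that are missing, or whose digest could not be read. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage package-verify output in the rpm format.
# Each line is 9 result characters (SM5DLUGTP), an optional attribute
# marker (c = %config, g = %ghost, ...), then the file path.
# Position 3 is the digest check: "5" = differs, "?" = could not be tested.

triage_rpm_verify() {
    awk '
    {
        p = index($0, " /")              # the path starts at the first " /"
        if (p == 0) next
        path = substr($0, p + 1)
        n = split(substr($0, 1, p - 1), f, " ")
        flags = f[1]
        attr = (n >= 2) ? f[2] : ""

        # Config and ghost files are expected to change after install.
        if (attr == "c" || attr == "g") next

        if (flags == "missing") { print "MISSING " path; next }
        if (length(flags) != 9) next     # not a verify result line

        d = substr(flags, 3, 1)
        if (d == "5")      print "CHANGED " path
        else if (d == "?") print "UNREADABLE " path
        # Anything else (e.g. mtime-only drift) is not a content change.
    }'
}

# Constructed sample input, in the layout rpm prints for failed checks.
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ssh
.......T.    /usr/lib64/libfoo.so.1
missing     /usr/sbin/auditd
..?......    /usr/bin/sudo
EOF
}

sample_rpm_verify_output | triage_rpm_verify
```

On a live system, pipe `rpm -Va` (or `dpkg --verify`, which prints the same layout) into `triage_rpm_verify`. The comparison is against the local package database, so the result is only as trustworthy as that database.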