Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.
As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.
For some time a number of people and companies have been using OSSEC for that job. [1] There are a couple versions of it free open source and enterprise. There are a handful of other programs that also keep an eye on checksums.
If tinkering with OSSEC one of the first steps should be to configure whitelisting for IP ranges and CIDR blocks used by your company, SNAT addresses and bastion IP's so that someone does not lock everyone out. It does a lot more than checksums.
[1] - https://www.ossec.net/
tripwire was the orginal file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaff" Spafford.
https://docs.lib.purdue.edu/cstech/1084/
Back in the 90s I fantasized about a hard drive bay with a physical write-protect switch on the cover plate.
In the mid-2000's I briefly worked for a company that did this at a firmware level ("write-blocked firmware") for USB drive adapters (IDE / SATA / whatever IDE variant laptops were using / etc). This was apparently very valuable for police and investigative services, so they could collect evidence, while being able to show that they did not tamper with the original drive.
Tenable makes some "read only" adapters for hard disks (SATA, PATA, SCSI & FW at least). They're usually sold as part of a forensic analysis kit. I have a couple and they definitely work. I believe there are a couple of other vendors (Wiebetech?) make similar devices.
The alternative (tho not practical in many cases) would be RO media like RW-DVD.