LinuxQuestions.org
Old 08-05-2010, 03:12 PM   #1
greta
LQ Newbie
 
Registered: Jul 2010
Posts: 2

Rep: Reputation: 0
Script for discovering improper permissions


I am trying to determine the best method for monitoring a filesystem for invalid file permissions: 777, or on an NFS share but owned by root, etc. Any suggestions? Thanks!
 
Old 08-05-2010, 04:00 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The definition of "best" depends on what causes invalid permissions and what the effect will be. For instance, if directories and files are read-only, are created once a night by automated exports and are only accessible by a select group of authorized users, then running a post-export checking script could do. However, if directory names are created on the fly by human users and need to be corrected immediately, then you obviously need to detect and respond likewise. Your method of implementing watches depends on what the file system can handle: as far as I understand the NFS protocol (which is decidedly limited), it doesn't hand out file descriptors directly but some kind of "reference". Practically speaking, NFSv4.1 has "directory notifications" so dnotify() could work (but then again the "modern" inotify variety won't AFAIK), file descriptors (like fopen) get logged so an Auditd watch (or FUSE LoggedFS) may or may not work and need to be paired with a real-time script to hand off changing permissions (in a sensible and error-free way). Maybe one of the NFS gurus could chip in their POV?
 
Old 08-13-2010, 09:37 AM   #3
greta
LQ Newbie
 
Registered: Jul 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Sensible and error free

Thanks! I am looking into notify (new one for me), but currently there are some major apps that are not playing well here and I am working with the vendor on that solution. In the meantime, there are a lot of user-created violations that I spend a lot of time trying to fix. A "sensible and error free" script is what I want. The problem is, we are a NetApps shop and do not want to alter files in such a way that triggers backup prematurely.
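
Added example, not posted by anyone in this thread: a report-only audit for the two conditions named in the first post (world-writable modes such as 777, and files owned by root on the share). The function name `audit_perms`, the tags and the output format are hypothetical; it only runs find(1) tests and never calls chmod or chown, so file modes and contents are left as they were.

```shell
#!/bin/sh
# Report-only permission audit (added example; all names are hypothetical).
# Usage: audit_perms DIR [OWNER]
#   DIR   - tree to scan, e.g. the mount point of the share
#   OWNER - account that should not own anything there (default: root)
# Output: one line per finding, "<TAG><TAB><path>".
audit_perms() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "audit_perms: not a directory: $dir" >&2
        return 2
    fi

    # World-writable entries: -perm -0002 matches 777, 666, 757, ...
    # Symlinks always show mode 777 and are skipped. Sticky directories
    # (mode 1777, like /tmp) are a normal setup and are skipped as well.
    # -xdev keeps the scan on the filesystem DIR lives on.
    find "$dir" -xdev ! -type l -perm -0002 \
        ! \( -type d -perm -1000 \) \
        -exec printf 'WORLD_WRITABLE\t%s\n' {} +

    # Entries owned by the account that should not own files here.
    find "$dir" -xdev -user "$owner" \
        -exec printf 'BAD_OWNER\t%s\n' {} +
}

# Run as a script: ./audit_perms.sh /path/to/share [owner]
if [ "$#" -gt 0 ]; then
    audit_perms "$@"
fi
```

The report can be reviewed or mailed from cron; any correction stays a separate, deliberate step.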
 
  



All times are GMT -5. The time now is 05:24 AM.
