I think someome with physical access to my laptop has logged in, how can I prove this to be the case? I already have heads, but this wouldn’t be able to detect changes other than just the boot process.
Trivially, examine contents of
last, but that’s equally trivial to
subvert, as is the case with any logs.
You could examine files to see if any have been altered recently, but
again, a serious attacker would have guarded against this.
find <target> -mtime -1 -ls will show you files changed in the last
You could examine logs in /var/log/qubes to see if anything looks
untoward with qube activity.
Unless you are running some form of IDS it’s extremely unlikely you will
be able to prove anything, unless the “someone” is incompetent or
doesn’t care about leaving traces.
Did you leave your laptop unattended while logged in? It’s not worth the
stress to do this, despite the convenience.
For heads, if your TOTP is still matching then you can be pretty safe in assuming the firmware hasnt been compromised, and as long as you are using the /boot signing protection that your kernel etc is all just fine if no error is thrown up when it compares the hashes to your signed copy of the hash file. Assuming you can vouch for the physical security of your USB signing key. If not, scorched earth sadly.
Personally I have file integrity checker running in Dom0 (AIDE, yeah its old but does the job i need) so that if heads TOTP matches, the /boot signing matches my sig, the USB signing key has not been out of my possession and AIDE reports no unexpected file changes (and the hash of the DB matches my offline copy of the hash) then I am reasonably comfortable that the integrity of the system is assured. I can always scorch individual Qubes and remove/re-install templates from repos if there is suspicion an individual Qube or template has been tampered with.
@unman makes good suggestions on time of file modification and looking in logs. I also echo. the questions around your personal security practice if a third party has been able to use the machine - are you saying that they have your password, or that you left the machine logged in?
Tripwire for me - even older, but still workable. I run it in dom0,
significant templates and crucial qubes.
Strongly recommend some form of IDS.
I just posted a lengthy post that included this topic.
I couldn’t find anything in logs
But… couple months back I noticed all logs were deleted for the whole day… despite seeing I’d actually sent an email in the morning…
I think this coincided with those issues with updates not working due to a pgp key being revoked/updated / some Python error involving the 4.1 upgrade?
But this is slightly alarming.
I was trying to brush it off as paranoia but
Are we sure that some kind of compromise may have occurred?