What's the best way to check if qubes is hacked?

I can only refer you back to

There is no way to know for sure if your system is compromised, especially not if you are dealing with an adversary advanced enough to break into dom0. Compared to breaking into dom0, altering a log file is beyond trivial.

i.e. patch rpm -Va (or a tripwire binary) to output "everything is fine here, go away".

To prove that dragons don’t exist is kind of difficult, too.

If malware wants to talk to the outside world, that communication can be hunted down with wireshark on a separate, trustworthy machine. However, that can be difficult, especially if the traffic is encrypted and headed to some (everyday) AWS instance.

Finding suspicious stuff like UDP traffic without a screen-sharing app (or similar) running, or an iodine tunnel, might be easy. But HTTPS traffic (which you can't look inside) connecting to unfamiliar hosts (maybe just the usual advertising and tracking) can be difficult.
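An added example (not code from the thread or from the Qubes project) of the triage described above, run over flow records captured on the separate monitoring machine. The record layout, the thresholds, the "known hosts" list and all sample flows are assumptions constructed for the example; the heuristics only narrow what a person then looks at by hand, as the post says.

```python
"""Triage of flow records captured on a separate, trusted monitoring host.

Assumed input (not from the thread): one record per flow, as you might
reduce a capture to with tshark -T fields. All records below are constructed.
"""
import math
from collections import Counter

# Constructed sample flows from one qube (10.137.0.20) as seen by the capture box.
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "10.137.0.20", "dst": "10.139.1.1", "dport": 53,
     "qname": "updates.example.org", "bytes": 120},
    # long, high-entropy leftmost label: the shape an iodine-style DNS tunnel has
    {"proto": "udp", "src": "10.137.0.20", "dst": "10.139.1.1", "dport": 53,
     "qname": "t3q0aju7zvnw2xk9hg4lr5pqbm1yc8sd.tun.example.net", "bytes": 900},
    # UDP to a port no running application accounts for
    {"proto": "udp", "src": "10.137.0.20", "dst": "203.0.113.7", "dport": 4444,
     "qname": "", "bytes": 52000},
    {"proto": "tcp", "src": "10.137.0.20", "dst": "198.51.100.9", "dport": 443,
     "qname": "", "bytes": 3100},
    # large TLS upload to a host not on the known list
    {"proto": "tcp", "src": "10.137.0.20", "dst": "203.0.113.44", "dport": 443,
     "qname": "", "bytes": 2_200_000},
]

KNOWN_HOSTS = {"198.51.100.9"}   # assumption: destinations you already expect
EXPECTED_UDP_PORTS = {53, 123}   # DNS, NTP; extend while e.g. a VoIP app is running


def shannon_entropy(s):
    """Bits per character of the string (0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dns_tunnel(qname, max_label=30, min_len=20, min_entropy=3.5):
    """True if the leftmost label is long or long-ish and high-entropy.

    Tunnels pack data into that label; ordinary hostnames are short words.
    """
    if not qname:
        return False
    first = qname.split(".")[0]
    if len(first) > max_label:
        return True
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def triage(flows, known_hosts=KNOWN_HOSTS, expected_udp_ports=EXPECTED_UDP_PORTS,
           big_tls_bytes=1_000_000):
    """Return (label, detail) findings worth a human look, in input order."""
    findings = []
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53 and looks_like_dns_tunnel(f["qname"]):
            findings.append(("dns-tunnel-like", f["qname"]))
        elif f["proto"] == "udp" and f["dport"] not in expected_udp_ports:
            findings.append(("unexpected-udp", f"{f['dst']}:{f['dport']}"))
        elif (f["proto"] == "tcp" and f["dport"] == 443
              and f["dst"] not in known_hosts and f["bytes"] >= big_tls_bytes):
            # HTTPS content is opaque; volume to an unfamiliar host is what is left to judge
            findings.append(("large-tls-to-unfamiliar-host", f["dst"]))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_FLOWS):
        print(f"{label:30} {detail}")
```

The "large TLS to an unfamiliar host" rule is deliberately weak: as the post notes, much of that is ordinary advertising and tracking, so it is a queue for manual review, not an alert.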


Can you elaborate on the RPM queries please?

Just like tripwire. And you may run a trusted rpm binary from a clean boot, just like tripwire.

However, if dom0 is not compromised, there are a lot of ways in which rpm is more handy.
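As an added example (not from the thread or from rpm itself) of what to do with the output once a trusted rpm binary has been run from a clean boot: a small parser for `rpm -Va` lines that sorts the records by how much they matter. The severity rules and all sample lines are constructed assumptions; the line format (nine verify flags or `missing`, an optional file attribute letter, then the path) is rpm's own.

```python
"""Sort `rpm -Va` output (taken from a trusted boot) by what deserves attention.

Added example; the severity rules and the sample output are assumptions,
not rpm's. The verify flags are rpm's: S size, M mode, 5 digest, D device,
L symlink, U user, G group, T mtime, P capabilities; '?' means the test
could not be run. The attribute letter is c config, d doc, g ghost,
l license, r readme.
"""
import re

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)

FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
# A change in any of these means content or security-relevant metadata moved.
CONTENT_FLAGS = set("SM5DLUGP")
ORDER = {"high": 0, "medium": 1, "unknown": 2, "low": 3}

# Constructed sample of what rpm -Va might print.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/sudo
S.5....T.    /usr/bin/ls
..?......    /usr/lib64/libcrypto.so.3
missing   d /usr/share/doc/bash/README
.......T.    /usr/lib/python3/site-packages/example.py
"""


def parse_verify_line(line):
    """Return (flags, attr, path) or None for lines that are not verify records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")


def describe(flags):
    """Human-readable list of what changed, e.g. 'size, digest, mtime'."""
    if flags == "missing":
        return "missing"
    return ", ".join(FLAG_MEANING[c] for c in flags if c in FLAG_MEANING)


def classify(flags, attr):
    """Return (severity, label) for one record under the assumed rules."""
    if flags == "missing":
        # absent docs/ghost files are routine; anything else missing is not
        return ("low", "missing-doc-or-ghost") if attr in ("d", "g") else ("high", "missing-file")
    if "?" in flags:
        # rerun from the trusted boot with enough privilege before drawing conclusions
        return ("unknown", "inconclusive")
    if attr == "c":
        # admins edit config files, but still diff them against the packaged copy
        return ("medium", "config-edit")
    if CONTENT_FLAGS & set(flags):
        return ("high", "content-or-metadata-changed")
    if "T" in flags:
        return ("low", "mtime-only")
    return ("low", "unchanged")


def triage_rpm_verify(text):
    """Parse all records and return (severity, label, path, what-changed), worst first."""
    findings = []
    for line in text.splitlines():
        rec = parse_verify_line(line)
        if rec is None:
            continue
        flags, attr, path = rec
        sev, label = classify(flags, attr)
        findings.append((sev, label, path, describe(flags)))
    findings.sort(key=lambda f: ORDER[f[0]])  # stable: input order kept within a level
    return findings


if __name__ == "__main__":
    for sev, label, path, what in triage_rpm_verify(SAMPLE_OUTPUT):
        print(f"{sev:7} {label:28} {path}  ({what})")
```

The ordering encodes the thread's point rather than a verdict: a changed digest or mode on a binary outranks an edited config file, and a `?` result means the check did not happen and must be redone, not that the file is fine.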