There is no way to know for sure if your system is compromised, especially not if you are dealing with an adversary advanced enough to break into dom0. Compared to breaking into dom0 altering a log file is beyond trivial.
i.e. patch rpm -Va (or a tripwire-binary) to output “everthing is fine here, go away”.
To prove that dragons don’t exist is kind of difficult, too.
If a malware wants to talk to the outside world, that communication can be hunted down with wireshark on a seperate, trustworthy machine. However, that can be difficult especially if the traffic is encrypted and headed to some (everyday) AWS-Instance.
Finding suspicious stuff like UDP-traffic without screensharing-app (or similiar) running or an iodine-tunnel might be easy. But https-traffic - in which you can’t look inside - connecting to unfamiliar hosts (maybe just the usual advertising and tracking) can be difficult.