You can

• Watch network access - What is communicating to the outside? Why is it? What is it communicating? I like sniffnet
• Watch CPU and GPU usage - What is using resources? Why is it? I like Mission Center and ps auxf in the terminal
• What is using the disk? I like Filelight and Disk Usage Analyzer
• Run AV software. I don’t have any recommendations.
• And I guess sometimes you can also find it when benchmarking software because you want the absolute best performance.

You can also assume you are compromised and use a solution like a Faraday cage. If you’re trying to detect advanced spyware, it might be better to check network activity from outside the device like what network activity is the router managing for the computer.

Honestly if you’re at the point of suspecting that your Linux system is infected, just back everything up, wipe, and reinstall. Make sure to use a known good computer to make the install disk, and completely wipe the drive before install and not use existing partitions.

People have mentioned Wireshark which you can use to monitor for suspicious network activity, but IMO for most people this isn’t super helpful because it’s hard to tell what’s suspicious and what’s normal from Wireshark alone without quite a bit of networking/software knowledge. Maybe there’s more user friendly packet capture software though, something that can string the packets together into their respective connections and summarise key information like the protocol and domain involved.

QDirStat can visualize the contents of your drive as an interactive map. Might be helpful for finding files that aren’t supposed to be there.

ClamAV is an open source antivirus available for Linux but I don’t know how well it does at actually detecting Linux malware. Seems to be more for people running file/email servers to scan incoming file uploads.

Slap the top of the pc and exclaim “no spyware in this thing”.

It depends on the level of mistrust you’re willing to entertain but the short version is; no, you cannot be sure.

Ken Thompson’s 1983 talk, Reflections on trusting trust is the classic talk on just why you cannot be sure.

op, if you can’t see any spyware it’s probably fine.

DNS whitelist firewall on a router. Deny everything that is not whitelisted by address and port.

Bucket of water

Can’t have spyware if the computer doesn’t even work

You can never be sure there is no spyware because if your infected a sufficiently advanced spyware can hide itself.

In theory you can use a liveCD to scan your OS for specious signs but if someone has written bespoke spyware for you it may be hard to detect as it won’t match any of the signatures.

run a barebones environment with a trusted minimal operating system (that’s freebsd/netbsd/slackware for me)

Is this a specific PC, or a general question?

All spyware needs to get the info to the spy somehow, so as others have said, it’s probably best to watch the network traffic.

But also - not so much for home, more for an office - look out for keyloggers and weird physical devices attached to the PC, they can be sending data via other methods.

And prevention is better than cure, get a good antimalware installed - and perhaps something which only allows known good (allow listing), rather than blocking known bad (block listing).

Some of the other comments got me curious…

Is there a way to print the most recent accessed files (and time accessed and by which user) within a specific directory to terminal?