Logging every command and app that is launched on a PureOS system via snoopy util

Had an incident the other day where I was suspicious that someone logged into my PureOS system while I was gone. Started looking for a way to determine every command or application that was launched within a certain time frame.

I’m not aware of any capabilities for doing so natively on PureOS, but did come across the snoopy utility and it looked like the right tool for the job.

Does anyone have experience setting up and using this tool on PureOS?

1 Like

No, but unauthorized access/logins are a physical security issue I address with my security practices.

And it goes without saying that someone with physical access may be able to compromise the logging or the log file or both.

2 Likes

I should clarify that this isn’t some cloak and dagger corporate espionage scenario.

I’m merely trying to find out if children in the household have been jumping on my computer and playing games when they’re not supposed to.

4 Likes

You can use surveillance cameras to log any unauthorized attempts to physically access your computer.

Then I would assume that the normal password protection would be sufficient.

If your children are sometimes allowed to use your computer then you could give them their own usernames and passwords. That, by definition, would limit what they can access if they do use the computer. Assuming that their accounts do not have sudo access then this would also create a record of when they log in.

You might also seek to impose access hours restrictions on those accounts. (This appears to be standard PAM functionality but not enabled by default and I have not myself used it.)

If SSH access is a consideration then you might configure SSH to limit it to certain usernames i.e. yours but not theirs.

You would probably want to make sure that you have an encrypted root file system, to combat the more sophisticated child. :wink:

2 Likes
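A concrete version of the access-hours and SSH restrictions suggested above, as an added example that is not from the thread. It assumes the Debian-based PureOS layout (/etc/security/time.conf, /etc/pam.d/common-account, /etc/ssh/sshd_config.d/) and uses the placeholder account names kid1, kid2 and parent; the rule builder and the time-spec validator are helpers written for this example, not part of pam_time. Note that pam_time is consulted at login only: it refuses a login outside the allowed hours, but does not end a session that started inside them.

```shell
#!/bin/sh
# Added example (not from the thread): lock the children's accounts to set hours
# with pam_time and allow SSH only for the parent's account.
# Placeholders: accounts "kid1", "kid2", "parent"; the allowed hours.
# Paths are the Debian/PureOS ones. apply_restrictions must run as root.

# pam_time grammar for /etc/security/time.conf:  services;ttys;users;times
# Day codes: Mo Tu We Th Fr Sa Su, Wk (Mon-Fri), Wd (Sat-Sun), Al (all days);
# a time item is DAYS+HHMM-HHMM, items are joined with '|', a leading '!' negates.
DAY='(Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)'
ITEM="!?$DAY+[0-9]{4}-[0-9]{4}"

valid_timespec() {    # valid_timespec 'Wk1600-1800|Wd0900-2100'
    printf '%s\n' "$1" | grep -Eq "^$ITEM(\\|$ITEM)*\$"
}

# Emit one time.conf line for all services and ttys; several users are OR'ed with '|'.
pam_time_rule() {     # pam_time_rule "kid1 kid2" 'Wk1600-1800|Wd0900-2100'
    valid_timespec "$2" || return 1
    printf '*;*;%s;%s\n' "$(printf '%s' "$1" | tr ' ' '|')" "$2"
}

apply_restrictions() {   # apply_restrictions "kid1 kid2" 'Wk1600-1800|Wd0900-2100' parent
    kids=$1 hours=$2 admin=$3
    rule=$(pam_time_rule "$kids" "$hours") || { echo "bad time spec: $hours" >&2; return 1; }

    # 1. The rule itself.
    printf '%s\n' "$rule" >> /etc/security/time.conf

    # 2. Consult pam_time in the account stack shared by gdm, login and sshd.
    #    Debian's common-account header says local modules go before the
    #    pam-auth-update managed block, so insert at the top.
    grep -q 'pam_time.so' /etc/pam.d/common-account ||
        sed -i '1i account required pam_time.so' /etc/pam.d/common-account

    # 3. SSH for the parent only. Debian's sshd_config includes sshd_config.d/*.conf;
    #    on a release without that Include line, append the same line to sshd_config.
    printf 'AllowUsers %s\n' "$admin" > /etc/ssh/sshd_config.d/allowusers.conf
    sshd -t && systemctl reload ssh
}
```

Source the file as root and call `apply_restrictions "kid1 kid2" 'Wk1600-1800|Wd0900-2100' parent`; the validator exists because pam_time silently ignores rules it cannot parse, so a typo in the time spec would otherwise leave the accounts unrestricted without any error.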

I already give them their own accounts without admin or sudo access. Thanks for the tip on the PAM login time restriction functionality. I’m not so much interested in restricting login hours as I am in limiting the length of a login session per day. Currently it’s 30 minutes/day for gaming. If there was a way to have the GNOME session automatically log out 30 minutes after login, that would remove the huge headache of trying to police screen time.

1 Like

I’m not aware of such functionality. Depends on how technical you are. You may be able to implement a user service that gives you that.

If your “adversary” is not sophisticated, a Startup Application may do the job.

Note however that logging someone out after 30 minutes is not the same as 30 minutes per day. If you need 30 minutes per day then it will need to be stateful, using state that the adversary can’t modify or otherwise interfere with.

2 Likes
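One way to get the stateful "30 minutes per day" limit described above, as an added example that is not from the thread. The state lives in a root-owned directory and the script runs from a root cron entry or systemd timer, so the restricted account cannot reset its own counter the way it could with a Startup Application. The account names kid1 and kid2, the quota, the state directory and the script path are placeholders; `loginctl` is assumed to be available (systemd-logind, as on PureOS).

```shell
#!/bin/sh
# Added example (not from the thread): a stateful "30 minutes per day" limit.
# Run once a minute from a root cron entry or systemd timer:
#   * * * * *  root  /usr/local/sbin/screentime.sh run
# State is kept in a root-owned directory the restricted accounts cannot write,
# which is what makes the per-day counter trustworthy. Placeholders: accounts
# "kid1"/"kid2", the 30-minute quota, the state directory.
set -u

STATE_DIR=${STATE_DIR:-/var/lib/screentime}
QUOTA_MIN=${QUOTA_MIN:-30}
USERS=${USERS:-"kid1 kid2"}

today() { date +%F; }

# True if the user currently has a logind session (graphical or tty).
user_logged_in() {
    loginctl list-users --no-legend 2>/dev/null | awk '{print $2}' | grep -qx -- "$1"
}

# Charge one minute to USER for DAY. State file: "<YYYY-MM-DD> <minutes>";
# a different date on disk means a new day, so the counter restarts at 1.
# Returns 0 while the user is within quota, 1 once it is exhausted.
tick() {   # tick USER DAY [STATE_DIR]
    user=$1 day=$2 dir=${3:-$STATE_DIR}
    used=0 sday= sused=
    if [ -f "$dir/$user" ]; then
        read -r sday sused < "$dir/$user" || true
        [ "$sday" = "$day" ] && used=${sused:-0}
    fi
    used=$((used + 1))
    printf '%s %d\n' "$day" "$used" > "$dir/$user"
    [ "$used" -le "$QUOTA_MIN" ]
}

enforce() {
    day=$(today)
    mkdir -p "$STATE_DIR" && chmod 0700 "$STATE_DIR"
    for u in $USERS; do
        user_logged_in "$u" || continue
        if ! tick "$u" "$day"; then
            logger -t screentime "daily quota exhausted for $u, terminating session"
            loginctl terminate-user "$u"
        fi
    done
}

if [ "${1:-}" = run ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    enforce
fi
```

Once the quota is used up, every later login that day is terminated at the next minute tick, and the counter only resets when the date in the state file changes. The minute granularity and the fact that logind cannot tell an idle session from an active one are the trade-offs; they err on the side of counting time against the child.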

Public libraries often have session managers that attempt to limit the time of each library card holder, although they are easily bypassed with little technical knowledge.

1 Like

That bypassing could be looked at from the positive side: the kids would be learning new skills in computing… (it’s just a matter of learning where to apply that knowledge).

Concerning that first question of “how to tell if…”. If you assume that the journal wouldn’t be tampered with, you can get all kinds of info from it with grep commands. Something along the lines of
sudo journalctl | grep "Nov 29 17:" | grep "vlc"
where in this example you chain three commands together: look at your logs (journalctl), filter that by month, date and hour (exactly how the log lines start, so the timeframe is that hour, in this example from 17:00:00 to 17:59:59 [there are more fancy ways to do this and get wider frames, but I think you can make do with this for starters]), and then search for a specific app or action (in this case vlc… or you can search for login, or something else interesting).

3 Likes
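The same "which hour, which program" question as an added example that is not from the thread: first as a live journalctl query that selects the window with `--since`/`--until` instead of matching the printed timestamp, then as the grep filter from the post, run over a few constructed journal lines so its behaviour can be checked offline. The date, the account kid1 and its UID 1001 are placeholders; the sample lines are made up for this example, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): the "which hour, which program" question,
# first as a live journalctl query and then as a filter checked against
# constructed sample lines. Placeholders: the date, account "kid1", UID 1001.

# Live query. --since/--until select the window without depending on how the
# timestamp is printed, -o short-iso prints unambiguous timestamps, and extra
# arguments such as _UID=1001 or _COMM=vlc are journal field matches that keep
# only messages from that user's processes or from that program.
journal_window() {    # journal_window "2024-11-29 17:00" "2024-11-29 18:00" [MATCH...]
    start=$1 end=$2; shift 2
    journalctl --since "$start" --until "$end" -o short-iso --no-pager "$@"
}
# e.g.  journal_window "2024-11-29 17:00" "2024-11-29 18:00" _UID=1001
#       journal_window "2024-11-29 17:00" "2024-11-29 18:00" _COMM=vlc
#       journal_window "2024-11-29 17:00" "2024-11-29 18:00" | grep -E 'New session|Removed session|session opened'

# Constructed sample lines in journalctl's default "short" format (what the
# grep in the post above runs over). Not a real journal.
SAMPLE_JOURNAL='Nov 29 16:59:58 pure systemd-logind[612]: New session 7 of user kid1.
Nov 29 17:00:01 pure gdm-session-worker[1234]: pam_unix(gdm-password:session): session opened for user kid1 by (uid=0)
Nov 29 17:12:40 pure dbus-daemon[901]: [session uid=1001 pid=1300] Activating service name=org.gnome.Shell
Nov 29 17:31:05 pure vlc[1500]: main libvlc: Running vlc with the default interface.
Nov 29 17:45:10 pure systemd-logind[612]: Removed session 7.
Nov 29 18:02:13 pure sudo[1600]: kid1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/kid1 ; USER=root ; COMMAND=/usr/bin/apt'

# Count lines from one hour that mention PATTERN. The prefix is anchored to the
# start of the line and followed by ':' so "Nov 29 17" only matches the
# timestamp, never a "17" inside a message. (Single-digit days are padded with
# a space: "Nov  9".) Reads journal lines on stdin.
hour_matches() {      # printf '%s\n' "$SAMPLE_JOURNAL" | hour_matches "Nov 29 17" session
    grep -- "^$1:" | grep -c -- "$2" || true
}

# Distinct program identifiers seen in one hour: field 5 is "ident[pid]:".
programs_in_hour() {  # printf '%s\n' "$SAMPLE_JOURNAL" | programs_in_hour "Nov 29 17"
    grep -- "^$1:" | awk '{ sub(/\[.*$/, "", $5); sub(/:$/, "", $5); print $5 }' | sort -u
}
```

Reading other users' entries needs root or membership in the systemd-journal group, and the persistent journal under /var/log/journal is root-owned, so an account without sudo cannot remove the entries about itself; that is the sense in which the "assume the journal wouldn't be tampered with" condition holds for this threat model. The last sample line is the kind of thing worth grepping for across the whole day rather than one hour: a sudo refusal records who tried what, when.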