Ran into an interesting question today while trying to debug a problem with a monitoring tool: what was the exact installation date of the Linux system on this server? I mean, this is something you don’t try to find every day, and for a second I was like … yeah … I don’t think any of the logs go back that far to actually find that information. After some research I actually found a few great ways to identify that information.
Find exact Installation date of Linux using tune2fs:
The quickest and most secure way is to find out when the filesystem was created. First, find out information about your partitions.
    root@kali:~#
    root@kali:~# fdisk -l

    Disk /dev/sda: 85.9 GB, 85899345920 bytes
    255 heads, 63 sectors/track, 10443 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x0004ed66

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          13       96256   83  Linux
    Partition 1 does not end on cylinder boundary.
    /dev/sda2              13        4178    33456128   8e  Linux LVM
    /dev/sda3            4178       10443    50329989+  8e  Linux LVM
Alright, so it looks like /dev/sda1 is the boot sector. Let's find out when it was created:
    root@kali:~# tune2fs -l /dev/sda1 | grep 'Filesystem'
    Filesystem volume name:
    Filesystem UUID:          7cd806f8-7940-4b53-8d7a-7b59bebd834f
    Filesystem magic number:  0xEF53
    Filesystem revision #:    1 (dynamic)
    Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
    Filesystem flags:         signed_directory_hash
    Filesystem state:         clean
    Filesystem OS type:       Linux
    Filesystem created:       Tue Oct 11 13:53:37 2011
Looks like this filesystem was created on Tue Oct 11 13:53:37 2011. Woo, that’s like 7 years! This command works on any Linux distro, so it is more universal.
Find exact Installation date of Linux using apt history:
Now, I don’t think anyone here ever went in their /var/log folder and deleted the apt history. I mean there’s no reason to, right?
Simply run the following command and find the date on the first line:
    root@kali:~# head /var/log/apt/history.log

    Start-Date: 2011-10-12 00:54:33
    Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17), installation-report (2.39ubuntu4)
    End-Date: 2011-10-12 00:54:33

    Start-Date: 2011-10-12 00:54:34
    Install: lvm2 (2.02.54-1ubuntu4.1), libdevmapper-event1.02.1 (1.02.39-1ubuntu4.1), watershed (5)
    End-Date: 2011-10-12 00:54:34

    Start-Date: 2011-10-12 00:54:37
    root@kali:~#
Now see the difference? Apt logs tell me the first entry is back in Start-Date: 2011-10-12 00:54:33 but the filesystem was created back on Tue Oct 11 13:53:37 2011. What it tells me is that there’s a chance some logs are missing in the history (rolled into archive or overwritten maybe, I don’t know).
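The comparison above can be scripted. This is an added example, not part of the original post: it normalizes the tune2fs creation time and the earliest apt Start-Date (rotated logs included when they are fed in) and reports the older of the two. The function names and the sample input are constructed for illustration; tune2fs only reads ext2/ext3/ext4 filesystems, and both timestamps are assumed to be in the same local timezone.

```shell
#!/bin/sh
# Added example: cross-check two install-date sources. Function names are illustrative.

# Read `tune2fs -l` output on stdin; print "Filesystem created" as YYYY-MM-DD HH:MM:SS.
fs_created() {
    awk '/^Filesystem created:/ {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
        for (i = 1; i <= 12; i++) m[n[i]] = i
        printf "%04d-%02d-%02d %s\n", $7, m[$4], $5, $6
        exit
    }'
}

# Read one or more apt history logs on stdin; print the earliest Start-Date seen.
apt_first() {
    awk '/^Start-Date:/ {
        d = $2 " " $3
        if (min == "" || d < min) min = d
    } END { if (min != "") print min }'
}

# Compare the two normalized timestamps and name the older source.
install_estimate() {
    fs=$1; apt=$2
    if [ -z "$apt" ]; then echo "$fs filesystem (no apt history)"; return; fi
    oldest=$(printf '%s\n%s\n' "$fs" "$apt" | LC_ALL=C sort | head -n 1)
    if [ "$oldest" = "$fs" ]; then
        echo "$fs filesystem"
    else
        echo "$apt apt-history (filesystem recreated after install?)"
    fi
}

# Constructed sample input, modelled on the output shown above (entries out of order on purpose).
SAMPLE_FS='Filesystem state:         clean
Filesystem created:       Tue Oct 11 13:53:37 2011'
SAMPLE_APT='Start-Date: 2011-10-12 00:54:34
Install: lvm2 (2.02.54-1ubuntu4.1)
End-Date: 2011-10-12 00:54:34

Start-Date: 2011-10-12 00:54:33
Install: libpci3 (3.0.0-4ubuntu17)'

install_estimate "$(printf '%s\n' "$SAMPLE_FS" | fs_created)" \
                 "$(printf '%s\n' "$SAMPLE_APT" | apt_first)"

# On a live system (as root), include rotated logs:
#   install_estimate "$(tune2fs -l /dev/sda1 | fs_created)" \
#                    "$(zcat -f /var/log/apt/history.log* | apt_first)"
```

If the apt history turns out older than the filesystem, the filesystem was recreated after installation and the tune2fs date is not the install date.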
I think I will stick with the tune2fs command as that output is more likely to be correct unless you went in and mucked around with the boot sector or did re-partitioning using some external tools on a virtual machine. BTW guys, I know what you’re thinking … yes, I changed the system hostname and it’s not Kali Linux, it’s a Debian flavor though. What’s the oldest *NIX system you’ve worked on? Let me know via comments (as always, the comment section doesn’t need signup and it’s anonymous, so feel free).
Hope this helps someone.
Excellent tip about filesystem creation date! Thanks for that! I have two Linux servers I have to check. One is running Red Hat Linux from somewhere around 1998. The other one is much younger, running Fedora Core 4.
Awesome info! It worked on Ubuntu Linux as well.