Ran into an interesting question today while trying to debug a problem with a monitoring tool: what was the exact installation date of the Linux system on this server? I mean, this is something you don't try to find every day, and for a second I was like … yeah … I don't think any of the logs go back that far to actually find that information. After some research I actually found a few great ways to identify that information.
Find exact Installation date of Linux using tune2fs:
The quickest and surest way is to find out when the filesystem was created. First, list your partitions:
```
root@kali:~# fdisk -l

Disk /dev/sda: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0004ed66

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13       96256   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              13        4178    33456128   8e  Linux LVM
/dev/sda3            4178       10443    50329989+  8e  Linux LVM
```
Alright, so it looks like /dev/sda1 is the boot partition. Let's find out when it was created:
```
root@kali:~# tune2fs -l /dev/sda1 | grep 'Filesystem'
Filesystem volume name:
Filesystem UUID:          7cd806f8-7940-4b53-8d7a-7b59bebd834f
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
Filesystem flags:         signed_directory_hash
Filesystem state:         clean
Filesystem OS type:       Linux
Filesystem created:       Tue Oct 11 13:53:37 2011
```
Looks like this filesystem was created on Tue Oct 11 13:53:37 2011. Woo, that's like 7 years! This command works on any Linux distro (as long as the filesystem is ext2, ext3 or ext4, which is what tune2fs reads), so it is the more universal method.
Find exact Installation date of Linux using apt history:
Now, I don't think anyone here ever went into their /var/log folder and deleted the apt history. I mean, there's no reason to, right?
Simply run the following command and look at the date on the first line:
```
root@kali:~# head /var/log/apt/history.log

Start-Date: 2011-10-12 00:54:33
Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17), installation-report (2.39ubuntu4)
End-Date: 2011-10-12 00:54:33

Start-Date: 2011-10-12 00:54:34
Install: lvm2 (2.02.54-1ubuntu4.1), libdevmapper-event1.02.1 (1.02.39-1ubuntu4.1), watershed (5)
End-Date: 2011-10-12 00:54:34

Start-Date: 2011-10-12 00:54:37
root@kali:~#
```
Now see the difference? Apt logs tell me the first entry is back at Start-Date: 2011-10-12 00:54:33, but the filesystem was created back on Tue Oct 11 13:53:37 2011. What it tells me is there's a chance some logs are missing in history (rolled into archive or overwritten maybe, I don't know).
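To put a number on that difference, here is an added example (not part of the original post) that parses both outputs and reports the gap between them. The function names are hypothetical, and the `history.log*` glob for rotated, gzip-compressed archives is an assumption about how this system rotates its apt logs.

```python
import gzip
import re
from datetime import datetime
from pathlib import Path

def fs_created(tune2fs_output):
    """Parse the 'Filesystem created:' line of `tune2fs -l` output."""
    m = re.search(r"^Filesystem created:\s+(.+)$", tune2fs_output, re.M)
    if not m:
        raise ValueError("no 'Filesystem created:' line (not ext2/3/4?)")
    # The date is ctime-style; collapse the double space used for 1-digit days.
    return datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")

def apt_start_dates(text):
    """Return every Start-Date timestamp found in apt history.log text."""
    stamps = re.findall(r"^Start-Date:\s+(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d)", text, re.M)
    return [datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S") for d, t in stamps]

def earliest_apt_entry(log_dir="/var/log/apt"):
    """Earliest Start-Date across history.log and any rotated .gz copies."""
    dates = []
    for path in Path(log_dir).glob("history.log*"):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            dates += apt_start_dates(fh.read())
    return min(dates) if dates else None

def install_gap(tune2fs_output, apt_first):
    """Time between filesystem creation and the first apt transaction."""
    # Both tools print local time without a zone, so this assumes the
    # system timezone is the same for both records.
    return apt_first - fs_created(tune2fs_output)

# Sample input copied from the command output shown in the post.
SAMPLE_TUNE2FS = "Filesystem state: clean\nFilesystem created: Tue Oct 11 13:53:37 2011\n"
SAMPLE_APT = (
    "Start-Date: 2011-10-12 00:54:33\n"
    "Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17)\n"
    "End-Date: 2011-10-12 00:54:33\n"
    "\nStart-Date: 2011-10-12 00:54:34\n"
)

if __name__ == "__main__":
    first = min(apt_start_dates(SAMPLE_APT))
    print("filesystem created:", fs_created(SAMPLE_TUNE2FS))
    print("first apt entry:   ", first)
    print("gap:               ", install_gap(SAMPLE_TUNE2FS, first))
```

On a live system, feed `fs_created()` the output of `tune2fs -l` for the device and call `earliest_apt_entry()` with no arguments.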
I think I will stick with the tune2fs command, as that output is more likely to be correct unless you went in and mucked around with the boot sector or did re-partitioning using some external tools on a virtual machine. BTW guys, I know what you're thinking … yes, I changed the system hostname and it's not Kali Linux; it's a Debian flavor though. What's the oldest *NIX system you've worked on? Let me know via comments (as always, the comment section doesn't need signup and it's anonymous, so feel free).
Hope this helps someone.