Find exact installation date of Linux

Ran into an interesting question today while trying to debug a problem with a monitoring tool, what was the exact installation date of Linux system on this server? I mean this is something you don’t try to find everyday and for a second I was like … yeah… i don’t think none of the logs goes back that far to actually find that information. After some research I actually found few great ways to identify that information.

Find exact Installation date of Linux using tune2fs:

The quickest and most secured way is to find out when the filesystem was created. First you find out information about your partitions.

root@kali:~# 
root@kali:~# fdisk -l

Disk /dev/sda: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0004ed66

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13       96256   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              13        4178    33456128   8e  Linux LVM
/dev/sda3            4178       10443    50329989+  8e  Linux LVM

Alright, so it looks like /dev/sda1 is the boot sector. Lets find out when it was created:

root@kali:~# tune2fs -l /dev/sda1 | grep 'Filesystem'
Filesystem volume name:   
Filesystem UUID:          7cd806f8-7940-4b53-8d7a-7b59bebd834f
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
Filesystem flags:         signed_directory_hash 
Filesystem state:         clean
Filesystem OS type:       Linux
Filesystem created:       Tue Oct 11 13:53:37 2011

Looks like this filesystem was created on Tue Oct 11 13:53:37 2011. Woo, that’s like 7 years! This command works on any Linux distro, so more universal.

Find exact Installation date of Linux using apt history:

Now, I don’t think anyone here ever went in their /var/log folder and deleted the apt history. I mean there’s no reason to, right?

Simply run the following command and find the date of first line:

root@kali:~# head /var/log/apt/history.log 

Start-Date: 2011-10-12  00:54:33
Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17), installation-report (2.39ubuntu4)
End-Date: 2011-10-12  00:54:33

Start-Date: 2011-10-12  00:54:34
Install: lvm2 (2.02.54-1ubuntu4.1), libdevmapper-event1.02.1 (1.02.39-1ubuntu4.1), watershed (5)
End-Date: 2011-10-12  00:54:34

Start-Date: 2011-10-12  00:54:37
root@kali:~#

Now see the difference? Apt logs tell me the first entry is back in Start-Date: 2011-10-12 00:54:33 but filesystem was created back on Tue Oct 11 13:53:37 2011. What it tells me if there’s a change some logs are missing in history (rolled into archive or overwritten maybe, I don’t know.)

I think I will stick with the tune2fs command as that output is more likely to be correct unless you went in and mucked around with boot-sector or did re-partitioning using some external tools on a Virtual machine. BTW guys, I know what you’re thinking … yes, I changed the system hostname and it’s not Kali Linux, it’s Debian flavor though. What’s the oldest NIX* system you’ve worked on? Let me know via comments (as always, comment section doesn’t need signup and it’s anonymous, so feel free).

Hope this helps someone.