Ran into an interesting question today while trying to debug a problem with a monitoring tool: what was the exact installation date of the Linux system on this server? I mean, this is something you don't try to find every day, and for a second I was like … yeah … I don't think any of the logs go back that far to actually find that information. After some research I actually found a few great ways to identify that information.
Find exact Installation date of Linux using tune2fs:
The quickest and most reliable way is to find out when the filesystem was created. First, list your partitions:
    root@kali:~# fdisk -l

    Disk /dev/sda: 85.9 GB, 85899345920 bytes
    255 heads, 63 sectors/track, 10443 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x0004ed66

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          13       96256   83  Linux
    Partition 1 does not end on cylinder boundary.
    /dev/sda2              13        4178    33456128   8e  Linux LVM
    /dev/sda3            4178       10443    50329989+  8e  Linux LVM
Alright, so it looks like /dev/sda1 is the boot partition. Let's find out when it was created:
    root@kali:~# tune2fs -l /dev/sda1 | grep 'Filesystem'
    Filesystem volume name:
    Filesystem UUID:          7cd806f8-7940-4b53-8d7a-7b59bebd834f
    Filesystem magic number:  0xEF53
    Filesystem revision #:    1 (dynamic)
    Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
    Filesystem flags:         signed_directory_hash
    Filesystem state:         clean
    Filesystem OS type:       Linux
    Filesystem created:       Tue Oct 11 13:53:37 2011
Looks like this filesystem was created on Tue Oct 11 13:53:37 2011. Woo, that's like 7 years! This command works on any Linux distro that uses an ext2/ext3/ext4 filesystem, so it's more universal.
Find exact Installation date of Linux using apt history:
Now, I don't think anyone here ever went into their /var/log folder and deleted the apt history. I mean, there's no reason to, right?
Simply run the following command and look at the date on the first line:
    root@kali:~# head /var/log/apt/history.log

    Start-Date: 2011-10-12 00:54:33
    Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17), installation-report (2.39ubuntu4)
    End-Date: 2011-10-12 00:54:33

    Start-Date: 2011-10-12 00:54:34
    Install: lvm2 (2.02.54-1ubuntu4.1), libdevmapper-event1.02.1 (1.02.39-1ubuntu4.1), watershed (5)
    End-Date: 2011-10-12 00:54:34

    Start-Date: 2011-10-12 00:54:37
    root@kali:~#
Now see the difference? The apt logs tell me the first entry is Start-Date: 2011-10-12 00:54:33, but the filesystem was created on Tue Oct 11 13:53:37 2011. What that tells me is there's a chance some logs are missing from the history (rolled into an archive or overwritten maybe, I don't know).
I think I will stick with the tune2fs command, as that output is more likely to be correct unless you went in and mucked around with the boot sector or did re-partitioning using some external tools on a virtual machine. BTW guys, I know what you're thinking … yes, I changed the system hostname and it's not Kali Linux; it's a Debian flavor though. What's the oldest *NIX system you've worked on? Let me know via comments (as always, the comment section doesn't need signup and it's anonymous, so feel free).
Hope this helps someone.
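The two checks above can be combined so that rotated apt logs are included and the older of the two timestamps is reported. This is an added example, not part of the original post: the function names are made up for illustration, and it assumes an ext2/3/4 filesystem and gzip-rotated apt logs (history.log.N.gz).

```sh
#!/bin/sh
# Added example: cross-check the two install-date sources discussed above.
# Function names are illustrative, not from any existing tool.

# Read `tune2fs -l` output on stdin and print the "Filesystem created:"
# timestamp as "YYYY-MM-DD HH:MM:SS", so it sorts as text against apt dates.
fs_created_iso() (
    awk '/^Filesystem created:/ {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $4) + 2) / 3
        printf "%04d-%02d-%02d %s\n", $7, m, $5, $6
        exit
    }'
)

# Print the earliest Start-Date in history.log and its rotated copies
# (history.log.1.gz, ...) under the given apt log directory.
earliest_apt_start() (
    dir=${1:-/var/log/apt}
    for f in "$dir"/history.log*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | awk '/^Start-Date:/ { print $2, $3 }' | LC_ALL=C sort | head -n 1
)

# Given both timestamps (either may be empty), print the older one and its source.
oldest_evidence() (
    {
        [ -n "$1" ] && printf '%s filesystem\n' "$1"
        [ -n "$2" ] && printf '%s apt-history\n' "$2"
    } | LC_ALL=C sort | head -n 1
)

# Live report; needs root for tune2fs. Args: <ext2/3/4 device> [apt log dir]
install_date_report() (
    fs=$(tune2fs -l "$1" 2>/dev/null | fs_created_iso)
    apt=$(earliest_apt_start "${2:-/var/log/apt}")
    echo "filesystem created : ${fs:-n/a}"
    echo "earliest apt entry : ${apt:-n/a}"
    echo "oldest evidence    : $(oldest_evidence "$fs" "$apt")"
)

# Runs only when a device is passed, e.g.: sh install_date.sh /dev/sda1
if [ $# -ge 1 ]; then install_date_report "$@"; fi
```

Both sources record local time, and both can be altered by anyone with root, so treat the result as an indication rather than proof.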
2 comments
Excellent tip about filesystem creation date! Thanks for that! I have two Linux servers I have to check. One is running Red Hat Linux from somewhere around 1998. Other one is much younger, running Fedora Core 4.
Awesome info! It worked on Ubuntu Linux as well.