Find Exact Installation Date Of Linux

Ran into an interesting question today while trying to debug a problem with a monitoring tool: what was the exact installation date of the Linux system on this server? I mean, this is something you don't try to find every day, and for a second I was like … yeah… I don't think any of the logs go back far enough to actually find that information. After some research I actually found a few neat ways to find that information.




Find exact installation date of Linux using tune2fs:


The quickest and most secure way is to find out when the filesystem was created. First, find out information about your partitions.


root@kali: # 
root@kali: # fdisk -l

Disk /dev/sda: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0004ed66

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13       96256   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              13        4178    33456128   8e  Linux LVM
/dev/sda3            4178       10443    50329989+  8e  Linux LVM

Alright, so it looks like /dev/sda1 is the boot partition. Let's find out when it was created:


root@kali: # tune2fs -l /dev/sda1 | grep 'Filesystem'
Filesystem volume name:
Filesystem UUID: 7cd806f8-7940-4b53-8d7a-7b59bebd834f
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
Filesystem flags: signed_directory_hash
Filesystem state: clean
Filesystem OS type: Linux
Filesystem created: Tue Oct 11 13:53:37 2011

Looks like this filesystem was created on Tue Oct 11 13:53:37 2011. Woo, that's like 7 years! This command works on any Linux distro, so it's more universal.


Find exact installation date of Linux using apt history:


Now, I don't think anyone here ever went into their /var/log folder and deleted the apt history. I mean, there's no reason to, right?


Simply run the following command and find the date on the first line:


root@kali: # head /var/log/apt/history.log

Start-Date: 2011-10-12 00:54:33
Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17), installation-report (2.39ubuntu4)
End-Date: 2011-10-12 00:54:33

Start-Date: 2011-10-12 00:54:34
Install: lvm2 (2.02.54-1ubuntu4.1), libdevmapper-event1.02.1 (1.02.39-1ubuntu4.1), watershed (5)
End-Date: 2011-10-12 00:54:34

Start-Date: 2011-10-12 00:54:37
root@kali: #

Now see the difference? The apt log tells me the first entry is from Start-Date: 2011-10-12 00:54:33, but the filesystem was created back on Tue Oct 11 13:53:37 2011. What that tells me is there's a chance some logs are missing from the history (rolled into an archive or overwritten maybe, I don't know).


I think I will stick with the tune2fs command, as that output is more likely to be right unless you went in and mucked around with the boot sector or did re-partitioning using some external tools on a virtual machine. BTW guys, I know what you're thinking … yes, I changed the system hostname and it's not Kali Linux, it's a Debian flavour though. What's the oldest *NIX system you've worked on? Let me know via comments (as always, the comment section doesn't require signup and it's anonymous, so feel free).
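The comparison between the two sources can be scripted. This is an added example, not from the original post: it normalises the tune2fs timestamp to the same format apt uses, takes the earliest Start-Date across whatever apt history text it is given (so rotated logs can be included), and reports which source is older. The function names and sample variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: compare filesystem creation time with the earliest apt entry.
# Both tools print local time, so the values are comparable on the same host.

# Read `tune2fs -l` output on stdin, print "Filesystem created" as YYYY-MM-DD HH:MM:SS.
fs_created_iso() {
    awk '/^Filesystem created:/ {
        # $3..$7 = weekday, month name, day, time, year (ctime layout)
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $4) + 2) / 3
        printf "%04d-%02d-%02d %s\n", $7, m, $5, $6
        exit
    }'
}

# Read apt history text on stdin (current log plus any rotated ones),
# print the earliest Start-Date. ISO timestamps sort correctly as text.
apt_earliest() {
    awk '/^Start-Date:/ { print $2, $3 }' | sort | head -n 1
}

# $1 = filesystem time, $2 = earliest apt time (may be empty).
# Prints the older timestamp, prefixed with the source it came from.
install_estimate() {
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sed '/^$/d' | sort | head -n 1)
    if [ "$oldest" = "$1" ]; then echo "filesystem $1"; else echo "apt $2"; fi
}

# Constructed sample input, trimmed from the outputs shown above.
SAMPLE_TUNE2FS='Filesystem state: clean
Filesystem OS type: Linux
Filesystem created: Tue Oct 11 13:53:37 2011'
SAMPLE_APT='Start-Date: 2011-10-12 00:54:33
Install: libpci3 (3.0.0-4ubuntu17), pciutils (3.0.0-4ubuntu17)
End-Date: 2011-10-12 00:54:33

Start-Date: 2011-10-12 00:54:34'

fs=$(printf '%s\n' "$SAMPLE_TUNE2FS" | fs_created_iso)
apt=$(printf '%s\n' "$SAMPLE_APT" | apt_earliest)
install_estimate "$fs" "$apt"

# On a live Debian-family host (as root), feed real data instead:
#   fs=$(tune2fs -l /dev/sda1 | fs_created_iso)
#   apt=$( { cat /var/log/apt/history.log; zcat /var/log/apt/history.log.*.gz 2>/dev/null; } | apt_earliest)
```

An "apt" result means package activity predates the filesystem, which points to the filesystem having been recreated after the original install.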


Hope this helps someone.

