Pages

Thursday, January 24, 2013

Get installation date

If you need to determine the installation date of your server then you have a couple of options like look into your network documentation, check for install logs on the server etc. In most cases you don't have these kind of options and with all the different Linux distributions around it can get difficult to get a proper installation date. The next few hints are really just hints to give you a small clue when the installation date was.

With stat you can check the access, modify and change date of a file and a directory. Just take a look at /bin/ls:

# stat /bin/ls
...
Access: 2013-01-17 10:36:21.694010574
Modify: 2011-04-14 22:30:32.000000000
Change: 2011-09-02 14:16:52.631162782


The output shows a change date 09/02/2011 for the file. This is the data when the file was changed the last time, eg. created. /bin/ls might be a bad choice because it could get updated and it is just an example. You probably should pick another file than /bin/ls.
From my point of view it is much safer to look at the directory /lost+found (only when your system is healthy). /lost+found will be created when the operating system installs. When your harddisk/filesystem is OK then it will never get used:

# stat /lost+found
...
Access: 2012-03-13 04:40:05.408839654
Modify: 2011-09-02 14:16:09.000000000
Change: 2011-09-02 14:16:09.000000000


Again the change date is 09/02/2011.
A complete different way to get the installation date is last. last reads the binary file /var/log/wtmp. /var/log/wtmp contains information about logged in and logged out users, shutdown and system boot. The nice part about /var/log/wtmp and the installation date is that it stores also information when was written first:

# last | tail -1
wtmp begins Sat Sep  3 12:26:08 2011


The output indicates 09/02/2011 as the beginning date. The problem with last is that some operating system will rotate the file and then /var/log/wtmp gets a new begin date.
Another chance to get the installation date is the creation date of a file system. First get the used disk for the root file system:

# mount
/dev/sda2 on / type ext4 (rw,relatime,barrier=1,data=ordered)
...


For a ext4 file system you can use dumpe2fs to get the creation date:

# dumpe2fs /dev/sda2 | grep create
dumpe2fs 1.41.14 (22-Dec-2010)
Filesystem created:       Fri Sep  2 14:16:09 2011


And again 2011-09-02 is the date.
After all this I can be more or less sure that 09/02/2011 was the installation date of the server. As far as I can tell there is no direct safe way to get the installation date of a server if you don't have any access to any related documentation or logs. You can just check some facts and use your common sense.
- Try to look for timestamps of files and directories. Keep in mind that files and directories can change through updates, failures etc. When the server is a web server don't use /etc/http/httpd.conf. Chances are good that this file has been changed multiple times after the original installation.
- Try to use last for reading /var/log/wtmp and check the begin date. In this case you also should check log rotating on the server. /var/log/wtmp might have been rotated after the original installation.
- Try to get the file system for the root file system and check the documention for it if it stores the creation date. But this is very file system dependent.

No comments:

Post a Comment