Report on OS install date

Does anyone know of a good way to report back on the OS install date of a linux/unix OS? The web says a good way is to look at when the basesystem rpm was installed, but the BigFix ‘packages’ inspector doesn’t report back the package installation date (+RFE ?? ).

Any other ideas? thanks

@cstoneba

You could try the following relevance statement in an analysis or via FastQuery, but this assumes that the basesystem package is installed and that you can pull the installtime property (RFE may be needed). Our systems don’t allow for this implementation.

(name of it, version of it) of packages whose (name of it contains "basesystem") of rpm

Alternatively, you could implement the standard Fixlet to generate a file for an Analysis to report the results. For example, one of the following.

Option #1 (assumes basesystem installed)
(a) Fixlet – wait su - root -c "rpm -q basesystem --qf '%{{installtime:date}\n' > /var/opt/BESClient/basesystem_installtime.log"
(b) Analysis – lines of file "/var/opt/BESClient/basesystem_installtime.log"

Option #2
(a) Fixlet – wait su - root -c "dumpe2fs /dev/sda1 | grep 'Filesystem created:' > /var/opt/BESClient/root_filesystem_created.log"
(b) Analysis – lines of file "/var/opt/BESClient/root_filesystem_created.log"

Obviously the above would have to be customized for your environment. Additionally, it may be necessary to refresh the above log file once the file gets to a certain age (every 2 weeks?) to ensure data quality.

Hope this helps.
@cmcannady

Hi, thanks for the suggestions. Any ideas how to do it with just relevance within a property, rather than having to execute a command, write the results to a log file, and read the results into a property?

If the “installtime” property was available in the RPM object in relevance to query for basesystem it should be possible, but I’m pretty sure you’re going to have to submit an RFE to get that added. I looked in the inspector documentation and I just don’t see where that’s currently an option, hence the fixlet/analysis suggestions.

http://support.bigfix.com/inspectors/Installed%20System%20Software_Lin.html

Are there any other things that people have used in Linux to determine the install date? Creation date of a folder or file?

Unless someone has built something into their kickstart script or gold image to record the OS installation date, I’m not aware of anything from the OS/distribution level.

I would suggest looking for how to do this just in general; once you have a method, then look to implement it with BigFix.

You generally want to find a file that you can read with relevance, or a command line option to give you the answer and read the answer back with relevance.

Here are some possibilities:

It also matters if you want major OS updates to affect the answer or not. You need to define very explicitly what the answer is that you are looking for and what you are using it for.


I actually recommend creating an experimental analysis and collecting all of the possibilities on a few machines to see which options work best.

This is not perfectly accurate, but should work on RHEL family, Debian family, Mac OS, and Windows:

minima of creation times of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")

The question really becomes… how accurate do you really need the answer to be? Is this good enough, or not? Also, you can check the answers over time through experimentation when setting up a new system… mark the time the install started / finished / and the answers. Also look at very old systems to see if the answers are much newer than they should be in the case where an upgrade or patch changed the answer in a way you didn’t desire.

If you just want to know when BigFix was installed, that can also be useful:

minima of subscribe times of sites

If only every OS made it as easy as Windows:

Just looking for a date the OS was installed and preferably not impacted by OS updates (like a ServicePack). I understand it’s not perfect so some tolerance is expected and ok.

For me, this doesn’t seem to work with OEL 7 (BESAgent-9.5.4.38-rhe5.x86_64)

Default masthead location, using /etc/opt/BESClient/actionsite.afxm
Q: minima of creation times of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")
E: The operator "creation times" is not defined.

For Windows, I’m using this, which seems to work pretty well. It’s just Linux that is hard to nail down.
(((value "InstallDate" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as integer) * second) + ("01 Jan 1970 00:00:00" as local time))

Created an RFE to have the “packages of rpm” return the package installed date.

http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=109059


Can you try the following:

number of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")

Also, see if this throws an error:

(files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")

You may need to find a location for OEL 7 to add to this relevance that would have a creation time similar to the OS install time.

Q: number of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")
A: 4
T: 186307


Q: (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")
A: /
A: /root
A: /root/anaconda-ks.cfg
A: /var/log
T: 309

Well those definitely seem to be working as I would have expected.

Now I see that creation time is only available on Mac/Win:

Why aren’t more filesystem times available for all platforms? @AlanM

Seems like a good RFE


Give this a try:

minima of ( (if exists properties whose(it as string contains "creation time of <filesystem object>: time") then ( creation times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "change time of <filesystem object>: time") then ( creation times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "modification time of <filesystem object>: time") then ( modification times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "accessed time of <filesystem object>: time") then ( accessed times of it ) else NOTHINGS) ) of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")

I had to create a big IF/THEN statement to get all of the file times I could, then get the minimum of them.

I have no clue if this is going to work well to find the OS install time, but it MIGHT work to approximate that fairly well.

This should at least give results on all OSes.

Still no go on OEL 7

Default masthead location, using /etc/opt/BESClient/actionsite.afxm
Q: minima of ( (if exists properties whose(it as string contains "creation time of <filesystem object>: time") then ( creation times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "change time of <filesystem object>: time") then ( creation times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "modification time of <filesystem object>: time") then ( modification times of it ) else NOTHINGS) ; (if exists properties whose(it as string contains "accessed time of <filesystem object>: time") then ( accessed times of it ) else NOTHINGS) ) of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")
E: The operator "creation times" is not defined.
T: 199341

Q: version of client
A: 9.5.4.38
T: 102

Q: name of operating system
A: Linux Oracle Enterprise Server 7.1
T: 172

Not a good answer but sometimes the OS doesn’t give the answer. It probably should be available somewhere though. Sometimes there are also “mac specific” name variants as you have found and we should alias them to the same thing.


True. I guess I’ll just have to stick with Windows only because that is the only reliable platform I can report on installed date. Thanks for the help.

That is odd. That error should be suppressed by my IF/THEN statement.

There should still be a way to approximate it on other OSes.

What are you using this for? Could the BigFix Client install date work for this use case?

I’m trying to see when endpoints were built because it’s useful to some of our operators. We can’t rely on the BigFix Client install date because the client was not installed during time of OS install for much of our estate.


Try this:

minima of (change times of it; modification times of it) of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log"; "C:\Recovery")

Instead of trying to use IF/THEN to ignore the relevance for platforms that don’t support it, I just removed them. I was trying to be fancy and come up with something universal, but that seems to be the wrong tactic and one I usually recommend against for a first try.

For Linux that works, but c:\Recovery didn’t work for me so I removed it and added a reg value for Windows.

This works in our environment:
if (name of operating system as lowercase contains "win") then (((value "InstallDate" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as integer) * second) + ("01 Jan 1970 00:00:00" as local time)) as string else if (exists folder "/lost+found") then (modification time of folder "/lost+found" as string) else if (name of operating system starts with "Linux Oracle Enterprise Server 7") then (minima of (change times of it; modification times of it) of (files it; folders it) of ("/root/install.log"; "/"; "/var/log/installer"; "/root"; "/root/anaconda-ks.cfg"; "/var/log")) as string else "unknown"

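The approach this thread converges on for Linux, as an added shell example that is not from any participant's post: gather the basesystem RPM install time together with the change and modification times of the suggested paths, then keep the oldest value. The function names and the `--report` switch are assumptions of this example, and `stat -c` and `date -d @…` assume GNU or BusyBox userland.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the --report
# switch are assumptions made for illustration.

# Paths suggested in the thread; ones that do not exist are skipped.
CANDIDATE_PATHS="/root/install.log / /var/log/installer /root /root/anaconda-ks.cfg /var/log /lost+found"

# Epoch seconds at which the basesystem RPM was installed (nothing on non-RPM hosts).
rpm_install_epoch() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q basesystem --qf '%{INSTALLTIME}\n' 2>/dev/null || true
}

# Change time and modification time, one epoch per line, for each existing path.
path_epochs() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        stat -c '%Z %Y' "$p" 2>/dev/null | tr ' ' '\n' || true
    done
}

# Read candidates on stdin and print the oldest plausible one. Anything that is
# not a positive integer (blank lines, rpm's "not installed" text, 0) is dropped.
oldest_epoch() {
    grep -E '^[0-9]+$' |
        awk '$1 + 0 > 0 && (!seen || $1 + 0 < min) { min = $1 + 0; seen = 1 }
             END { if (seen) printf "%d\n", min }'
}

# Best available estimate for this host, as epoch seconds.
install_epoch_estimate() {
    # CANDIDATE_PATHS is left unquoted on purpose so it splits into arguments.
    { rpm_install_epoch; path_epochs $CANDIDATE_PATHS; } | oldest_epoch
}

# With --report, print one line that an analysis can read back.
if [ "${1:-}" = "--report" ]; then
    epoch=$(install_epoch_estimate)
    if [ -n "$epoch" ]; then
        date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ'
    else
        echo "unknown"
    fi
fi
```

Run with `--report` from a Fixlet and redirected into a file under /var/opt/BESClient/, the output can be read by an analysis with `lines of file`, in the same way as the two options earlier in the thread.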