Determine when, and by whom, a CentOS 6 package was installed.

Thomas Cameron thomas.cameron at camerontech.com
Wed Dec 31 13:45:25 MST 2014


On 12/31/2014 09:35 AM, Matt Graham wrote:
> On 2014-12-31 06:13, Keith Smith wrote:
>> I am trying to determine who installed GIT and when GIT was
>> installed and what repository it came from. The date stamp on
>> /usr/share/git-core says Oct 31 16:55.  The server did not exist
>> until early November.
> 
> /root/install.log should contain the packages installed from the
> normal installer or the kickstart installer.  Things installed
> after that would be recorded in /var/log/yum.log .  However,
> this'll only tell you when the RPM was installed, not which
> non-root user was responsible or which repository it came from.
> You could try "rpm -q -f /usr/share/git-core/templates/description
> --qf %{NAME}%{INSTALLTIME}%{VENDOR}" and convert the timestamp
> from seconds-since-epoch to a regular time as well.
> 
> If the log files and RPM database don't contain anything about a
> git RPM, then whoever installed it might've done "./configure
> --prefix=/usr && make && su -c 'make install' ".  At that point,
> you go trawling through users' .bash_history files....
> 

Might be in /var/log/yum.log, and if you archive your
/var/log/messages and /var/log/secure files, it might be in there, as
well (assuming someone used su to install).
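
The checks suggested in this thread, put together as an added example that is not part of any poster's message: find the install time of a package in yum.log text, then list su sessions to root opened shortly before it in /var/log/secure text. The function names, host name, user names and every log line are constructed for illustration; the logs carry no year, so the correlation only covers a single day.

```shell
#!/bin/bash
# Added example. All log lines below are constructed samples, not data from the thread.
SAMPLE_YUM_LOG='Nov 05 10:02:11 Installed: perl-Error-0.17015-4.el6.noarch
Nov 05 10:02:13 Installed: git-1.7.1-3.el6_4.1.x86_64
Nov 06 09:00:00 Updated: openssl-1.0.1e-30.el6_6.4.x86_64'
SAMPLE_SECURE='Nov  5 09:58:40 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Nov  5 10:01:47 web01 su: pam_unix(su:session): session opened for user root by alice(uid=501)
Nov  5 14:30:02 web01 su: pam_unix(su-l:session): session opened for user root by bob(uid=502)'

# Live query from the thread, with separators added and the :date formatter
# of rpm doing the epoch conversion. $1 = a file owned by the package.
rpm_owner_info() {
  rpm -q -f "$1" --qf '%{NAME} | %{INSTALLTIME:date} | %{VENDOR}\n'
}

# Print "Mon DD HH:MM:SS" for each "Installed:" entry of package $2 in yum.log text $1.
yum_install_time() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $4 == "Installed:" {
      n = $5; sub(/^[0-9]+:/, "", n)            # drop an epoch prefix such as "1:"
      if (index(n, p "-") == 1 && substr(n, length(p) + 2, 1) ~ /[0-9]/)
        print $1, $2, $3                        # name must be followed by a version
    }'
}

# Print "HH:MM:SS user" for su sessions to root opened on the same day as $2
# ("Mon DD HH:MM:SS") and at most $3 minutes before it. $1 = /var/log/secure text.
su_sessions_before() {
  printf '%s\n' "$1" | awk -v when="$2" -v win="$3" '
    function secs(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    BEGIN { split(when, w, " "); target = secs(w[3]) }
    $1 == w[1] && $2 + 0 == w[2] + 0 && /session opened for user root by/ {
      d = target - secs($3)
      if (d >= 0 && d <= win * 60) { u = $NF; sub(/\(.*/, "", u); print $3, u }
    }'
}

t=$(yum_install_time "$SAMPLE_YUM_LOG" git)
echo "git installed: $t"
echo "root su sessions in the 15 minutes before: $(su_sessions_before "$SAMPLE_SECURE" "$t" 15)"
```

On a real host, pass "$(cat /var/log/yum.log)" and "$(cat /var/log/secure)" (plus any rotated copies) in place of the sample variables.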


More information about the PLUG-discuss mailing list