Just the other day we were auditing some of the packages on our production application servers and found a few that we were surprised about. None of us remember installing them, so we set out to try and find out who might have done it, and when it might have happened. The other two admins started grepping through the history files and looking at old, archived log data. I used the information within the RPM database and simply asked the machine when it was installed:
[[email protected] ~]# rpm -qi htop
Name : htop Relocations: (not relocatable)
Version : 0.7 Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release : 1.el5.rf Build Date: Sat 24 Nov 2007 07:24:19 AM MST
Install Date: Tue 04 Nov 2008 04:02:40 PM MST Build Host: lisse.leuven.wieers.com
Group : Applications/System Source RPM: htop-0.7-1.el5.rf.src.rpm
Size : 148330 License: GPL
Signature : DSA/SHA1, Sat 24 Nov 2007 07:29:40 AM MST, Key ID a20e52146b8d79e6
Packager : Dag Wieers <[email protected]>
URL : http://htop.sourceforge.net/
Summary : Interactive process viewer
htop is an interactive process viewer for Linux.
As you can see in the example above, the RPM database provides information on “Install Date”, including the time. With this information I was able to report to the other admins that the htop package was installed on Tue 04 Nov 2008 at 4:02:40 PM MST. That is more specific than anything they’d find looking through old log data!