Extension Attribute to Display the OS Install Date

karthikeyan_mac
Valued Contributor

Hi,

Is there a way to check the OS Installed Date on Mac? Google search has provided such option as querying install.log, OSInstall_custom.log. But that does not work for me, since there are logs getting cleared. We have 10.6/10.7/10.8 mixed environment.

Regards,
Karthikeyan

11 REPLIES 11

donmontalvo
Esteemed Contributor III

The problem with OS installation date is if you're imaging you'll get the date the base image was created. Most of the time folks who ask for OS installation date are needing to know when a Mac was imaged.

A script at imaging time that pipes the output of "date" command to a file, and an Extension Attribute to show content of the file does the trick. Just have to make sure the file survives an OS reinstall...and hide it just in case. ;)

For computers that are already deployed, the Creation Date for your hidden admin account home directory should do the trick.

Don

--
https://donmontalvo.com

jhbush
Valued Contributor II

I got this one from Zach over at Puppet.

#!/bin/bash
declare -x perl="/usr/bin/perl"
declare -x date="/bin/date"
declare -xi FIRST_BOOT_EPOCH="$($perl -e 'print ((stat($ARGV[0]))[9]);' /var/db/SystemKey)"
declare -x  FIRST_BOOT_GUESS="$($date -r $FIRST_BOOT_EPOCH "+%Y-%m-%d %H:%M:%S")"

printf "<result>%s</result>
" "$FIRST_BOOT_GUESS"

Zach's explanation: "So this is a bit of a hard one, as to my knowledge asr does not store this data in the file system itself, and if you used a OSInstall.mpkg the /var/log/install.log might be rotated by the time the script runs. So I think you would have to do this in directly. My first impulse was to look at the /System directory, but then it occurred to me that the date there comes from the image not the first boot. So the best I could come up with would be the date the key for your system keychain was generated as this should happen at first boot most days."

karthikeyan_mac
Valued Contributor

We have some users who have their own OS and few we image. Machine we image has a plist which has the Installed date(we query the date from plist)... but we have to determine the OS Install date of the own OS installed by the user..

donmontalvo
Esteemed Contributor III

@jhbush1973 Nice...

$ ./test.sh 
<result>2011-10-24 13:38:35</result>
$
--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@jhbush1973 Circling back a few years later...we've been using:

#!/bin/bash
echo "<result>`ls -l /var/db/SystemKey | cut -d' ' -f 9-13`</result>"

Test (different machine than previous post):

$ ls -l /var/db/SystemKey | cut -d' ' -f 9-13
Oct  5  2015
--
https://donmontalvo.com

brock_walters
Contributor

Love these EA scripting posts!

So, I never did this in my environment, but, if I had, even though about 30% of my users had full admin privileges the vast majority of them would have never messed with changing date / time stamps on files. In light of this it seems to me that a pretty good indication of when a computer was imaged would be when the top level directory

/

was created.

All files on the OS X file system (or any UNIX) have an inode number, therefore, all files have a built in chronology of creation independent of date / time. Here's a command you could run to get this information:

/usr/bin/find / -maxdepth 1 -inum 2 -exec stat -f %B {} ;

That's using find to search the top level directory for a file with an inode number of 2 (which just so happens to be the inode number of)

/

without searching into any directories below that, then, using the stat command to show the inode birth date in seconds (or epoch time.) On my computer the result is:

743dae29e963466e9847abcfa82dca8a

But we can do better...

#!/bin/bash

# determine the inode birth date for / then convert seconds to "WeekdayName MonthName DD YYYY" format

eval $(/usr/bin/stat -s /)
result=$(/bin/date -j -f "%s" "$st_birthtime" "+%a %b %d %Y")
echo "<result>$result</result>"

# /usr/bin/find / -maxdepth 1 -inum 2 -exec stat -f %B {} ;
# result=$(/bin/date -j -f "%s" "$st_birthtime" "+%Y%m%d")

This uses eval with a handy feature of stat: shell output. It sets the values stat outputs as shell variables so they can be used in a script! I wish more binaries had this feature. The value we need is $st_birthtime, i.e., the inode birth date. I'm also using the date command to convert the seconds into a human-readable date.

0441adc1c8004a4e9b6eb479286be209

You could replace that line with the line I have commented at the bottom if you wanted a YYYYMMDD format instead. You may proceed with telling me why this is a bad idea but it still has some fun stuff in it. Enjoy!

donmontalvo
Esteemed Contributor III

Hmmm...my MBPr was imaged on Oct 5, 2015, but your script gives me:

$ /tmp/test.sh 
<result>Thu Nov 20 2014</result>
--
https://donmontalvo.com

brock_walters
Contributor

That actually makes sense to me: the OS is copied into the top level directory. :)

So, any suggestions out there? What would be the definitive directory to check inode birth date? Here are 2 other very low inode numbers.

02d32a5df8c546ea9b137c43ebb02cb1

1 last thing @donmontalvo -

If you run this instead does it match your last imaged date? Thanks!

#!/bin/bash

# determine the inode birth date for /System/ then convert seconds to "WeekdayName MonthName DD YYYY" format

eval $(/usr/bin/stat -s /System/)
result=$(/bin/date -j -f "%s" "$st_birthtime" "+%a %b %d %Y")
echo "<result>$result</result>"

brock_walters
Contributor

So, read back carefully through this post & tested some results:

On my computer

/usr/bin/stat -s /var/db/SystemKey

outputs a converted date of Sun Aug 30 2015. All of these, however

/usr/bin/stat -s /var/db/install.log /var/db/.AppleSetupDone /System/Library/CoreServices/.disk_label.contentDetails | awk '{print $12}'

return Thu Apr 23 2015. This means that my System Keychain was generated again after my OS install. It has also been recreated several times since then, so, I don't think it's the definitive file to look at...

The install log file on my system has inode number 27 - pretty low. But, I was not thinking about this correctly when I started, e.g. my /System folder has inode number 36, but, stat -s shows it has an inode birthdate of Tue Sep 09 2014 - 8 months before the creation of the install.log & .AppleSetupDone (files that I know for certain were created at the time of the install.) inodes apparently don't change when a file or directory is copied to a new location on the same filesystem, meaning, DURING IMAGING. Unfortunately, as mentioned above the install.log file might not be definitive because of rolling over. .AppleSetupDone might not be either, say, in the case where a computer was imaged but shelved & not used for some period of time.

Still looking for the right way to do this. :)

peterlbk
Contributor

Hi Guys,

how about we check the install.log? It logs when you install the os in the first line

#!/bin/sh
head -1 /var/log/install.log | awk -F " " '{print $1, $2}'

brock_walters
Contributor

logs are great & sure.

This EA wasn't my idea :) , but, my understanding of what was wanted was something independent of the log entries. I think I have the best candidate file. Posting later... Thanks!