
Debian: Listing all user-installed packages?

For a cyber security competition I participate in, I'm given a Debian virtual machine with many packages installed and asked to clean extraneous or malicious packages.

In the past, I've used dpkg -l | grep [searchterm] and a list of common packages to perform this task. However, this is extremely inefficient and time-consuming.

To speed up my task, is there any way to search through the list of packages installed on a system for which processes have been installed by a user and are not system "default" packages?

This command may shorten your work:

apt-mark showmanual

It is supposed to show what packages were installed "manually". It is not 100% reliable though, as many automatically installed packages are flagged as manually installed (because of reasons too long to describe here).

You may also (if allowed) run security tools such as clamav and/or rkhunter to scan your computer for malicious programs.

Below is a line from a "health" script I run on my desktop every night. Besides gathering information from sensors, network usage, HDD temperature, etc. it also gets a list of all the software I've installed manually from the command line.

I'm running Kubuntu 14.04.5 (Trusty) at the moment and I don't know the details of any differences between Ubuntu and Debian's package management but hopefully this will work for you as well as it does for me.

( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon | egrep '^Commandline:' | egrep 'install' 1>>installed_packages.txt
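An added example, not part of the answer above: each stanza in APT's history.log also records who requested the operation and flags dependency pulls as automatic on its Install: line, so the explicitly requested packages can be listed with a date and user. The function names and the sample log are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: attribute explicitly requested installs in apt history stanzas.

# Reads apt history.log text on stdin and prints "date time|user|package" for
# every package on an Install: line that is not flagged "automatic".
explicit_installs() {
  awk '
    /^Start-Date:/   { date = $2 " " $3; user = "unknown" }
    /^Requested-By:/ { user = $2 }
    /^Install:/ {
      line = $0; sub(/^Install: /, "", line)
      n = split(line, items, /\), /)          # one item per "pkg:arch (version"
      for (i = 1; i <= n; i++) {
        if (items[i] ~ /, automatic/) continue  # pulled in as a dependency
        split(items[i], f, " ")
        pkg = f[1]; sub(/:.*/, "", pkg)         # drop the ":arch" suffix
        print date "|" user "|" pkg
      }
    }
  '
}

# Constructed sample log (not taken from a real system).
sample_history() {
  cat <<'EOF'
Start-Date: 2024-03-01  10:15:02
Commandline: apt-get install nodejs
Requested-By: alice (1000)
Install: nodejs:amd64 (18.19.0-1), libnode108:amd64 (18.19.0-1, automatic), libuv1:amd64 (1.44.2-1, automatic)
End-Date: 2024-03-01  10:15:20

Start-Date: 2024-03-02  08:00:11
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.11-1, 3.0.13-1)
End-Date: 2024-03-02  08:00:40

Start-Date: 2024-03-03  22:41:37
Commandline: apt install tidy
Install: tidy:amd64 (2:5.6.0-11), libtidy5deb1:amd64 (2:5.6.0-11, automatic)
End-Date: 2024-03-03  22:41:45
EOF
}

# On a real system: cat /var/log/apt/history.log | explicit_installs
sample_history | explicit_installs
```

A stanza without a Requested-By: line is reported with the user "unknown".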

All Packages

Most all the code that I found for this question used a search from the history log:

$ cat /var/log/apt/history.log | grep 'apt-get install '

or listed all Debian Packages installed on the machine:

$ dpkg --get-selections

Manually Installed

I found the above answers to be inadequate as my history log was incomplete and I didn't want to do the work to separate built-in packages with manually installed packages. However, this solution did the trick of showing only manually initiated installed packages. This one uses the log: /var/log/dpkg.log, and it should be executed as a bash script.

#!/usr/bin/env bash
parse_dpkg_log() {
  {
    for FN in `ls -1 /var/log/dpkg.log*` ; do
      CMD="cat"
      [ ${FN##*.} == "gz" ] && CMD="zcat" 
      $CMD $FN | egrep "[0-9] install" | awk '{print $4}' \
        | awk -F":" '{print $1}'
    done
  } | sort | uniq
}

list_installed=$(parse_dpkg_log)
list_manual=$(apt-mark showmanual | sort)
comm -12 <(echo "$list_installed") <(echo "$list_manual")

I found the code here: https://gist.github.com/UniIsland/8878469

This also takes into account packages installed with aptitude (not only apt install or apt-get install, like Benny Hill's answer, which I based this on):

( ( zcat $( ls -tr /var/log/apt/history.log*.gz ) ; cat /var/log/apt/history.log ) | egrep '^(Start-Date:|Commandline:)' | grep -v aptdaemon ; ( zcat $( ls -tr /var/log/aptitude.*.gz ) ; cat /var/log/aptitude ) ) | egrep '^Commandline:.*install|^\[INSTALL\]' | sed 's#Commandline: ##' | awk '/INSTALL/ { print $2 }; !/INSTALL/ { print $0 }; ' 1>installed_packages.txt

Example output (the last line comes from aptitude logs):

apt-get install nodejs
apt install tidy
mc:amd64

You may also look at the file /var/lib/apt/extended_states.

cat /var/lib/apt/extended_states | grep -B2 'Auto-Installed: 0'

This is useful if you want to know what was installed on an old partition.
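An added example, not part of the answer above: APT treats an installed package with no entry in extended_states as manually installed, so on a mounted old partition the manual set is better computed as "installed in dpkg's status file, minus anything marked Auto-Installed: 1". The function names and the sample tree are constructed for illustration, and packages are keyed by name only (architecture is ignored).

```shell
#!/usr/bin/env bash
# Added example: manual package list from an offline root (e.g. an old partition).

# manual_from_root ROOT
# Prints installed packages under ROOT that are not marked Auto-Installed: 1.
manual_from_root() {
  root=$1
  awk '
    # First file (extended_states): remember packages flagged as automatic.
    FNR == NR && /^Package:/        { pkg = $2 }
    FNR == NR && /^Auto-Installed:/ { if ($2 == 1) auto[pkg] = 1 }
    FNR == NR { next }
    # Second file (dpkg status): keep fully installed packages not flagged auto.
    /^Package:/ { pkg = $2 }
    /^Status:/ && $0 ~ / installed$/ && !(pkg in auto) { print pkg }
  ' "$root/var/lib/apt/extended_states" "$root/var/lib/dpkg/status" | sort -u
}

# Builds a constructed sample tree in a temp dir and prints its path.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/var/lib/apt" "$root/var/lib/dpkg"
  cat > "$root/var/lib/apt/extended_states" <<'EOF'
Package: libuv1
Architecture: amd64
Auto-Installed: 1

Package: tidy
Architecture: amd64
Auto-Installed: 0
EOF
  cat > "$root/var/lib/dpkg/status" <<'EOF'
Package: libuv1
Status: install ok installed

Package: tidy
Status: install ok installed

Package: nodejs
Status: install ok installed

Package: oldtool
Status: deinstall ok config-files
EOF
  echo "$root"
}
# Usage on a mounted partition (path is an assumption): manual_from_root /mnt/oldroot
```

On the sample tree this reports nodejs as well as tidy, although nodejs has no stanza in extended_states.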

The following Bash command works for me in Debian 10 (buster). It prints all manually installed packages minus the ones that came from your Debian installation (in other words, the packages that you installed with apt install):

sudo grep -oP "Unpacking \K[^: ]+" /var/log/installer/syslog \
  | sort -u | comm -13 /dev/stdin <(apt-mark showmanual | sort)

sudo is needed to search through /var/log/installer/syslog. You could also save this installer package list somewhere else if you don't want to use sudo every time.

Someone wrote a program to generate a list of all packages manually installed (by users, by admin/root, or both), as determined by the Debian package system. It inspects Debian's apt-history log, and then combines the reports from the apt-mark program. Apt-mark includes packages which were manually installed via use of the 'dpkg' system directly by users, not just ones installed via users through their package manager utility (Apt, Synaptic, Software Center, etc.). If you lack the apt-mark utility, you can tell it to just do the history inspection instead.

See the GitHub page.

List User Installed Debian Packages Utility

List all packages manually installed (by users, by admin/root, or both), as determined by the Debian package system.

I don't know if it's possible to distinguish between user installation and default package installation, because the only way to install a package is to have root privileges. But you can get all installed packages and their status in one file by executing this command:

dpkg --get-selections > installed_packages.txt

An older question but a solution I came up with after finding this and a couple of other questions for a slightly different task. Trying to keep up to date a list of installed packages for system rebuilds. I found the following works pretty well:

comm -12 <(apt list --installed 2> /dev/null | cut -d '/' -f 1 | sort) <(history | grep -e "apt\(-get\)\? install" | grep -v -e "grep -e" | grep -v "./" | cut -d ' ' -f10 | sort)

This takes the list of all installed packages and compares to the history for packages being installed.

I'm assuming that packages are not being installed by evil actors trying to hide their tracks. Also a slightly nasty command apt list in a script however it does seem to work for now.
