Installed applications

DNF Logs 1

The DNF log files on a RHEL system provide a historical record of package management activity performed with the DNF package manager. They live in the /var/log/ directory and are rotated by logrotate, so the rotated copies alongside each file (dnf.log.1 and older) should be collected together with the current one. Here are the key log files:

  • dnf.log: This is the main log file, where DNF records each transaction (package installations, updates and removals). It includes the command line that was executed, the packages affected, and the date and time of the transaction.

  • dnf.librepo.log: This log file includes detailed messages from the librepo library, which DNF uses to download RPM packages from repositories. It contains information about the download process for each package, including the URLs used and the download speeds.

  • dnf.rpm.log: This is usually the most interesting file for forensic examination. It holds the messages from RPM (the underlying package manager that DNF drives to install, update and remove packages). Each entry corresponds to an action RPM performed on an individual package during a DNF transaction (Installed, Upgrade/Upgraded, Erase, Cleanup), with a timestamp and the full package name-version-release.arch. Only transactions run through DNF appear here: a package installed directly with rpm bypasses DNF and is visible only in the RPM database (rpm -qa --last lists packages ordered by install time).

  • dnf.plugin.log: This file contains logs from DNF plugins. DNF has a plugin system that extends its functionality, and plugins can write their own log messages.

Anaconda logs 2

Anaconda is the installer program used by RHEL as well as several other Linux distributions in the Red Hat ecosystem. The logs generated by the Anaconda installer are preserved on the installed system and provide insight into its initial setup and configuration, including:

  • Details about partition layouts
  • Packages that were installed
  • Network initialization
  • Kernel messages
  • Calls to external programs

The following log files record the above information.

  • /var/log/anaconda/anaconda.log: General installation information
  • /var/log/anaconda/program.log: External program calls and output
  • /var/log/anaconda/storage.log: Storage device scan, partitioning etc.
  • /var/log/anaconda/packaging.log: Packages installed at system installation.

The packaging.log file provides a baseline of the software that was installed when the system was built. Comparing it with the current state of the system (for example the output of rpm -qa) identifies packages that were added, removed or upgraded since installation.

Sample log output from packaging.log. Each Installed line carries the package NEVRA (name-[epoch:]version-release.arch; note the epoch in cheese-libs-2:3.38.0), followed by the package build time as a Unix timestamp and the package's SHA-256 checksum from the repository metadata:

02:27:32,420 INF packaging: Installed: gspell-1.9.1-3.el9.x86_64 1628556777 2c775e0b07438c046ab708eda8bf3da4d11d6b8d366b2068f7caf6a3a3c381a8
02:27:32,444 INF packaging: Installed: evince-libs-40.5-2.el9.x86_64 1653385936 2c88010f0d4aff5be78b1c785bd9a3a0f2eab41f58f5140ee551660c8b8a4ea8
02:27:32,461 INF packaging: Installed: libgnomekbd-3.26.1-7.el9.x86_64 1628568220 9eaac4d5ba9a475fca34ea14903854bd3a8c2730d84098123d694b99a6903dc4
02:27:32,496 INF packaging: Installed: libpeas-gtk-1.30.0-4.el9.x86_64 1628573987 7e943d7a11e66487fbcba66aebc3332e0873d2aa1ddf08c5d1795377987a7b76
02:27:32,502 INF packaging: Installed: nautilus-extensions-40.2-11.el9.x86_64 1677145377 508247a767c7146dd5c01bd3278ddd2a6ff428af00419fd7d0e9ca5e04f164cf
02:27:32,508 INF packaging: Installed: clutter-gst3-3.0.27-7.el9.x86_64 1628541416 9ad2024221179e726f0c7ba0440c79b3371137edf98c1e28e1edf081d631a0e6
02:27:32,516 INF packaging: Installed: cheese-libs-2:3.38.0-6.el9.x86_64 1628540134 c5232a3cc4e0629cc35ad80f187109081b5d9a29b18c7188702237c9be010bb7
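As an added example (not code from the original page, nor from the Anaconda or DNF projects), the script below reconstructs a package history from the two sources described in this section: it takes the packaging.log lines above as the installation baseline, compares them with rpm -qa output to find what was added, removed or changed, and attributes each difference to the entries DNF wrote to dnf.rpm.log. The rpm -qa output and the dnf.rpm.log lines are constructed to match the formats described, and the package versions in them (gspell-1.9.1-4.el9, socat-1.7.4.1-5.el9) are hypothetical.

```python
"""Baseline-vs-current package comparison from Anaconda packaging.log and
DNF dnf.rpm.log. Added example; the packaging.log lines are copied from the
sample above, the rpm -qa output and dnf.rpm.log lines are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkg:
    name: str
    epoch: str
    version: str
    release: str
    arch: str

    @property
    def key(self) -> str:
        # rpm -qa prints N-V-R.A without the epoch, so match on name.arch
        return f"{self.name}.{self.arch}"

    @property
    def vr(self) -> str:
        # version-release only: the epoch is absent from rpm -qa output
        return f"{self.version}-{self.release}"


def parse_nevra(s: str) -> Pkg:
    """Split name-[epoch:]version-release.arch. Names may contain hyphens
    (evince-libs, cheese-libs), so every split is taken from the right."""
    nevr, arch = s.rsplit(".", 1)
    nev, release = nevr.rsplit("-", 1)
    name, ev = nev.rsplit("-", 1)
    epoch, _, version = ev.rpartition(":")
    return Pkg(name, epoch or "0", version, release, arch)


# packaging.log: "<HH:MM:SS,ms> INF packaging: Installed: <nevra> <buildtime> <checksum>"
PACKAGING_RE = re.compile(
    r"^\S+ INF packaging: Installed: (?P<nevra>\S+) (?P<buildtime>\d+) (?P<checksum>[0-9a-f]+)$"
)
# dnf.rpm.log: "<ISO-8601 timestamp> <level> <Action>: <nevra>"
DNF_RPM_RE = re.compile(
    r"^(?P<ts>\S+) \w+ (?P<action>Installed|Upgrade|Upgraded|Erase|Cleanup): (?P<nevra>\S+)$"
)


def parse_packaging_log(text: str) -> dict:
    """Installation baseline: name.arch -> (Pkg, checksum)."""
    baseline = {}
    for line in text.splitlines():
        m = PACKAGING_RE.match(line)
        if m:
            pkg = parse_nevra(m["nevra"])
            baseline[pkg.key] = (pkg, m["checksum"])
    return baseline


def parse_rpm_qa(text: str) -> dict:
    """Current state from `rpm -qa` output: name.arch -> Pkg."""
    pkgs = (parse_nevra(l.strip()) for l in text.splitlines() if l.strip())
    return {p.key: p for p in pkgs}


def parse_dnf_rpm_log(text: str) -> list:
    """Per-package RPM actions recorded by DNF, in log order; lines such as
    '--- logging initialized ---' do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = DNF_RPM_RE.match(line)
        if m:
            events.append((m["ts"], m["action"], parse_nevra(m["nevra"])))
    return events


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Packages added, removed or changed (different version-release) since install."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in baseline if k in current and baseline[k][0].vr != current[k].vr)
    return {"added": added, "removed": removed, "changed": changed}


def explain(diff: dict, events: list) -> dict:
    """Attribute each difference to the dnf.rpm.log lines that caused it.
    A difference with no DNF record was made outside DNF (rpm -i) or its
    log was rotated away, and needs a look at rpm -qa --last / dnf history."""
    by_key = {}
    for ts, action, pkg in events:
        by_key.setdefault(pkg.key, []).append(f"{ts} {action}: {pkg.name}-{pkg.vr}")
    return {k: by_key.get(k, ["no DNF record"]) for group in diff.values() for k in group}


# Baseline lines copied from the packaging.log sample above.
PACKAGING_LOG = """\
02:27:32,420 INF packaging: Installed: gspell-1.9.1-3.el9.x86_64 1628556777 2c775e0b07438c046ab708eda8bf3da4d11d6b8d366b2068f7caf6a3a3c381a8
02:27:32,444 INF packaging: Installed: evince-libs-40.5-2.el9.x86_64 1653385936 2c88010f0d4aff5be78b1c785bd9a3a0f2eab41f58f5140ee551660c8b8a4ea8
02:27:32,516 INF packaging: Installed: cheese-libs-2:3.38.0-6.el9.x86_64 1628540134 c5232a3cc4e0629cc35ad80f187109081b5d9a29b18c7188702237c9be010bb7
"""
# Constructed `rpm -qa` output for the same host at examination time (hypothetical versions).
RPM_QA = """\
gspell-1.9.1-4.el9.x86_64
cheese-libs-3.38.0-6.el9.x86_64
socat-1.7.4.1-5.el9.x86_64
"""
# Constructed dnf.rpm.log lines in DNF's format (timestamp, level, action, NEVRA).
DNF_RPM_LOG = """\
2023-06-01T09:15:02+0000 INFO --- logging initialized ---
2023-06-01T09:15:10+0000 SUBDEBUG Installed: socat-1.7.4.1-5.el9.x86_64
2023-06-01T09:15:11+0000 SUBDEBUG Upgrade: gspell-1.9.1-4.el9.x86_64
2023-06-01T09:15:11+0000 SUBDEBUG Upgraded: gspell-1.9.1-3.el9.x86_64
2023-06-01T09:15:12+0000 SUBDEBUG Erase: evince-libs-40.5-2.el9.x86_64
2023-06-01T09:15:12+0000 SUBDEBUG Cleanup: gspell-1.9.1-3.el9.x86_64
"""


def run() -> tuple:
    diff = diff_baseline(parse_packaging_log(PACKAGING_LOG), parse_rpm_qa(RPM_QA))
    return diff, explain(diff, parse_dnf_rpm_log(DNF_RPM_LOG))


if __name__ == "__main__":
    diff, why = run()
    for group, keys in diff.items():
        for k in keys:
            print(f"{group:8} {k}: " + "; ".join(why[k]))
```

Keying on name.arch rather than on the full NEVRA matters: rpm -qa omits the epoch that packaging.log records (cheese-libs-2:3.38.0 above), so a naive string comparison would flag every epoch-carrying package as changed. Any difference the script cannot attribute to a dnf.rpm.log entry deserves attention, since it points to a package installed with rpm directly, a rotated-away log, or tampering with the logs; cross-check those against rpm -qa --last and the DNF transaction history shown by dnf history.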