For a cyber security competition I participate in, I\'m given a Debian virtual machine with many packages installed and asked to clean extraneous or malicious packages.
Someone wrote a program generate a list of all packages manually installed (by users, by admin/root, or both), as determined by the Debian package system. It inspects Debian's apt-history log, and then combines the reports from the apt-mark
program. Apt-mark includes packages which were manually installed via use of the 'dpkg' system directly by users, not just ones installed via users through their package manager utility (Apt, Synaptic, Software Center, etc.). If you lack the apt-mark utility, you can tell it do just do the history inspection instead.
See the GitHub page.
List User Installed Debian Packages Utility
List all packages manually installed (by users, by admin/root, or both), as determined by the Debian package system.
You may also look at the file /var/lib/apt/extended_states.
cat /var/lib/apt/extended_states | grep -B2 'Auto-Installed: 0'
This is useful if you want to know what was installed on an old partition.
An older question but a solution I came up with after finding this and a couple of other questions for a slightly different task. Trying to keep up to date a list of installed packages for system rebuilds. I found the following works pretty well:
comm -12 <(apt list --installed 2> /dev/null | cut -d '/' -f 1 | sort) <(history | grep -e "apt\(-get\)\? install" | grep -v -e "grep -e" | grep -v "./" | cut -d ' ' -f10 | sort)
This takes the list of all installed packages and compares to the history for packages being installed.
I'm assuming that packages are not being installed by evil actors trying to hide their tracks. Also a slightly nasty command apt list in a script however it does seem to work for now.