Never Ending Security

It starts all here

How to find recently modified files on Linux

How to find recently modified files on Linux

There are various occasions where you would like to search for files that have been changed/created in your Linux system recently or within any time frame. For example, as a system admin, you have done some configuration on your Linux system, but forgot where it was saved. You want to verify whether/how your Linux file system has been tampered with by someone recently. If you would like to find recently updated files on Linux, you can use find command as follows.

To find the most recently modified files, sorted in the reverse order of update time (i.e., the most recently updated files first):

$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

2012-09-14 22:25:14.0000000000 /etc/shadow
2012-08-17 00:56:36.0000000000 /etc/resolv.conf
2012-08-16 23:22:57.0000000000 /etc/ld.so.cache
2012-08-16 23:22:29.0000000000 /etc/mtab
2012-08-16 23:22:04.0000000000 /etc/network/run/ifstate
2012-07-10 01:19:24.0000000000 /etc/papersize
...

The above command sorts files in /etc (and all its subdirectories), in the reverse order of their update time, and prints out the sorted list, along with their location and update time. If you want to examine directories as well, you can omit “-type f” option in the command.

To search for files in /target_directory and all its sub-directories, that have been modified in the last 60 minutes:

$ find /target_directory -type f -mmin -60

To search for files in /target_directory and all its sub-directories, that have been modified in the last 2 days:

$ find /target_directory -type f -mtime -2

To search for files in /target_directory and all its sub-directories no more than 3 levels deep, that have been modified in the last 2 days:

$ find /target_directory -type f -mtime -2 -depth -3

You can also specify the range of update time. To search for files in /target_directory and all its sub-directories, that have been modified in the last 7 days, but not in the last 3 days:

$ find /target_directory -type f -mtime -7 ! -mtime -3

All these commands so far only print out the locations of files that are matched. You can also get detailed file attributes of recently modified files, using “-exec” option as follows.

To search for files in /target_directory (and all its sub-directories) that have been modified in the last 60 minutes, and print out their file attributes:

$ find /target_directory -type f -mmin -60 -exec ls -al {} \;

Alternatively, you can use xargs command to achieve the same thing:

$ find /target_directory -type f -mmin -60 | xargs ls -l

Note that files that have been “created” within the specified time frame will also matched by these commands.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s