Using find Command for security check
The ‘find’ command is usually used to find filenames which have specific patterns. However, we can also use it to find the files modified/accessed within a specific time period.
For example we can find all files in /etc owned by root that have been modified within the last 2 days:
The options we can use here are:
-ctime: when the file’s permissions were last changed
-mtime: when the file’s data was last modified
You may have noticed that we have a minus sign in front of ‘2′ in the last example. The ‘time’ options for the find command are expressed in 24-hour increments, and the sign in front of the number can indicate ‘less than’ or ‘greater than’. Thus ‘-2′ means we want to find files which were modified within the last two days. If we wanted to find files that were modified more than 2 days ago, we would need to put a plus sign in front of the 2:
There are also versions of the atime, ctime, and mtime arguments that measure time in minutes:
-cmin: when (in minutes) the file’s permissions were last changed
-mmin: when (in minutes) the file’s data was last modified
To match -atime +1, a file has to have been accessed at least two days ago. More example in the find man pages.
Leave a Reply
You must be logged in to post a comment.
