- Lab
- A Cloud Guru
Finding Files and File Contents
In this lab, we'll use the `find` command and its options to find all sorts of files on our system. Once we have found certain files, we'll use the execute function on them to run commands that will further display useful information about those files. Then, we'll use the `grep` command to show the contents of files, display additional context for what is found, show what lines those instances occur on, and more.
Challenge
Use the `find` Command to Search for Files
Run `find`:
find
See how many files it finds there:
find | wc -l
Run `find` on `/home` and its subdirectory contents:
find /home
See how many files are there:
find /home | wc -l
Search the `/etc` directory for files whose names include `.conf` (the `-name` flag means it will be case sensitive):
find /etc -name *.conf 2> /dev/null
See how many files are returned:
find /etc -name *.conf 2> /dev/null | wc -l
Now, run a similar search, but this time, the `-iname` flag makes it case insensitive:
find /etc -iname *.conf 2> /dev/null | wc -l
Look for everything in the directory:
find /etc -iname *.* 2> /dev/null | wc -l
Instead, add quotation marks to the command:
find /etc -iname "*.*" 2> /dev/null | wc -l
Let's say you made a backup. Let's run `touch` on it:
touch lastbackup
See what the timestamps are on it:
ls -l lastbackup
See more info about it:
stat lastbackup
Run `touch` on a range of files:
touch file{1..10}
Run `ls`.
Compare the dates and times of `lastbackup` and the files we just looked at:
ls -l lastbackup file*
Find what files have changed since a particular backup or event:
find /home -newer lastbackup 2> /dev/null
Take a look at files that are 128k or larger:
find /etc -size +128k 2> /dev/null
Run a similar search, but this time we'll get more information:
find /etc -size +128k -exec ls -l {} \; 2> /dev/null
Change the size specification:
find /etc -size +512k -exec ls -l {} \; 2> /dev/null
Run the following to see the sizes in bytes:
find /etc -size +512k -exec ls -lh {} \; 2> /dev/null
Run `touch` on `file99`:
touch file99
Run `ls -l`:
ls -l file99
Create a hard link to `file99`:
ln file99 hardlink2file99
Run `ls -l` again:
ls -l *file99
This time, we'll see both files.
Run `ls -li`:
ls -li *file99
We'll see they share the same inode number.
Run a search:
find /home -samefile file99 -exec ls -li {} \; 2> /dev/null
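The quoting step and the `-newer` and `-samefile` searches above can be reproduced in a scratch directory without touching `/etc` or `/home`. The script below is an added example, not part of the lab; the sandbox layout, the file names under it, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all files are constructed under a mktemp scratch directory.

make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/etc/sub" "$sb/cwd" "$sb/home"
    : > "$sb/etc/app.conf"; : > "$sb/etc/sub/db.conf"; : > "$sb/etc/sub/OLD.CONF"
    : > "$sb/cwd/local.conf"                       # one match where we run from
    touch -t 202001010000 "$sb/home/old.txt"       # older than the marker
    touch -t 202001020000 "$sb/home/lastbackup"    # the marker file
    touch -t 202001030000 "$sb/home/new.txt"       # changed after the marker
    ln "$sb/home/old.txt" "$sb/home/hardlink2old"  # second name, same inode
    printf '%s\n' "$sb"
}

# Unquoted: the shell expands *.conf against the current directory first, so
# find is really given "-name local.conf" and silently misses the etc/ files.
count_unquoted() {
    ( cd "$1/cwd" && find "$1/etc" -name *.conf 2> /dev/null | wc -l )
}

# Quoted: the pattern reaches find intact and is tested in every directory.
count_quoted() {
    ( cd "$1/cwd" && find "$1/etc" -name '*.conf' 2> /dev/null | wc -l )
}

# -iname also matches OLD.CONF.
count_iname() { find "$1/etc" -iname '*.conf' 2> /dev/null | wc -l; }

# Regular files modified after the marker (-type f skips directories).
changed_since() { find "$1/home" -type f -newer "$1/home/lastbackup"; }

# Every path that shares old.txt's inode, including old.txt itself.
same_inode() { find "$1/home" -samefile "$1/home/old.txt" | wc -l; }

SB=$(make_sandbox) || exit 1
echo "unquoted -name *.conf  : $(count_unquoted "$SB")"
echo "quoted   -name '*.conf': $(count_quoted "$SB")"
echo "quoted   -iname        : $(count_iname "$SB")"
echo "newer than lastbackup  : $(changed_since "$SB")"
echo "names for old.txt inode: $(same_inode "$SB")"
rm -rf "$SB"
```

With a single match in the current directory the unquoted search returns a wrong result without any error. With more than one match, `find` typically stops with a usage error instead, which `2> /dev/null` hides.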
Challenge
Find File Contents and Display the Results Using the `grep` Command
Run the `ps aux` command, pipe it to `grep`, and look for `ssh`:
ps aux | grep ssh
We should see we get a few entries.
Find out more about `ssh`:
pstree -a | grep ssh
Get the process number of sshd:
pstree -ap | grep sshd
Insert the process number you received in the previous command output:
pstree -ap <sshd_PROCESS_NUMBER>
This will give us a tree of everything, and their process IDs, running through sshd.
Use `grep` to search for a user in multiple files:
grep cloud_user /etc/passwd /etc/group /etc/shadow
Search for `zip` in `/usr/share/doc/packages`:
grep -i zip /usr/share/doc/packages
It won't work because it's a directory.
Try this instead:
grep -ir zip /usr/share/doc/packages
`-ir` tells it to look recursively from wherever we're pointing it to. This time, we'll see a ton of files.
Get a count of the files:
grep -ir zip /usr/share/doc/packages | wc -l
There should be thousands (somewhere around 3800).
Search specifically for `zip` on its own as a word:
grep -irw zip /usr/share/doc/packages | wc -l
This time, there are still a lot (close to 2000), but not as many.
Search for `ZIP`:
grep -rw ZIP /usr/share/doc/packages | wc -l
There should be even fewer this time (in the 150 range).
Run the following to search for `src`:
grep -rw ZIP /usr/share/doc/packages | grep src
Get even more information:
grep -rwn ZIP /usr/share/doc/packages | grep -n src
Open one of the files in the list:
vim /usr/share/doc/packages/p7zip/DOC/src-history.txt +174
Quit the file with `:q`.
Find the accounts that are on your system:
lastlog
Search for the accounts that have never logged in:
lastlog | grep "Never"
This time, `cloud_user` won't be on the list, as we've logged in.
Invert the search to see everything that doesn't have "Never" in it:
lastlog | grep -v "Never"