Finding Files and File Contents

45 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this lab, we’ll use the `find` command and its options to find all sorts of files on our system. Once we have found certain files, we’ll use the execute function on them to run commands that will further display useful information about those files. Then, we’ll use the `grep` command to show the contents of files, display additional context for what is found, show what lines those instances occur on, and more.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Use the `find` Command to Search for Files

Run find:


See how many files it finds there:

find | wc -l

Run find on /home and its subdirectory contents:

find /home

See how many files are there:

find /home | wc -l

Search the /etc directory for files whose names include .conf (the -name flag means it will be case sensitive):

find /etc -name *.conf 2> /dev/null

See how many files are returned:

find /etc -name *.conf 2> /dev/null | wc -l

Now, run a similar search, but this time, the -iname flag makes it case insensitive:

find /etc -iname *.conf 2> /dev/null | wc -l

Look for everything in the directory:

find /etc -iname *.* 2> /dev/null | wc -l

Instead, add quotation marks to the command:

find /etc -iname "*.*" 2> /dev/null | wc -l

Let’s say you made a backup. Let’s run touch on it:

touch lastbackup

See what the timestamps are on it:

ls -l lastbackup

See more info about it:

stat lastbackup

Run touch on a range of files:

touch file{1..10}

Run ls.

Compare the dates and times of lastbackup and the files we just looked at:

ls -l lastbackup file*

Find what files have changed since a particular backup or event:

find /home -newer lastbackup 2> /dev/null

Take a look at files that are 128k or larger:

find /etc -size +128k 2> /dev/null

Run a similar search, but this time we’ll get more information:

find /etc -size +128k -exec ls -l {} ; 2> /dev/null

Change the size specification:

find /etc -size +512k -exec ls -l {} ; 2> /dev/null

Run the following to see the sizes in bytes:

find /etc -size +512k -exec ls -lh {} ; 2> /dev/null

Run touch on file99:

touch file99

Run ls -l:

ls -l file99

Create a hard link to file99:

ln file99 hardlink2file99

Run ls -l again:

ls -l *file99

This time, we’ll see both files.

Run ls -li:

ls -li *file99

We’ll see they share the same inode number.

Run a search:

find /home -samefile file99 -exec ls -li {} ; 2> /dev/null
Find File Contents and Display the Results Using the `grep` Command

Run the ps aux command, pipe it to grep, and look for ssh:

ps aux | grep ssh

We should see we get a few entries.

Find out more about ssh:

pstree -a | grep ssh

Get the process number of sshd:

pstree -ap | grep sshd

Insert the process number you received in the previous command output:

pstree -ap <sshd_PROCESS_NUMBER>

This will give us a tree of everything, and their process IDs, running through sshd.

Use grep to search for a user in multiple files:

grep cloud_user /etc/passwd /etc/group /etc/shadow

Search for zip in /usr/share/doc/packages:

grep -i zip /usr/share/doc/packages

It won’t work because it’s a directory.

Try this instead:

grep -ir zip /usr/share/doc/packages

-ir tells it to look recursively from wherever we’re pointing it to. This time, we’ll see a ton of files.

Get a count of the files:

grep -ir zip /usr/share/doc/packages | wc -l

There should be thousands (somewhere around 3800).

Search specifically for zip on its own as a word:

grep -irw zip /usr/share/doc/packages | wc -l

This time, there are still a lot (close to 2000), but not as many.

Search for ZIP:

grep -rw ZIP /usr/share/doc/packages | wc -l

There should be even fewer this time (in the 150 range).

Run the following to search for src:

grep -rw ZIP /usr/share/doc/packages | grep src

Get even more information:

grep -rwn ZIP /usr/share/doc/packages | grep -n src

Open one of the files in the list:

vim /usr/share/doc/packages/p7zip/DOC/src-history.txt +174

Quit the file with :q.

Find the accounts that are on your system:


Search forward with to find the accounts that have never logged in:

lastlog | grep "Never"

This time, cloud_user won’t be on the list, as we’ve logged in.

Invert the search to see everything that doesn’t have "Never" in it:

lastlog | grep -v "Never"

Additional Resources

Log in to the lab server using the credentials provided:

ssh cloud_user@<PUBLIC IP ADDRESS>

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?