How to find recently modified files on Linux
Last updated on September 27, 2020 by Dan Nanni
There are various occasions where you would like to search for files that have been changed/created in your Linux system recently or within any time frame. For example, as a system admin, you have done some configuration on your Linux system, but forgot where it was saved. You want to verify whether/how your Linux file system has been tampered with by someone recently. If you would like to find recently updated files on Linux, you can use find command as follows.
To find the most recently modified files, sorted in the reverse order of update time (i.e., the most recently updated files first):
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
2012-09-14 22:25:14.0000000000 /etc/shadow 2012-08-17 00:56:36.0000000000 /etc/resolv.conf 2012-08-16 23:22:57.0000000000 /etc/ld.so.cache 2012-08-16 23:22:29.0000000000 /etc/mtab 2012-08-16 23:22:04.0000000000 /etc/network/run/ifstate 2012-07-10 01:19:24.0000000000 /etc/papersize ...
The above command sorts files in /etc (and all its subdirectories), in the reverse order of their update time, and prints out the sorted list, along with their location and update time. If you want to examine directories as well, you can omit -type f option in the command.
To search for files in /target_directory and all its sub-directories, that have been modified in the last 60 minutes:
$ find /target_directory -type f -mmin -60
To search for files in /target_directory and all its sub-directories, that have been modified in the last 2 days:
$ find /target_directory -type f -mtime -2
To search for files in /target_directory and all its sub-directories no more than 3 levels deep, that have been modified in the last 2 days:
$ find /target_directory -type f -mtime -2 -depth -3
You can also specify the range of update time. To search for files in /target_directory and all its sub-directories, that have been modified in the last 7 days, but not in the last 3 days:
$ find /target_directory -type f -mtime -7 ! -mtime -3
All these commands so far only print out the locations of files that are matched. You can also get detailed file attributes of recently modified files, using -exec option as follows.
To search for files in /target_directory (and all its sub-directories) that have been modified in the last 60 minutes, and print out their file attributes:
$ find /target_directory -type f -mmin -60 -exec ls -al {} ;
Alternatively, you can use xargs command to achieve the same thing:
$ find /target_directory -type f -mmin -60 | xargs ls -l
Note that files that have been created within the specified time frame will also matched by these commands.
Support Xmodulo
This website is made possible by minimal ads and your gracious donation via PayPal or credit card
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
Xmodulo © 2021 ‒ About ‒ Write for Us ‒ Feed ‒ Powered by DigitalOcean