La Couleur De La Vie
Quick Tips to Find Files on Linux File System
Tuesday, July 28, 2009

One of the first hurdles that every Linux newbie working on the Command Line Interface (CLI) bumps into is finding files on the file system. Administrators who switch from a Windows environment are so used to the click-and-find mentality that discovering files from the Linux CLI is painful for them. This tutorial is written for those friends who work on Linux and don't have the luxury of a Graphical User Interface (GUI).

I started playing with Linux during my internship, working with Snort (Intrusion Detection System), Nessus (Vulnerability Scanner) and IPTables (Firewall). Like most programs, these tools have quite a few configuration files. Initially it was difficult for me to remember the path to each file, so I started to use the power of the 'find' and 'locate' commands, which I will share with you in this tutorial.

Method 1: LOCATE

Before we start playing around with the LOCATE command, it's important to learn about "updatedb". Every day, your system automatically runs the updatedb command via cron to create or update a database that records all filenames. The locate command then searches through this database to find files.

This database is by default stored at /var/lib/mlocate/mlocate.db. Naturally we are curious what this database looks like, so first I run ls -lh on it to find the size of the file.

Since this is a binary database, I doubt a "cat" would show anything legible. So instead I used the strings command, which dumped a lot of file names to the screen (132516 to be exact). Hence I used grep to see only the filenames containing lighttpd, a web server installed on my system.

But of course this is not the right way to do searches; we did this just to see what updatedb is doing. Now let's get back to "locate". Remember that since locate reads the database created by updatedb, your results are only as fresh as the last run of updatedb. You can always run updatedb manually from the CLI and then use the locate command.

Let's start exercising this command with a search. I start by looking for the PDF documentation files for "snort". If I just type "locate snort", it gives me 1179 file names.

[root@localhost:~] locate snort | less
/etc/snort
/etc/snort/rules
/etc/snort/rules/VRT-License.txt
/etc/snort/rules/attack-responses.rules
/etc/snort/rules/backdoor.rules
/etc/snort/rules/bad-traffic.rules
/etc/snort/rules/cgi-bin.list
/etc/snort/rules/chat.rules
/etc/snort/rules/classification.config
/etc/snort/rules/ddos.rules
/etc/snort/rules/deleted.rules
....

But I want the documentation files, which I already know are in PDF format. So now I will use the power of regular expressions to narrow down my results further.

The "-r" option tells the "locate" command to expect a regular expression. In the above case, I use pdf$ in the regex to show only files whose names end with pdf.

Remember that updatedb excludes temporary folders, so it may not give you the results you expect. To remove these limitations there is the command "find".

Method 2: Find

The find command is the most useful of all the commands I have used in my few years of managing Linux machines. Still, this command is not fully understood and utilized by many administrators. Unlike "locate", "find" actually walks the file system and looks for the pattern you define while running the command.

The most common usage of "find" is to search for a file with a specific file name using the "-name" qualifier.

Like "-name", find has other qualifiers based on time, as shown below. These are also very helpful if you are doing forensic analysis on your Linux machine.

  • -iname = same as -name, but case insensitive
  • -atime n = true if the file was accessed n days ago
  • -amin n = true if the file was accessed n minutes ago
  • -mtime n = true if the file contents were changed n days ago
  • -mmin n = true if the file contents were changed n minutes ago
  • -ctime n = true if the file attributes were changed n days ago
  • -cmin n = true if the file attributes were changed n minutes ago

To help the reader understand these qualifiers, I created a file named "foobar.txt" four minutes earlier and then ran "find /root -mmin -5" to show all files in the /root folder whose last modification time is less than 5 minutes ago; it shows me the foobar.txt file. However, if I change the value of -mmin to less than 2 minutes, it shows nothing.

There is another very useful qualifier, which searches by file size.

Some other qualifiers that I always use while administering Linux servers are:

  • -regex expression = select files which match the regular expression
  • -iregex expression = same as above, but case insensitive
  • -empty = select files and directories which are empty
  • -type filetype = select files by Linux file type
  • -user username = select files owned by the given user
  • -group groupname = select files owned by the given group

There are a few more qualifiers, but I leave those as homework: read the manpage and enhance your knowledge.
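The script below is an added example, not part of the original post: it builds a small constructed directory tree in a temporary directory, backdates one file with touch -t, and wraps the time, size, emptiness, regex and owner qualifiers discussed above in functions you can run and compare. It assumes GNU findutils and coreutils.

```shell
#!/bin/sh
# Added example (not from the original post): constructed sample tree plus
# one function per find qualifier. Assumes GNU find/coreutils.
set -eu

SANDBOX=$(mktemp -d)                 # constructed sample tree, removed at exit
trap 'rm -rf "$SANDBOX"' EXIT

mkdir -p "$SANDBOX/etc/snort/rules" "$SANDBOX/var/log" "$SANDBOX/empty"
printf 'alert tcp any any -> any 80 (msg:"constructed demo"; sid:1000001;)\n' \
    > "$SANDBOX/etc/snort/rules/web.rules"
dd if=/dev/zero of="$SANDBOX/var/log/big.log" bs=1024 count=600 2>/dev/null
: > "$SANDBOX/var/log/small.log"     # zero-byte log file
printf 'hello\n' > "$SANDBOX/foobar.txt"
# Backdate the rules file to the post's date (28 Jul 2009, 11:33) so the
# day-based qualifiers have an old file to separate from the fresh ones.
touch -t 200907281133 "$SANDBOX/etc/snort/rules/web.rules"

# -mmin -5: modified less than 5 minutes ago (the foobar.txt experiment).
recently_modified() { find "$SANDBOX" -type f -mmin -5 | sort; }
# -mtime +2: not modified for more than 2 days; "+n" means "more than n".
stale_files()       { find "$SANDBOX" -type f -mtime +2; }
# -size +512k: regular files larger than 512 KiB.
large_files()       { find "$SANDBOX" -type f -size +512k; }
# -empty: zero-byte files and directories with no entries.
empty_entries()     { find "$SANDBOX" -empty | sort; }
# -iregex: case-insensitive regex matched against the whole path.
rule_files()        { find "$SANDBOX" -type f -iregex '.*\.RULES$'; }
# -user: count of regular files owned by the current user (all we created).
mine()              { find "$SANDBOX" -type f -user "$(id -un)" | wc -l | tr -d ' '; }

# Stand-alone run: print each result set under a heading.
for fn in recently_modified stale_files large_files empty_entries rule_files; do
    echo "== $fn"; "$fn"
done
echo "== regular files owned by $(id -un): $(mine)"
```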

NOTE: One thing you will notice is that "locate" runs super fast; that's because it is reading from a database file rather than actually traversing the file system.

This was a very short and crisp introduction to the find and locate commands, but these are the most important commands for any administrator. Once you get used to them, you will wish there was something similar and so powerful in Windows.

Source: Home

posted by Musa @ 11:33 AM  