At times, you need to search for specific files—such as files modified after a par-ticular date—to generate statistical representations, and so on. The search com-mand provided by Linux can be used effectively for extracting such information from the system. Some of the commands used by administrators for this purpose are grep,find,slocate,finger,which,whereis, and updatedb.
find
The findcommand searches for files in a directory and its subdirectories. This command searches the directory tree by evaluating an expression.
The syntax of the find command is as follows:
Find [path] [expression]
The [path] argument specifies the directory where the files matching the
[expression]will be searched. If the path is not specified, the current directory is used for searching files. Similarly, if no expression is given, the expression
-printis used, which prints the output on the screen. The findcommand exits with status 0if all files are searched successfully. If an error occurs, a value greater than 0is returned. For example, to search for all the files with the .txt extension in the current directory, you execute the following command:
find *.txt
Similarly, to find all the files in the root directory that were accessed in the last three days, you execute the following command:
find / -atime 3
You can use the find command to search for a file that might be created as a result of unauthorized user activity or some virus activity. In case of intrusion detection, this command can also be used to detect the files modified during a specific period.
grep
The grepcommand prints lines that match a specified pattern. You can specify different patterns by using the options available for the grepcommand. You can use the grepcommand to search for some specific strings in the log files. Thus,
you can identify any unexpected entries in the log files. These entries could be cre-ated as a result of intrusions, virus attacks, or any other security breach. Two vari-ant programs of the grep command, egrep and fgrep, are also available. The
egrepcommand is the same as the grep –ecommand, and the fgrep command is the same as the grep -fcommand. The –eoption of the grepcommand is used to search for specific patterns, while the –foption is used to search specified pat-terns from the selected file.
Input to the grepcommand can be provided in the form of a file name, output from another command, or directly as a parameter. The grepcommand accepts a number of parameters to perform search on the input data. The syntax of the grep command is shown here:
grep [options] [search_text] [filenames]
Some important parameters of the grepcommand are listed here:
◆ -n. This parameter returns the line(s) containing the search phrase along with the line number.
◆ -v. This parameter returns output that does not contain the search phrase or word.
◆ ^<word>. This parameter returns all the lines starting with <word>.
◆ <word>$. This parameter returns all the lines ending with <word>.
slocate
The slocate (secure locate) command is the security-enhanced version of the GNU Locatecommand. Secure locate provides a secure way to index and search quickly for files on your computer. It uses incremental encoding to compress its database to search faster. The command also stores file permissions and ownership details of files so that users will not be able to view files they do not have access to. The syntax of the slocatecommand is as follows:
slocate [options] [path] [search_string]
finger
The finger command displays information about the user. The following list tells you about the options of the finger command and the user information it displays.
◆ -s. This option displays the user’s login name, real name, terminal name, write status, idle time, login time, office location, and office phone num-ber. Login time is displayed as month, day, hours, and minutes.
Unknown devices, as well as non-existent idle and login times, are dis-played as single asterisks.
◆ -l. This option shows a multi-line format output that displays all infor-mation described for the -s option. This option also displays details of the user’s home directory, home phone number, login shell, mail status, and the contents of the .plan, .project, and .forward files from the user’s home directory.
Suppose that you have created a user named John, and you want to view his user information. To do so, you can execute the following command:
finger –ls john
The output of the preceding command looks like this:
Login: john Name: (null) Directory: /home/john Shell: /bin/bash Never logged in.
No mail.
No Plan.
The fingercommand, when used by unauthorized users, can reveal user infor-mation. Therefore, its usage should be restricted.
which
The whichcommand shows the full path of shell commands. This command takes one or more arguments. For each of the command’s arguments, it prints to
stdoutthe full path of the executables. These are executed when the arguments are entered at the shell prompt. The which command searches for an executable or script in the directories listed in the environment variable,PATH,using the same algorithm as bash (1). This command can be useful in detecting trojans. An administrator can find the exact location of the trojan that is present in the mem-ory. This tool can also help to verify the correct location of files for a particular service.
For example, execute the following command:
which which
The output of the command is displayed here:
which alias | /usr/bin/which —tty-only —read-alias —show-dot —show-tilde /usr/bin/which
whereis
The whereis command locates the binary, source, and manual page files for a command. The supplied names are first stripped of leading pathname components and any trailing extension.whereis then locates the desired program in a list of system directories in your Linux computer.
If you execute the following command:
whereis which
the following output is displayed:
whereis: /usr/bin/whereis
updatedb
The updatedb program updates the slocatedatabase.Updatedb is simply a link to slocate,which implies the -uoption.
An example of the usage of updatedbis displayed here:
updatedb -uv