February 17, 2009
Find, the Power
I was doing some work on a very large log correlation server recently. By large I mean copious amounts of log files, not necessarily large in size. Essentially, the chief task was that I needed to audit what was being kept as online history. As you, dedicated readers, remember PCI-DSS requires one year of history to be kept with 90 days active and online. That can mean quite a bit of data in most cases. Being both technically-adept and
lazy, I turned to the “find” command.
Naturally, I first needed to confirm that enough history was present. To do so, I went with some find-fu along these lines:
find -mtime +364 -type f -exec ls -lah {} ;
Let’s break that down a little:
1) find -gt; our basic find command
2) -mtime -gt; this means we’re going to be “finding” by modified time
3) -type f -gt; we’re searching for files of course
4) -exec -gt; run a command for me
5) ls -lah -gt; the command I want to run; I opted to list the directory because
I also want to see the files, their sizes, etc.
6) {} -gt; this gives our command string an empty parameter set to feed ouput into
(so, input kinda). Basically, this is how we’ll be able to see the file names, sizes,
etc.
7) ; -gt; this signals the end of the command
Cool. Now I have a list of files with a modified time older than 364 days (note: this
ran in the current working directory by intention), evidencing that at least one year
is being kept online. Cool enough but what other stuff can we do with the find command?
You can move files based on a size limit:
find -type f -size +10M | xargs -i -t mv {} /target/directory/to/move/files/to
The above would take all files (again, in the current path) that are greater than
10Megabytes and move them to a different directory. This can be useful for log rotations,
in preparation of purging data based on size requirements, etc.
Of course, everyone in security should know this one:
find / -type f ( -perm -4000 -o -perm -2000 ) -print
A free alcoholic beverage of your choice to the first person who identifies the above
correctly!