Finding Files and File Contents

Libraries: If you want this lab, consider one of these libraries.
Cloud

Finding Files and File Contents

In this lab, we'll use the `find` command and its options to find all sorts of files on our system. Once we have found certain files, we'll use the execute function on them to run commands that will further display useful information about those files. Then, we'll use the `grep` command to show the contents of files, display additional context for what is found, show what lines those instances occur on, and more.

Get started Contact sales

Lab Info

Level

Beginner

Last updated

Sep 01, 2025

Duration

45m

Challenge

Use the `find` Command to Search for Files
Run find:
```
find
```
See how many files it finds there:
```
find | wc -l
```
Run find on /home and its subdirectory contents:
```
find /home
```
See how many files are there:
```
find /home | wc -l
```
Search the /etc directory for files whose names include .conf (the -name flag means it will be case sensitive):
```
find /etc -name *.conf 2> /dev/null
```
See how many files are returned:
```
find /etc -name *.conf 2> /dev/null | wc -l
```
Now, run a similar search, but this time, the -iname flag makes it case insensitive:
```
find /etc -iname *.conf 2> /dev/null | wc -l
```
Look for everything in the directory:
```
find /etc -iname *.* 2> /dev/null | wc -l
```
Instead, add quotation marks to the command:
```
find /etc -iname "*.*" 2> /dev/null | wc -l
```
Let's say you made a backup. Let's run touch on it:
```
touch lastbackup
```
See what the timestamps are on it:
```
ls -l lastbackup
```
See more info about it:
```
stat lastbackup
```
Run touch on a range of files:
```
touch file{1..10}
```
Run ls.

Compare the dates and times of lastbackup and the files we just looked at:
```
ls -l lastbackup file*
```
Find what files have changed since a particular backup or event:
```
find /home -newer lastbackup 2> /dev/null
```
Take a look at files that are 128k or larger:
```
find /etc -size +128k 2> /dev/null
```
Run a similar search, but this time we'll get more information:
```
find /etc -size +128k -exec ls -l {} \; 2> /dev/null
```
Change the size specification:
```
find /etc -size +512k -exec ls -l {} \; 2> /dev/null
```
Run the following to see the sizes in bytes:
```
find /etc -size +512k -exec ls -lh {} \; 2> /dev/null
```
Run touch on file99:
```
touch file99
```
Run ls -l:
```
ls -l file99
```
Create a hard link to file99:
```
ln file99 hardlink2file99
```
Run ls -l again:
```
ls -l *file99
```
This time, we'll see both files.

Run ls -li:
```
ls -li *file99
```
We'll see they share the same inode number.

Run a search:
```
find /home -samefile file99 -exec ls -li {} \; 2> /dev/null
```
Challenge

Find File Contents and Display the Results Using the `grep` Command
Run the ps aux command, pipe it to grep, and look for ssh:
```
ps aux | grep ssh
```
We should see we get a few entries.

Find out more about ssh:
```
pstree -a | grep ssh
```
Get the process number of sshd:
```
pstree -ap | grep sshd
```
Insert the process number you received in the previous command output:
```
pstree -ap <sshd_PROCESS_NUMBER>
```
This will give us a tree of everything, and their process IDs, running through sshd.

Use grep to search for a user in multiple files:
```
grep cloud_user /etc/passwd /etc/group /etc/shadow
```
Search for zip in /usr/share/doc/packages:
```
grep -i zip /usr/share/doc/packages
```
It won't work because it's a directory.

Try this instead:
```
grep -ir zip /usr/share/doc/packages
```
-ir tells it to look recursively from wherever we're pointing it to. This time, we'll see a ton of files.

Get a count of the files:
```
grep -ir zip /usr/share/doc/packages | wc -l
```
There should be thousands (somewhere around 3800).

Search specifically for zip on its own as a word:
```
grep -irw zip /usr/share/doc/packages | wc -l
```
This time, there are still a lot (close to 2000), but not as many.

Search for ZIP:
```
grep -rw ZIP /usr/share/doc/packages | wc -l
```
There should be even fewer this time (in the 150 range).

Run the following to search for src:
```
grep -rw ZIP /usr/share/doc/packages | grep src
```
Get even more information:
```
grep -rwn ZIP /usr/share/doc/packages | grep -n src
```
Open one of the files in the list:
```
vim /usr/share/doc/packages/p7zip/DOC/src-history.txt +174
```
Quit the file with :q.

Find the accounts that are on your system:
```
lastlog
```
Search forward with to find the accounts that have never logged in:
```
lastlog | grep "Never"
```
This time, cloud_user won't be on the list, as we've logged in.

Invert the search to see everything that doesn't have "Never" in it:
```
lastlog | grep -v "Never"
```

About the author

Pluralsight Skills

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.