Unexpected file changes can reveal misconfiguration, broken deployments, or an intrusion that replaces binaries or edits security-critical settings.
Linux keeps several timestamps per file: atime (last read), mtime (last content write), ctime (last inode change, which covers content writes but also ownership, permission and link-count changes) and, on filesystems that record it, a birth time. The find command can filter on mtime and ctime (-mtime/-mmin, -ctime/-cmin) to narrow a scan to a recent window.
Large scans can be slow or noisy due to permission errors and pseudo filesystems (/proc, /sys), so prioritizing high-signal paths such as /etc, /boot, /usr/bin, /usr/sbin typically produces more useful leads than sweeping the entire filesystem first.
Steps to find recent file changes with find and stat in Linux:
- Open a terminal session with sudo access.
$ whoami
root
Commands use sudo when scanning system directories that are not readable by normal users.
- List files modified in the last 24 hours under /etc, /boot, /usr/bin, /usr/sbin.
$ sudo find /etc /boot /usr/bin /usr/sbin -type f -mtime -1 -printf '%T+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 /usr/bin/new-helper
2026-01-10+19:51:55.6040000770 /etc/sgdemo
2026-01-10+19:51:31.0150000650 /etc/hosts
2026-01-10+19:51:31.0100000650 /etc/fstab
2026-01-10+19:51:17.0430000580 /etc/subuid
2026-01-10+19:51:17.0430000580 /etc/subgid
2026-01-10+19:51:17.0420000580 /etc/gshadow
2026-01-10+19:51:17.0410000580 /etc/group
2026-01-10+19:51:17.0400000580 /etc/shadow
2026-01-10+19:51:17.0400000580 /etc/passwd
Adjust the window with -mtime (days), -mmin (minutes), or use -newermt with an explicit timestamp for incident timelines.
- List files with recent status changes under /etc to catch permission, owner and group updates.
$ sudo find /etc -type f -ctime -1 -printf '%C+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 /etc/sgdemo
2026-01-10+19:51:31.0150000650 /etc/hosts
2026-01-10+19:51:31.0100000650 /etc/fstab
2026-01-10+19:51:17.0440000580 /etc/subgid
2026-01-10+19:51:17.0430000580 /etc/subuid-
2026-01-10+19:51:17.0430000580 /etc/subuid
2026-01-10+19:51:17.0430000580 /etc/subgid-
2026-01-10+19:51:17.0420000580 /etc/gshadow-
2026-01-10+19:51:17.0420000580 /etc/gshadow
2026-01-10+19:51:17.0420000580 /etc/group
-ctime filters on the inode change time, so it surfaces chmod and chown activity that leaves mtime untouched. It is also the harder timestamp to forge: touch and utimes can set atime and mtime to any value, but ctime is only ever written by the kernel from the current clock, so a file whose mtime looks old while its ctime is recent deserves a closer look.
- List recently modified files under /home while pruning common cache and trash paths.
$ sudo find /home -type f -mtime -1 -not -path '*/.cache/*' -not -path '*/.local/share/Trash/*' -printf '%T+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:30.6080000650 /home/user/.ssh/authorized_keys
2026-01-10+19:51:17.0580000580 /home/user/sg-work/recent.txt
Replacing /home with a specific user directory reduces noise on multi-user hosts.
- Check for newly written executable files in /tmp, /var/tmp, /dev/shm.
$ sudo find /tmp /var/tmp /dev/shm -type f -mtime -1 -perm /111 -printf '%T+ %M %u:%g %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 -rwxr-xr-x root:root /tmp/sg-run.sh
Executing unknown files from writable directories can compromise the system further, so treat results as artifacts for review rather than programs to run.
- List SUID, SGID binaries modified recently.
$ sudo find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -mtime -7 -printf '%T+ %M %u:%g %p\n' 2>/dev/null | sort -r | head -n 20
2026-01-10+19:59:13.9430000480 -rwsr-xr-x root:root /usr/local/bin/sg-suid-demo
Adding -xdev keeps find from descending into other mounted filesystems, which speeds up the scan and avoids hanging on network mounts, but it also skips binaries on separately mounted filesystems such as /usr or /home; if you use it, list those mount points as extra start paths.
- Check metadata for a suspicious file.
$ sudo stat /usr/bin/new-helper
  File: /usr/bin/new-helper
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 252,0   Inode: 1091319     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2026-01-10 19:51:55.604000077 +0800
Modify: 2026-01-10 19:51:55.604000077 +0800
Change: 2026-01-10 19:51:55.604000077 +0800
 Birth: 2026-01-10 19:51:55.604000077 +0800
Replace /usr/bin/new-helper with the suspicious path. Birth is the creation time and, like Change, cannot be set with touch; a Modify time earlier than Birth means the mtime was either backdated or preserved when the file was unpacked, which package managers do routinely, so confirm with the package database (dpkg -V or rpm -V) before reading it as tampering.
- Compute a checksum for the suspicious file.
$ sudo sha256sum /usr/bin/new-helper
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /usr/bin/new-helper
A saved hash supports later comparison against a known-good copy, the same file on other hosts, or the distribution's own records: dpkg -V (Debian/Ubuntu) and rpm -V (RHEL/Fedora) verify packaged files against the hashes recorded at install time, and a file in /usr/bin that dpkg -S or rpm -qf attributes to no package is itself worth explaining.
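The following script is an added example, not part of the original page, that wraps the steps above into reusable functions and demonstrates the timestamp caveat in practice: a file whose mtime was backdated with touch drops out of the mtime scan but is still caught by the ctime scan, and a hash baseline catches edits and new files regardless of timestamps. It assumes GNU find and coreutils (-printf, -mmin/-cmin, sha256sum -c, sort -z, xargs -r, touch -d) and runs against a constructed temporary tree rather than real system paths; the function names are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original page): find/stat/sha256sum steps as
# functions plus a demonstration that ctime survives mtime backdating.
# Assumes GNU find and coreutils. Function names are this example's own.

# Pseudo and volatile filesystems skipped on every walk (word-split on use).
PRUNE='( -path /proc -o -path /sys -o -path /dev -o -path /run ) -prune -o'

# recent_mtime MINUTES PATH...  -> "mtime path" for files written in the window
recent_mtime() {
    mins=$1; shift
    find "$@" $PRUNE -type f -mmin "-$mins" -printf '%T+ %p\n' 2>/dev/null | sort -r
}

# recent_ctime MINUTES PATH...  -> "ctime path": content writes, chmod, chown
# and link-count changes; touch -d cannot move this timestamp.
recent_ctime() {
    mins=$1; shift
    find "$@" $PRUNE -type f -cmin "-$mins" -printf '%C+ %p\n' 2>/dev/null | sort -r
}

# write_baseline OUTFILE PATH...  -> sha256sum lines for every regular file
write_baseline() {
    out=$1; shift
    find "$@" $PRUNE -type f -print0 2>/dev/null | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$out"
}

# check_baseline BASEFILE  -> prints "path: FAILED" for changed or missing
# files; exit status 0 only when every hashed file is unchanged.
check_baseline() {
    sha256sum --check --quiet "$1" 2>/dev/null
}

# new_since_baseline BASEFILE PATH...  -> files present now that were never
# hashed (a dropped binary shows here even with a backdated mtime).
new_since_baseline() {
    base=$1; shift
    known=$(mktemp)
    cut -d' ' -f3- "$base" | LC_ALL=C sort > "$known"
    find "$@" $PRUNE -type f -print 2>/dev/null | LC_ALL=C sort | comm -13 "$known" -
    rm -f "$known"
}

# Constructed demonstration tree under a temp dir (not real system data).
demo() {
    d=$(mktemp -d)
    mkdir "$d/etc"
    printf 'fresh\n' > "$d/etc/fresh.conf"
    printf 'tampered\n' > "$d/etc/backdated.conf"
    touch -d '3 days ago' "$d/etc/backdated.conf"   # mtime lies, ctime does not
    echo "== mtime window, 60 min: backdated.conf is missing =="
    recent_mtime 60 "$d"
    echo "== ctime window, 60 min: backdated.conf is caught =="
    recent_ctime 60 "$d"
    write_baseline "$d/baseline.sha256" "$d/etc"
    printf 'edited\n' >> "$d/etc/fresh.conf"
    printf 'dropped\n' > "$d/etc/new.conf"
    echo "== changed since baseline =="
    check_baseline "$d/baseline.sha256" || true
    echo "== new since baseline =="
    new_since_baseline "$d/baseline.sha256" "$d/etc"
    rm -rf "$d"
}

demo
```

On a real host, call the functions with the page's high-signal paths, for example `recent_ctime 1440 /etc /boot /usr/bin /usr/sbin`, and keep the baseline file off the host (or on read-only media) so an intruder with root cannot rewrite it to match the tampered files.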
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
