Time and Timestamps
Linux filesystems track three distinct timestamps for every file. Understanding the difference between them is essential for accurate log rotation, backup scripts, and forensic analysis.
The Three Timestamps
| Timestamp | Flag | Definition | When is it updated? |
|---|---|---|---|
| mtime | -mtime | Modification Time | When the file's contents are changed. |
| ctime | -ctime | Change Time | When the file's metadata (permissions, owner, name) OR contents are changed. |
| atime | -atime | Access Time | When the file is read. (Note: Many modern systems mount disks with noatime or relatime to save I/O, making atime unreliable). |
Numeric Arguments (Days vs. Minutes)
find calculates time in two units:
- Days (24-hour blocks):
-mtime,-ctime,-atime - Minutes:
-mmin,-cmin,-amin
The numeric argument you pass to these flags uses a prefix to dictate the search window. This is often the most confusing part of find.
| Prefix | Meaning | Example | Translation |
|---|---|---|---|
+n | Greater than n | -mtime +7 | Modified more than 7 days ago (Older than 7 days) |
-n | Less than n | -mtime -7 | Modified less than 7 days ago (Newer than 7 days) |
n | Exactly n | -mtime 7 | Modified exactly 7 days ago (Between 7 and 8 days) |
The "Days" Calculation Trap
When find calculates days for -mtime, it rounds fractional days down. Thus, -mtime 1 means between 24 and 48 hours ago. -mtime 0 means less than 24 hours ago.
If you need precise timing, always use minutes (-mmin).
# Find files modified less than 24 hours ago
find /var/log -type f -mtime -1
# Find files modified less than 60 minutes ago
find /var/log -type f -mmin -60
Practical Workflows
1. Log Retention
Find old logs to archive or delete.
# Find logs older than 30 days
find /var/log/nginx -type f -name "*.log" -mtime +30
2. Forensic Auditing
Find what configurations were modified recently on a server.
# Find files in /etc modified in the last 48 hours (120 minutes)
find /etc -type f -mmin -2880
3. Comparing to Reference Files (-newer)
Instead of calculating time offsets, you can ask find to compare timestamps against a reference file.
# Find files modified after deployment.tar.gz was extracted
find /var/www/html -type f -newer /var/www/deployment.tar.gz