I need bash commands to investigate a 1 gig addition to our systems.

We manage systems and have customers.   Many of our systems have used an extra gig of space today and I can not figure out what the customer has done.

I need Linux commands to:
1) find all directories created in the last week
2) all files that were installed in the last week
3) the size of each directory and subdirectory so in the future I can compare the growth.
4) hair because at this point I have it pulled out


I did check the rpm's and none were installed in the last 2 months.

Redhat 5 and above, bash, and I can not install any software.
TIMFOX123Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Seth SimmonsSr. Systems AdministratorCommented:
find all directories created in the last week

find -type d -mtime -7 (mtime is modification time)

all files that were installed in the last week

find -type f -mtime -7

the size of each directory and subdirectory so in the future I can compare the growth

du -hsc */ (replace */ with any folder name if not the current)

hair because at this point I have it pulled out

linux can't help with hair loss restoration
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
arnoldCommented:
Lsof /var if that is the filesystemwherethe extra space is.

Likely issue is that you have a process that is writing to a log file that could have been deleted.
I.e. If you restart the correct service, the space will be released.

I.e. Process writing into /var/log/testfile, you then issue an rm /var/log/testfile
The filehandle/inode will continue to be used by the writing process, even though nothing on the filesystemi.e. Du, find, ls etc. will not be able to see it.
Lsof can be used to scan the running processes and the partition to identify the resource.
0
Seth SimmonsSr. Systems AdministratorCommented:
lsof is for currently open files
if the extra file system space is used by a file that isn't currently in use, lsof is useless
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

SurranoSystem EngineerCommented:
Sometimes open files are deleted but still open and occupying space so yes that is a viable explanation.

Best is to check the directory space used by files against space free on filesystem
# fs free space
df -k
# for each mount point, e.g. /, /home, /var
du -xsk / /home /var

Open in new window

The -x flag will prevent du from crossing mount-point borders, i.e. "du -xsk /" won't include the rest.
If you see that for one of the filesystems there is a significant difference between used space reported by df and by du (df shows more space used), then it is an open file deleted. In that case you can use lsof to find it:
lsof -X <filesystem> | grep deleted

Open in new window


If there are no (significant amount of) deleted open files, then you may use find to identify single large files like this, e.g. for files greater than 10m:
find / -type f -mtime -7 -size +10240k

Open in new window

0
SurranoSystem EngineerCommented:
4) hair restoration is best done by:
http://www.vargacseppek.hu/
been there, done that. Honest.
0
gheistCommented:
You should be using some system integrity checking solution.

# rpm -Va
will verify if all rpm-installed files are intact and with good permissions *no binaries should have been changed, sure it is ok that config files are adapted

I suggest you install some rootkit check like rkhunter from EPEL (you can run download from sf.net, but epel is configured to not give false positives on default RHEL system)
0
TIMFOX123Author Commented:
Thank you all
0
gheistCommented:
I would say that you forgot one comment that addressed 4th part of question...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.