I need bash commands to investigate a 1 gig addition to our systems.

Posted on 2014-08-29
Last Modified: 2014-08-30
We manage systems and have customers. Many of our systems have used an extra gig of space today and I cannot figure out what the customer has done.

I need Linux commands to:
1) find all directories created in the last week
2) all files that were installed in the last week
3) the size of each directory and subdirectory so in the future I can compare the growth.
4) hair because at this point I have it pulled out

I did check the RPMs and none were installed in the last 2 months.

Red Hat 5 and above, bash, and I cannot install any software.
Question by:TIMFOX123

    Accepted Solution

    find all directories created in the last week

    find -type d -mtime -7 (mtime is modification time)

    all files that were installed in the last week

    find -type f -mtime -7

    the size of each directory and subdirectory so in the future I can compare the growth

    du -hsc */ (replace */ with any folder name if not the current)

    hair because at this point I have it pulled out

    linux can't help with hair loss restoration
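
An added example, not part of the answer above: one way to cover item 3 is to save `du` output per directory and diff two snapshots later. The function names and snapshot paths are made up for this sketch; it assumes GNU coreutils and awk (both on a stock RHEL 5+) and directory names without tabs or newlines.

```bash
#!/bin/bash
# Added example: names (snapshot, growth) and file paths are illustrative.

# snapshot DIR OUTFILE
# Save "size_kb<TAB>path" for DIR and every subdirectory. -x keeps du on one
# filesystem so a nested mount point does not distort the numbers.
snapshot() {
    du -xk "$1" 2>/dev/null > "$2"
    [ -s "$2" ]    # du exits non-zero on unreadable dirs; succeed if anything was recorded
}

# growth OLD NEW [MIN_KB]
# Print "delta_kb<TAB>status<TAB>path", largest first, for every directory that
# is new or grew by at least MIN_KB (default 1024). A parent's size includes its
# children, so the deepest path with a large delta is where the data landed.
growth() {
    awk -F'\t' -v min="${3:-1024}" '
        NR == FNR { old[$2] = $1; next }        # first file: remember old sizes
        {
            status = ($2 in old) ? "grew" : "new"
            delta  = $1 - old[$2]                # unknown path counts from 0
            if (delta >= min) print delta "\t" status "\t" $2
        }
    ' "$1" "$2" | sort -rn
}

# Typical use, e.g. from cron once a day (dates are placeholders):
#   snapshot /var /root/du-var.$(date +%F)
#   growth /root/du-var.2014-08-22 /root/du-var.2014-08-29 10240
```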

    Expert Comment

    lsof /var if that is the filesystem where the extra space is.

    Likely issue is that you have a process that is writing to a log file that could have been deleted.
    I.e. if you restart the correct service, the space will be released.

    I.e. a process is writing into /var/log/testfile, you then issue an rm /var/log/testfile.
    The filehandle/inode will continue to be used by the writing process, even though nothing on the filesystem (i.e. du, find, ls etc.) will be able to see it.
    lsof can be used to scan the running processes and the partition to identify the resource.

    Expert Comment

    by:Seth Simmons
    lsof is for currently open files
    if the extra file system space is used by a file that isn't currently in use, lsof is useless

    Assisted Solution

    Sometimes open files are deleted but still open and occupying space so yes that is a viable explanation.

    Best is to check the directory space used by files against space free on filesystem
    # fs free space
    df -k
    # for each mount point, e.g. /, /home, /var
    du -xsk / /home /var


    The -x flag will prevent du from crossing mount-point borders, i.e. "du -xsk /" won't include the rest.
    If you see that for one of the filesystems there is a significant difference between used space reported by df and by du (df shows more space used), then it is a deleted open file. In that case you can use lsof to find it:
    lsof -X <filesystem> | grep deleted


    If there are no (significant amount of) deleted open files, then you may use find to identify single large files like this, e.g. for files greater than 10m:
    find / -type f -mtime -7 -size +10240k
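
The df-versus-du comparison and the deleted-file lookup from the answer above, as an added example (not the poster's code). It uses `lsof +L1`, which lists open files whose link count is below 1; the function names and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example: function names and the sample data are constructed.

# fs_gap_kb MOUNTPOINT
# KiB that df counts as used but du cannot reach by walking the tree
# (run as root so du can read every directory). A large positive value
# points at space held by deleted-but-open files.
fs_gap_kb() {
    used_df=$(df -Pk "$1" | awk 'NR == 2 { print $3 }')
    used_du=$(du -xsk "$1" 2>/dev/null | awk '{ print $1 }')
    echo $(( used_df - used_du ))
}

# deleted_open_by_process: read `lsof +L1 MOUNTPOINT` output on stdin and print
# "kb<TAB>command<TAB>pid", largest first. Assumes the default column order
# COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME.
deleted_open_by_process() {
    awk '$5 == "REG" && $8 == 0 {
            key = $2 SUBSEP $6 SUBSEP $9        # pid + device + inode
            if (key in seen) next               # same file held via several fds
            seen[key] = 1
            kb[$1 "\t" $2] += $7 / 1024
         }
         END { for (p in kb) printf "%d\t%s\n", kb[p], p }' | sort -rn
}

# Constructed sample of `lsof +L1 /var` output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID   USER  FD  TYPE DEVICE   SIZE/OFF NLINK   NODE NAME
rsyslogd 1234   root  5w   REG  253,2 1073741824     0 131077 /var/log/testfile (deleted)
rsyslogd 1234   root  7w   REG  253,2 1073741824     0 131077 /var/log/testfile (deleted)
httpd    2210 apache  9u   REG  253,2    2097152     0 131090 /var/tmp/sess_ab12 (deleted)
EOF
}

# Live use:  fs_gap_kb /var ;  lsof +L1 /var | deleted_open_by_process
```

The PID column identifies the process that still holds the space; the same process holding one inode through several descriptors is counted once.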



    Expert Comment

    4) hair restoration is best done by:
    been there, done that. Honest.

    Assisted Solution

    You should be using some system integrity checking solution.

    # rpm -Va
    will verify if all rpm-installed files are intact and with good permissions (no binaries should have been changed; sure, it is OK that config files are adapted).

    I suggest you install some rootkit check like rkhunter from EPEL (you can run download from, but epel is configured to not give false positives on default RHEL system)
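
A filter for the `rpm -Va` check suggested above, as an added example rather than the poster's code: it drops config, doc and ghost entries and keeps package files whose content, mode or ownership changed or that are missing. The function name and the sample lines are constructed.

```bash
#!/bin/bash
# Added example: function name and sample data are constructed.

# rpm_va_triage: read `rpm -Va` output on stdin. Each line is a flag string
# (8 or 9 characters depending on the rpm version, or the word "missing"), an
# optional file-type marker (c config, d doc, g ghost, l license, r readme)
# and the path. Prints "REASON<TAB>path" for non-config package files.
rpm_va_triage() {
    awk '
    {
        flags = $1; marker = ""; first = 2
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { marker = $2; first = 3 }
        path = $first
        for (i = first + 1; i <= NF; i++) path = path " " $i
        if (marker == "c" || marker == "d" || marker == "g") next   # expected to change
        if (flags == "missing") { print "MISSING\t" path; next }
        n = length(flags)
        if (flags !~ /^[.SM5DLUGTP?]+$/ || (n != 8 && n != 9)) next  # not a verify line
        if (flags ~ /5/)          print "CONTENT\t" path             # digest differs
        else if (flags ~ /[MUG]/) print "PERMS\t" path               # mode/owner/group
    }'
}

# Constructed sample of `rpm -Va` output (not from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
.M.......    /usr/bin/passwd
.......T.    /usr/lib/python2.4/site.pyc
missing      /usr/bin/lsattr
missing    c /etc/cron.d/example
EOF
}

# Live use:  rpm -Va 2>/dev/null | rpm_va_triage
```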

    Author Closing Comment

    Thank you all

    Expert Comment

    I would say that you forgot one comment that addressed 4th part of question...
