Check the CPU usage of the 5 most CPU-intensive processes:
ps -eo %cpu,comm,pid,user,etime --sort=-%cpu | head -6
Sometimes you'll want to use top instead of ps. Sometimes ps is inaccurate while top is accurate.
top -d 10 -o +%CPU
Check the memory usage of the 5 most memory-hungry processes:
ps -eo %mem,comm,pid,user,etime --sort=-%mem | head -6
See a process's full process tree along with its arguments:
pstree -pals [PID]
List all partitions:
df -h -x tmpfs -x devtmpfs
List only local partitions:
df -hl -x tmpfs -x devtmpfs
Find the 9 largest directories in /dir/:
du -hx -d 1 /dir/ | sort -hr | head
Find the 9 largest directories and files in /dir/:
du -hax -d 1 /dir/ | sort -hr | head
Recursively find the 20 largest files in /dir/ larger than 1 gibibyte:
find /dir/ -type f -size +1G -exec du -h "{}" \+ | sort -hr | head -20
For files smaller than 1 gibibyte: replace +1G with -1G
For files larger than 500 mebibytes: replace +1G with +500M
Recursively find the 20 largest files in /dir/ larger than 1 gibibyte, older than 1 year old, and give the total space used by all such files (not just the largest 20):
find /dir/ -type f -size +1G -mtime +365 -exec du -chx "{}" \+ | sort -h | tail -21
Find the 10 most recently modified files and directories in /dir/:
stat -c "%y %n" /dir/* | sort -hr | head -10
Recursively find the 10 most recently modified files in /dir/ that have been modified in the last 24 hours:
find /dir/ -type f -mtime -1 -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | head -10 | cut -d ":" -f 2-
See which processes are writing the most to disk:
iotop -Po -d 10
Use the [LEFT] and [RIGHT] arrow keys to choose which column to sort the results by, and use the [R] key to reverse the sorting order.
See which files and directories a process is writing to:
lsof -p [PID]
Back up a directory to another location:
rsync -vazHAP [SOURCE] [DESTINATION]
Same as above but with root privileges on the remote machine:
rsync --rsync-path="sudo rsync" -vazHAP [SOURCE] [DESTINATION]
Same as above but using an AskPass program to provide a mandatory password upon sudo-ing:
rsync --rsync-path="export SUDO_ASKPASS=[PATH-TO-ASKPASS-PROGRAM]; sudo -A rsync" -vazHAP [SOURCE] [DESTINATION]
Check what processes are listening on what ports:
ss -tupln
Check what Docker containers are listening on what ports:
docker ps --format "table {{.Names}}\t{{.Ports}}"
Check what Podman containers are listening on what ports:
podman ps --format "table {{.Names}}\t{{.Ports}}"
List all virtual machines:
virsh list --all
List a virtual machine's allocated CPUs:
virsh vcpucount [VM-NAME]
List a virtual machine's allocated memory:
virsh dommemstat [VM-NAME] | grep actual
List the mount points of a virtual machine's drives:
virsh domblklist [VM-NAME]
Start, stop, or reboot a virtual machine:
virsh start [VM-NAME]
virsh shutdown [VM-NAME]
virsh reboot [VM-NAME]
Verify that one or more TLS certificates are valid:
openssl verify -CApath /etc/ssl/certs/ -CAfile [CA-BUNDLE.crt] [TLS.crt] [TLS-2.crt] [TLS-3.crt] [...]
Note that -CApath /etc/ssl/certs/ is necessary when the CA bundle doesn't contain the root CA certificate, which is normal and expected by most web browsers but not expected by openssl.
Record to the terminal the output of one or more commands every 5 seconds:
while sleep 5; do [ONE OR MORE COMMANDS SEPARATED BY SEMICOLONS]; echo; done
Stop it with [Ctrl + C]
Record in the background to a file the time (with time zone) and output of one or more commands every 5 seconds, and save the recording command's PID:
while sleep 5; do date +"%H:%M:%S %:z"; [COMMAND 1]; [COMMAND 2]; [...]; echo; done >> record.log & echo $! > recorder.pid
Monitor updates to that file:
tail -f record.log
Remember to kill it when you don't need it anymore, otherwise it will perpetually eat up drive space:
kill $(cat recorder.pid) && rm recorder.pid
In case you lose the recording command's PID, it will show up here if you're still in the same terminal session:
jobs -l
If you're not in the same terminal session, it will still show up here, though with unrelated processes, so try not to kill anything important:
ps -C bash -o pid,user,args
You can see the PID of the current terminal session with this:
echo $$
Search for SELinux denials:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -c [COMMAND-OR-PROCESS-NAME]
If you think SELinux is denying operations inside a container, but don't see any denials from ausearch, try:
semanage dontaudit off
and then run ausearch again. Don't forget to run the following when you're done testing:
semanage dontaudit on
SSH through a jump server:
ssh -J [USERNAME]@[JUMP-SERVER-IP] [USERNAME]@[TARGET-IP]
Create an SSH tunnel to a TCP socket through a jump server:
ssh -L localhost:[LOCAL-PORT]:[TARGET-IP]:[TARGET-PORT] -N [USERNAME]@[JUMP-SERVER-IP]
Completely clear your bash history:
cat /dev/null > ~/.bash_history && history -c
You might want to do this when you have sensitive information like passwords in your bash history.
List installed packages:
dnf ls --installed
List files in a package:
dnf rq -l [PACKAGE]
See what package/s provide a file:
dnf wp [FILENAME]
See patches already installed for a CVE:
dnf upif --list --with-cve --installed | grep [CVE]
See patches for a CVE that are available but not yet installed:
dnf upif --list --with-cve | grep [CVE]
List installed packages:
zypper se -i
List files in a package:
rpm -ql [PACKAGE]
See what package/s provide a file:
zypper se --provides --match-exact [FILENAME]
See patches for a CVE that are available but not yet installed:
zypper lp --cve=[CVE]