This is a compact, practical set of commands for quickly understanding what a Linux host is doing. No theory — just the checks I reach for when something feels off.
0) Context: what am I looking at?
# who am I / where am I
whoami
hostname
pwd
date
# OS + kernel
uname -a
cat /etc/os-release 2>/dev/null || lsb_release -a 2>/dev/null
# uptime + load
uptime
1) CPU / memory / disk pressure
# live view
top
# better process view if installed
htop 2>/dev/null
# memory summary
free -h
# disk usage
df -hT
du -xh /var 2>/dev/null | sort -h | tail -n 20
2) What changed recently?
# recently changed files (last 7 days) in common system paths
# change -7 to match your investigation window
sudo find /etc /usr/bin /usr/sbin /bin /sbin -type f -mtime -7 -ls 2>/dev/null | head -n 200
# recently installed packages (Debian/Ubuntu)
# -f lets zcat pass the uncompressed current log through; sort puts rotated logs in time order
zcat -f /var/log/dpkg.log* 2>/dev/null | grep ' install ' | sort | tail -n 50
# recently installed packages (RHEL/CentOS/Fedora)
sudo rpm -qa --last 2>/dev/null | head -n 50
3) Process triage (what is running, and who spawned it?)
# quick "what's eating the box"
ps aux --sort=-%cpu | head -n 20
ps aux --sort=-%mem | head -n 20
# process tree (readable lineage)
ps -eo pid,ppid,user,etimes,cmd --forest | less
# environment + open files for a suspicious PID
PID=1234
tr '\0' '\n' < /proc/$PID/environ 2>/dev/null | head -n 50
ls -l /proc/$PID/exe 2>/dev/null
sudo lsof -p $PID 2>/dev/null | head -n 50
4) Network triage (who is talking out?)
# active sockets with process info
sudo ss -tupan
# quick view of listening services
sudo ss -tulpen
# DNS config
cat /etc/resolv.conf
# route table
ip route
ip addr
5) Users, logins, and auth signals
# recent logins
last -a | head -n 30
lastlog | head -n 30
# current sessions
w
who
# sudo usage (Debian/Ubuntu)
sudo grep -i "sudo" /var/log/auth.log 2>/dev/null | tail -n 50
# sudo usage (RHEL/CentOS/Fedora)
sudo grep -i "sudo" /var/log/secure 2>/dev/null | tail -n 50
6) Persistence inventory (the usual places)
# systemd: enabled units
systemctl list-unit-files --state=enabled
# recently changed unit files
sudo find /etc/systemd/system /lib/systemd/system -type f -mtime -14 -print 2>/dev/null
# cron locations
ls -la /etc/cron.* /etc/crontab 2>/dev/null
sudo ls -la /var/spool/cron 2>/dev/null
# shell startup (per-user)
ls -la ~/.bashrc ~/.profile ~/.bash_profile 2>/dev/null
7) Logs: fastest high-signal reads
# journal (systemd)
sudo journalctl -p err -n 100
sudo journalctl --since "2 hours ago" | tail -n 200
# kernel messages
dmesg -T | tail -n 120
# auth logs (Debian/Ubuntu)
sudo tail -n 120 /var/log/auth.log 2>/dev/null
# auth logs (RHEL/CentOS/Fedora)
sudo tail -n 120 /var/log/secure 2>/dev/null
8) Useful one-liners (quick answers)
# biggest files (fast triage)
sudo find / -xdev -type f -size +200M -printf '%s %p\n' 2>/dev/null | sort -n | tail -n 20
# suspicious: recently executed binaries (if auditd exists and is configured)
# (environment-specific; may not work on all hosts)
# check for unexpected setuid binaries
sudo find / -xdev -perm -4000 -type f 2>/dev/null
Notes
- Start broad, then narrow. Time windows matter: change -mtime -7 and log ranges to match the suspected incident window.
- Prefer correlation (process lineage + recent changes + network activity) over single indicators.
- This list is designed for triage and incident response, not performance tuning.
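The "prefer correlation" note above, turned into a small helper. This is an added example, not part of the original cheat sheet: it takes the PIDs that `ss -tupan` reports for open sockets, prints each one's executable, whether that file was modified inside the investigation window, and its parent chain from /proc. It assumes Linux /proc, iproute2 `ss`, and GNU `find`; the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the original page): correlate network activity with
# process lineage and recent on-disk changes. Assumes Linux /proc and iproute2.

# Extract unique PIDs from `ss -tupan` output, i.e. from the
# users:(("name",pid=N,fd=M),...) column. Reads stdin, prints one PID per line.
pids_from_ss() {
    grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -un
}

# Print the parent chain of a PID as "pid comm" lines, child first, up to PID 1.
lineage() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        comm=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
        printf '%s %s\n' "$pid" "$comm"
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status")
    done
}

# For every process holding a socket: exe path, whether the binary changed in
# the last N days (default 7, to match -mtime -7 above), and its lineage.
correlate() {
    days=${1:-7}
    ss -tupan 2>/dev/null | pids_from_ss | while read -r pid; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        recent=no
        case $exe in *'(deleted)') recent=deleted ;; esac   # running from an unlinked file
        if [ -e "$exe" ] && [ -n "$(find "$exe" -mtime "-$days" 2>/dev/null)" ]; then
            recent=yes
        fi
        printf '== pid %s exe=%s changed_in_%sd=%s\n' "$pid" "$exe" "$days" "$recent"
        lineage "$pid" | sed 's/^/   /'
    done
}

# usage: sh correlate.sh 7   (window in days)
if [ "$#" -gt 0 ]; then correlate "$@"; fi
```

Rows with changed_in_Nd=yes or =deleted are the ones to pull into section 2 and 3 first; a bare "?" exe usually means the process exited or you lack permission to read /proc.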