← All Categories
🐧
Linux Sysadmin Cron Expressions
Essential crontab schedules for Linux system administration — disk monitoring, log rotation, memory alerts, package updates, process cleanup, and system maintenance.
Featured Patterns
0 * * * *
Linux Disk Usage Check — Hourly
Hourly disk usage monitoring on Linux servers using 'df -h'. Alerts when any filesystem exceeds 80% capacity, preventing disk-full outages. Logs usage trends for capacity planning.
Linux df disk check hourlyFilesystem 80% alert cron
0 0 * * *
Linux Log Rotation — Daily Midnight
Daily log rotation via logrotate at midnight. Compresses previous day's logs, removes files older than retention policy (30 days default), and signals daemons to reopen log file handles.
logrotate daily midnightLinux log file rotation cron
0 3 * * *
Linux /tmp Cleanup — Daily 3 AM
Daily cleanup of temporary files in /tmp and /var/tmp at 3:00 AM. Removes files not accessed in 24+ hours, preventing disk exhaustion from leaked temp files and stale session data.
Linux /tmp cleanup dailyTemp file purge cron 3am
*/15 * * * *
Linux Memory Usage Alert — Every 15 Minutes
Memory usage monitor running every 15 minutes. Checks free memory, swap usage, and OOM killer events. Sends alert when memory pressure exceeds 90% before processes are killed.
Linux memory alert every 15 minOOM killer prevention cron
0 2 * * *
Linux System Backup — Daily 2 AM
Full Linux system backup running at 2:00 AM using rsync, tar, or Restic. Archives configuration files, user data, and critical system directories to offsite storage before business hours.
Linux rsync backup daily 2amRestic full backup cron
0 8 * * 0
Linux Package Update Check — Sunday 8 AM
Weekly check for available OS package updates on Sunday at 8:00 AM. Runs 'apt-get update && apt list --upgradable' or 'yum check-update'. Reports security patches and schedules maintenance window.
apt-get update check weeklyyum check-update Sunday
15 * * * *
Zombie Process Check — Every Hour :15
Hourly zombie process detection at the :15 mark. Identifies defunct processes using 'ps aux | grep defunct', reports to monitoring, and attempts parent-process SIGCHLD to reap zombies before they accumulate.
Zombie process detection hourlyps aux defunct check cron
*/30 * * * *
Linux Swap Usage Monitor — Every 30 Minutes
Swap space usage monitor running every 30 minutes. Alerts when swap usage exceeds 50%, indicating memory pressure. Logs swappiness and identifies top memory consumers for capacity review.
Linux swap monitor 30 minSwap usage alert cron
0 9 * * 1
Linux Crontab Audit — Monday 9 AM
Weekly audit of all crontabs across system users every Monday at 9 AM. Detects unauthorized cron entries (persistence mechanisms), duplicate jobs, and orphaned tasks from deleted users.
Linux crontab security auditUnauthorized cron detection
0 2 1 * *
Linux Kernel Update Check — 1st of Month 2 AM
Monthly kernel update availability check on the 1st at 2 AM. Compares running kernel with latest stable release, flags critical security patches (CVE-tagged), and prepares update runbook for scheduled maintenance.
Linux kernel update monthlyKernel CVE patch check cron
0 6 * * *
Linux Inode Usage Check — Daily 6 AM
Daily inode exhaustion check at 6:00 AM. Filesystems with >85% inode usage trigger alerts — inode exhaustion prevents new file creation even when disk space is available.
Linux inode check dailydf -i inode monitor cron
0 7 * * *
Failed Login Report — Daily 7 AM
Daily failed login attempt report at 7:00 AM. Parses /var/log/auth.log (Debian) or /var/log/secure (RHEL) for failed SSH, sudo, and su attempts. Highlights IP addresses with >10 failures (brute-force candidates).
SSH failed login report dailyBrute force detection daily
0 4 * * 0
Core Dump Cleanup — Sunday 4 AM
Weekly cleanup of core dump files every Sunday at 4 AM. Removes stale .core files from /tmp, /var/crash, and app directories. Archives recent crashes for post-mortem before deletion.
Core dump cleanup weeklyLinux crash file cleanup
0 5 * * *
Open Ports Scan — Daily 5 AM
Daily open port inventory using 'ss -tlnp' or 'netstat -tuln' at 5:00 AM. Compares against an approved allowlist and alerts on unexpected new listeners — a common indicator of compromise or misconfiguration.
Linux open port scan dailyss -tlnp audit cron
0 9 1 * *
SSH Authorized Keys Audit — 1st of Month
Monthly audit of all SSH authorized_keys files across all user home directories. Identifies unauthorized keys, keys without comments (unknown origin), and orphaned keys for deprovisioned employees.
SSH key audit monthlyauthorized_keys review cron
Related Patterns
* * * * *
Every Minute
Runs every single minute of every hour, every day. This is the highest possible cron frequency — 1,440 executions per day.
*/5 * * * *
Every 5 Minutes
Runs every 5 minutes, 288 times per day. One of the most popular cron schedules for frequent background jobs.
*/30 * * * *
Every 30 Minutes
Runs twice per hour (at :00 and :30), 48 times per day. Very common for periodic background jobs.
*/45 * * * *
Every 45 Minutes
Runs every 45 minutes. Note: because 45 doesn't divide 60 evenly, runs occur at :00 and :45 each hour.
0 * * * *
Every Hour (at :00)
Runs once at the top of every hour (:00), 24 times per day. The standard hourly cron schedule.
15 * * * *
Hourly at :15
Runs at 15 minutes past every hour (:15), 24 times per day. Useful when you want to offset from other hourly jobs.
30 * * * *
Hourly at :30
Runs at 30 minutes past every hour (:30), 24 times per day.
45 * * * *
Hourly at :45
Runs at 45 minutes past every hour (:45), 24 times per day.