/ (root) overflow

Edit online

Check the following when the root file system (/) has become full.

  • Use the following command to read the contents of the /etc/security/failedlogin file: 
    who /etc/security/failedlogin
    The condition of TTYs recreating too rapidly can create failed login entries. To clear the file after reading or saving the output, execute the following command:
    cp /dev/null /etc/security/failedlogin
  • Check the /dev directory for a device name that is typed incorrectly. If a device name is typed incorrectly, such as rmto instead of rmt0, a file will be created in /dev called rmto. The command will normally proceed until the entire root file system is filled before failing. /dev is part of the root (/) file system. Look for entries that are not devices (that do not have a major or minor number). To check for this situation, use the following command: 
    cd /dev
ls -l | pg
    In the same location that would indicate a file size for an ordinary file, a device file has two numbers separated by a comma. For example: 
    crw-rw-rw-   1 root     system    12,0 Oct 25 10:19 rmt0
    If the file name or size location indicates an invalid device, as shown in the following example, remove the associated file: 
    crw-rw-rw-   1 root     system   9375473 Oct 25 10:19 rmto
    Note:
    • Do not remove valid device names in the /dev directory. One indicator of an invalid device is an associated file size that is larger than 500 bytes.
    • If system auditing is running, the default /audit directory can rapidly fill up and require attention.
  • Check for very large files that might be removed using the find command. For example, to find all files in the root (/) directory larger than 1 MB, use the following command: 
    find / -xdev -size  +2048 -ls |sort -r -n +6
    This command finds all files greater than 1 MB and sorts them in reverse order with the largest files first. Other flags for the find command, such as -newer, might be useful in this search. For detailed information, see the command description for the find command.
    Note: When checking the root directory, major and minor numbers for devices in the /dev directory will be interspersed with real files and file sizes. Major and minor numbers, which are separated by a comma, can be ignored.
    Before removing any files, use the following command to ensure a file is not currently in use by a user process: 
    fuser filename
    Where filename is the name of the suspect large file. If a file is open at the time of removal, it is only removed from the directory listing. The blocks allocated to that file are not freed until the process holding the file open is killed.