Listing cron jobs in Linux provides clear visibility into recurring automation such as backups, log rotation, monitoring, and cleanup tasks. Understanding what is scheduled reduces surprises, helps troubleshoot performance issues, and makes compliance audits easier.

The cron subsystem is usually implemented by the cron or crond daemon, which reads configuration from user crontabs and system-wide files. User-specific schedules live in per-account crontabs, while packages and administrators often add entries under /etc/ and related cron directories.

Access to cron configuration depends on file permissions and user privileges. Some locations are world-readable, while others require sudo. Direct edits to system cron files can affect the entire machine, so viewing and auditing entries safely is important before making changes.

Related: How to check for persistence via cron and systemd in Linux
Related: How to start program at Linux boot automatically

Steps to list cron jobs in Linux:

  1. Open a terminal session on the Linux system.
  2. List the current user’s cron jobs using the crontab command. 
    $ crontab -l
# m h  dom mon dow   command
0 5 * * * /usr/local/bin/backup.sh
15 * * * * /usr/local/bin/rotate-logs.sh

    The crontab -l command prints only the crontab for the user running the command.

  3. View cron jobs for a specific user such as root. 
    $ sudo crontab -l -u root
# m h  dom mon dow   command
0 5 * * * /usr/local/bin/backup.sh
15 * * * * /usr/local/bin/rotate-logs.sh

    Listing or editing another user’s crontab requires appropriate privileges and may affect system-wide behavior when targeting root.

  4. Display the main system-wide cron file under /etc/. 
    $ sudo cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
 
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root	cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6	* * 7	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6	1 * *	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#

    In /etc/crontab the first five fields are the schedule, followed by the user account that runs the command, then the command itself.

  5. List additional system cron definitions provided by packages in /etc/cron.d/. 
    $ sudo ls -1 /etc/cron.d
e2scrub_all
sysstat

    Files in /etc/cron.d/ follow crontab syntax and are usually installed by system packages or configuration management.

  6. List periodic cron script directories such as hourly, daily, weekly, and monthly. 
    $ sudo ls -1 /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
/etc/cron.daily:
apt-compat
dpkg
logrotate
sysstat
 
/etc/cron.hourly:
 
/etc/cron.monthly:
 
/etc/cron.weekly:

    These directories hold executable scripts that run at fixed intervals, typically orchestrated by entries in /etc/crontab or anacron.

  7. Inspect per-user cron spool files to see configured crontabs for all accounts. 
    $ sudo ls -1 /var/spool/cron /var/spool/cron/crontabs
/var/spool/cron:
crontabs
 
/var/spool/cron/crontabs:
alice
appuser
backupuser
root

    Directly editing files under /var/spool/cron or /var/spool/cron/crontabs can corrupt crontabs; use crontab -e for changes instead of editing these files by hand.

  8. Optionally search across all cron-related locations for specific commands or patterns. 
    $ sudo sh -c 'grep --line-number --ignore-case "backup" /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/* /var/spool/cron/crontabs/* 2>/dev/null'
/etc/cron.daily/dpkg:8:/usr/libexec/dpkg/dpkg-db-backup
/var/spool/cron/crontabs/backupuser:4:# Run backup command every day at midnight, sending the logs to a file.
/var/spool/cron/crontabs/backupuser:5:0 0 * * * rsync -av --delete /home/backupuser/folder_01/ backupuser@localhost:backup_folder/folder_01 >>/home/backupuser/.backup.log 2>&1
/var/spool/cron/crontabs/root:5:0 5 * * * /usr/local/bin/backup.sh

    Using grep across cron paths quickly reveals where a particular command or keyword is scheduled.

  9. Verify that the cron daemon is active so that listed jobs are actually being scheduled. 
    $ systemctl status cron
● cron.service - Regular background program processing daemon
     Loaded: loaded (/usr/lib/systemd/system/cron.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-13 01:13:32 UTC; 21h ago
       Docs: man:cron(8)
   Main PID: 7319 (cron)
      Tasks: 1 (limit: 14999)
     Memory: 532.0K (peak: 2.6M)
        CPU: 1.209s
     CGroup: /system.slice/cron.service
             └─7319 /usr/sbin/cron -f -P
 
Jan 13 22:05:01 host.example.net CRON[13761]: pam_unix(cron:session): session closed for user root
Jan 13 22:15:01 host.example.net CRON[13764]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
Jan 13 22:15:01 host.example.net CRON[13765]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 13 22:15:01 host.example.net CRON[13764]: pam_unix(cron:session): session closed for user root
Jan 13 22:17:01 host.example.net CRON[13767]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
Jan 13 22:17:01 host.example.net CRON[13768]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 13 22:17:01 host.example.net CRON[13767]: pam_unix(cron:session): session closed for user root
Jan 13 22:25:01 host.example.net CRON[15000]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
Jan 13 22:25:01 host.example.net CRON[15001]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 13 22:25:01 host.example.net CRON[15000]: pam_unix(cron:session): session closed for user root

    On some distributions the service name is crond instead of cron, in which case systemctl status crond provides the same confirmation.