Cybersecurity Triage

Read-only

Find Held Packages Blocking Patches

Patch simulation shows kept-back packages and you need to see whether apt holds are part of the reason.

Command

apt-mark showhold | sed 's/^/held: /'

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not remove holds automatically; confirm why each package was held and who owns the risk.

Expected output

Held package names prefixed with held: for quick review.

System impact

Read-only. Nothing changes. apt-mark prints held package names and sed labels them for incident notes.

Recovery / rollback: no state is changed.

When to use it

Use before blaming repositories, mirrors, or dependency conflicts for missing security updates.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ apt-mark showhold
app-agent
linux-image-generic

$ apt-mark showhold | sed 's/^/held: /'
held: app-agent
held: linux-image-generic
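
As an added example that is not part of the original page, the script below goes one step beyond the command above: it splits the kept-back list from an `apt-get -s upgrade` simulation into packages that are on hold and packages kept back for another reason. The function names, file names and the `libexample1` package are hypothetical, the sample data is constructed, and the parser assumes the classic English `apt-get` heading "The following packages have been kept back:".

```shell
#!/bin/sh
# Added example: label each kept-back package as held or not held. Read-only.
# Live use: apt-mark showhold > held.txt
#           LC_ALL=C apt-get -s upgrade > sim.txt
#           classify_kept_back held.txt sim.txt

# Print one kept-back package per line from simulation text on stdin.
# Assumption: the list is the indented block under the classic heading.
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        in_list && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    '
}

# $1 = file with `apt-mark showhold` output, $2 = file with simulation output.
classify_kept_back() {
    kept_back_packages < "$2" | sort -u | while IFS= read -r pkg; do
        if grep -Fxq -- "$pkg" "$1"; then
            printf 'held: %s\n' "$pkg"        # an apt hold explains this one
        else
            printf 'not-held: %s\n' "$pkg"    # look for another cause
        fi
    done
}

# Constructed sample data so the example runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' app-agent linux-image-generic > "$tmp/held.txt"
    cat > "$tmp/sim.txt" <<'EOF'
Reading package lists...
Calculating upgrade...
The following packages have been kept back:
  app-agent libexample1 linux-image-generic
The following packages will be upgraded:
  openssl
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
EOF
    classify_kept_back "$tmp/held.txt" "$tmp/sim.txt"
    rm -rf "$tmp"
}

demo
```

Packages reported as `not-held` are kept back for a reason other than a hold, so releasing holds would not change them.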
Next steps

Related commands

Cybersecurity Triage Read-only

Prove a Package Candidate Is From Security

The package name is not enough; the candidate repository tells the patch story.

apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

Cybersecurity Triage Dry run

Dry-Run Unattended Security Upgrades

Unattended upgrades can explain what they would patch before they patch it.

unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'

Cybersecurity Triage Read-only

Check Whether Patches Require Reboot

Some security fixes are not complete until the host boots the new kernel or libraries.

test -f /var/run/reboot-required && printf 'reboot-required\n' && cat /var/run/reboot-required.pkgs

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:102-package-management
  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:operations-deployment
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:system-management
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.