Cybersecurity Triage

Read-only

Find Services Needing Restart After Patches

After security packages are applied, you need to see which services still need restarts.

Command

needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not restart services blindly from this output; coordinate impact and maintenance windows.

Expected output

systemctl restart commands for services that need to load patched libraries.

System impact

Read-only. Nothing changes. needrestart prints batch-mode restart findings and sed extracts service restart commands.

When to use it

Use after OpenSSL, libc, kernel, or web stack updates to plan service restarts and reboot decisions.

Recovery / rollback

No undo needed because this command only reports restart needs.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ needrestart -b

NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service

$ needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'

systemctl restart nginx.service
systemctl restart ssh.service
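
To plan restarts and the reboot decision from the same batch output without running anything, the sketch below (an added example, not part of the original page or of needrestart) sorts each finding into "ready" or "hold" and reports a kernel mismatch. `HOLD_UNITS`, `restart_plan` and `sample_output` are hypothetical names, and the sample input is the sanitized transcript above.

```shell
#!/bin/sh
# Added example: turn `needrestart -b` batch output into a read-only plan.
# HOLD_UNITS is a hypothetical, site-specific list of units that must wait
# for a maintenance window. Nothing in this script restarts a service.
HOLD_UNITS="${HOLD_UNITS:-ssh.service}"

restart_plan() {
    # Reads needrestart batch output on stdin, prints one plan line per finding.
    awk -v hold="$HOLD_UNITS" '
        BEGIN { n = split(hold, h, " "); for (i = 1; i <= n; i++) held[h[i]] = 1 }
        /^NEEDRESTART-KCUR: / { kcur = $2 }   # kernel currently running
        /^NEEDRESTART-KEXP: / { kexp = $2 }   # kernel expected after patching
        /^NEEDRESTART-SVC: /  {
            unit = $NF                        # last field is the unit name
            printf "%s %s\n", ((unit in held) ? "hold" : "ready"), unit
        }
        END {
            # A running kernel older than the expected one means a reboot
            # is still outstanding, whatever happens to the services.
            if (kcur != "" && kexp != "" && kcur != kexp)
                printf "reboot %s -> %s\n", kcur, kexp
        }'
}

# Constructed sample: the batch output shown in the transcript on this page.
sample_output() {
    cat <<'EOF'
NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service
EOF
}

# On a real host the input would be: needrestart -b | restart_plan
sample_output | restart_plan
```

The output is a plan to review, not a script to execute; "hold" lines are the ones to schedule with the service owner.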
Next steps

Related commands

Cybersecurity Triage Read-only

Find Held Packages Blocking Patches

A held package can quietly keep a security update out of production.

apt-mark showhold | sed 's/^/held: /'

Cybersecurity Triage Read-only

Check Whether Patches Require Reboot

Some security fixes are not complete until the host boots the new kernel or libraries.

test -f /var/run/reboot-required && printf 'reboot-required\n' && cat /var/run/reboot-required.pkgs

Cybersecurity Triage Read-only

Prove a Package Candidate Is From Security

The package name is not enough; the candidate repository tells the patch story.

apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

Cybersecurity Triage Dry run

Dry-Run Unattended Security Upgrades

Unattended upgrades can explain what they would patch before they patch it.

unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'

Cybersecurity Triage Sensitive output

Summarize sudo Commands by User

Privilege history is easier to review when users and commands are separated.

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.