$ Linux One Liners
Back to lessons

Cybersecurity Triage

Risk: safe

Prove a Package Candidate Is From Security

A package is upgradable and you need to confirm whether the candidate version comes from the security pocket.

Command

apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

Before you run this

Risk: safe. Do not use it to install the package; this is only metadata inspection.

Expected output

Installed and candidate versions plus a security repository line for the candidate.

System impact

Nothing changes. apt-cache reads local apt metadata and sed extracts the version and security-origin lines.

Recovery / rollback: no state is changed.

When to use it

Use when documenting why a specific package is being patched or when comparing update and security pockets.

When not to use it

Do not use it to install the package; this is only metadata inspection.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ apt-cache policy openssl

openssl:
  Installed: 3.0.13-0ubuntu3.5
  Candidate: 3.0.13-0ubuntu3.6
  Version table:
     3.0.13-0ubuntu3.6 500
        500 http://example.com/ubuntu noble-security/main amd64 Packages
 *** 3.0.13-0ubuntu3.5 100
        100 /var/lib/dpkg/status

$ apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

  Installed: 3.0.13-0ubuntu3.5
  Candidate: 3.0.13-0ubuntu3.6
        500 http://example.com/ubuntu noble-security/main amd64 Packages
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. apt-cache policy openssl
  2. apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

next steps

Related commands

Cybersecurity Triage Risk: safe

Simulate Security Package Upgrades

Security patch triage starts by seeing what apt would change, without changing it.

apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'
Cybersecurity Triage Risk: safe

Find Held Packages Blocking Patches

A held package can quietly keep a security update out of production.

apt-mark showhold | sed 's/^/held: /'
Cybersecurity Triage Risk: safe

Dry-Run Unattended Security Upgrades

Unattended upgrades can explain what they would patch before they patch it.

unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:102-package-management
  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:operations-deployment
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:system-management
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.