Cybersecurity Triage

Risk: safe

Find Services Needing Restart After Patches

After security packages are applied, running services keep the old code loaded until they restart, so you need to see which services still need restarts.

Command

needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'

Before you run this

Risk: safe. Do not restart services blindly from this output; coordinate impact and maintenance windows.

Expected output

systemctl restart commands for services that need to load patched libraries.

System impact

Nothing changes. needrestart prints batch-mode restart findings and sed extracts service restart commands.

When to use it

Use after OpenSSL, libc, kernel, or web stack updates to plan service restarts and reboot decisions.

When not to use it

Do not restart services blindly from this output; coordinate impact and maintenance windows.

Recovery / rollback

No undo needed because this command only reports restart needs.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

$ needrestart -b

NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service

$ needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'

systemctl restart nginx.service
systemctl restart ssh.service

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. needrestart -b
  2. needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'
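
The sed filter keeps only the NEEDRESTART-SVC lines, so the kernel fields in the same batch output are dropped. The following added example (not part of the original lesson) reads the whole batch output and prints a review plan covering both the reboot decision and the service list. The function names are hypothetical, the sample input is constructed from the transcript above, and the NEEDRESTART-KSTA meanings in the comments are an assumption taken from needrestart's batch-mode documentation, not from this page.

```shell
#!/bin/sh
# Added example, not from the lesson: summarise `needrestart -b` output
# for review. It only reads text and never runs a restart command.

# Constructed sample with the same shape as the lab transcript.
sample_output() {
  cat <<'EOF'
NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service
EOF
}

# restart_plan (hypothetical name): reads batch output on stdin, prints
#   kernel: <state> running=<KCUR> expected=<KEXP>
#   service: <unit>            (one line per NEEDRESTART-SVC finding)
restart_plan() {
  awk -F': ' '
    $1 == "NEEDRESTART-KCUR" { kcur = $2 }
    $1 == "NEEDRESTART-KEXP" { kexp = $2 }
    $1 == "NEEDRESTART-KSTA" { ksta = $2 }
    # Keep the last word, so a bare unit name works as well as the
    # full restart command shown in the transcript.
    $1 == "NEEDRESTART-SVC"  { n = split($2, w, " "); svc[++c] = w[n] }
    END {
      # Assumed KSTA meanings (needrestart batch-mode docs):
      # 1 = no pending upgrade, 2 = ABI-compatible upgrade pending,
      # 3 = version upgrade pending, anything else = unknown.
      state = "unknown"
      if (ksta == 1) state = "current"
      else if (ksta == 2 || ksta == 3) state = "reboot-needed"
      printf "kernel: %s running=%s expected=%s\n", state, kcur, kexp
      for (i = 1; i <= c; i++) printf "service: %s\n", svc[i]
    }'
}

# Stand-alone run on the constructed sample.
sample_output | restart_plan
```

On a real host, pipe the command through the function instead of the sample: needrestart -b | restart_plan.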

Next steps

Related commands

Cybersecurity Triage
Risk: safe

Find Held Packages Blocking Patches

A held package can quietly keep a security update out of production.

apt-mark showhold | sed 's/^/held: /'

Cybersecurity Triage
Risk: safe

Check Whether Patches Require Reboot

Some security fixes are not complete until the host boots the new kernel or libraries.

test -f /var/run/reboot-required && printf 'reboot-required\n' && cat /var/run/reboot-required.pkgs

Cybersecurity Triage
Risk: safe

Prove a Package Candidate Is From Security

The package name is not enough; the candidate repository tells the patch story.

apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'

Cybersecurity Triage
Risk: safe

Dry-Run Unattended Security Upgrades

Unattended upgrades can explain what they would patch before they patch it.

unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'

Cybersecurity Triage
Risk: safe

Summarize sudo Commands by User

Privilege history is easier to review when users and commands are separated.

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.