Cybersecurity Triage
Risk: safe
Dry-Run Unattended Security Upgrades
You need to inspect what unattended-upgrades would select without installing packages.
Command
unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
Before you run this
Risk: safe. Do not run without --dry-run unless you intend to perform unattended package upgrades.
Expected output
A dry-run section listing packages that unattended-upgrades would upgrade.
System impact
Nothing changes. unattended-upgrade runs in dry-run mode and sed extracts the selected package summary.
Recovery / rollback: no state is changed.
When to use it
Use when checking automatic patch coverage, security origins, or why a package was not auto-selected.
When not to use it
Do not run without --dry-run unless you intend to perform unattended package upgrades.
Watch this command run
Example output from a temporary Linux lab
This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.
$ unattended-upgrade --dry-run --debug
Initial blacklist:
Initial whitelist:
Packages that will be upgraded: openssl curl
Checking: openssl ([<Origin component:'main' archive:'noble-security' origin:'Ubuntu' label:'Ubuntu'>])
Checking: curl ([<Origin component:'main' archive:'noble-updates' origin:'Ubuntu' label:'Ubuntu'>])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.
$ unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
Packages that will be upgraded: openssl curl
Checking: openssl ([<Origin component:'main' archive:'noble-security' origin:'Ubuntu' label:'Ubuntu'>])
Checking: curl ([<Origin component:'main' archive:'noble-updates' origin:'Ubuntu' label:'Ubuntu'>])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.
This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.
Lab setup steps
unattended-upgrade --dry-run --debug
unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
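To turn the dry-run output into a patch-coverage summary, the following added example (not part of the original page or of unattended-upgrades itself) labels each package by its origin archive. The function names sample_dryrun and classify_dryrun are hypothetical, and the line formats are assumed to match the sample transcript above.

```shell
#!/bin/sh
# Added example: label each package in unattended-upgrade dry-run debug output.
# Assumes the "Checking:" and "not allowed" line formats shown in this page's sample.

# Constructed sample input, copied from the lab transcript on this page.
sample_dryrun() {
    cat <<'EOF'
Initial blacklist:
Initial whitelist:
Packages that will be upgraded: openssl curl
Checking: openssl ([<Origin component:'main' archive:'noble-security' origin:'Ubuntu' label:'Ubuntu'>])
Checking: curl ([<Origin component:'main' archive:'noble-updates' origin:'Ubuntu' label:'Ubuntu'>])
Package nginx is not allowed to be upgraded unattended
Dry-run, no packages were installed.
EOF
}

# Reads debug output on stdin; prints "<kind> TAB <package> TAB <archives>".
# kind: security = at least one origin archive ends in -security
#       other    = selected, but no security archive among its origins
#       blocked  = reported as not allowed to be upgraded unattended
classify_dryrun() {
    awk -v q="'" '
    BEGIN { re = "archive:" q "[^" q "]*" q }
    /^Checking: / {
        pkg = $2; rest = $0; archives = ""; kind = "other"
        # A package can list several origins; collect every archive value.
        while (match(rest, re)) {
            a = substr(rest, RSTART + 9, RLENGTH - 10)
            archives = archives (archives == "" ? "" : ",") a
            if (a ~ /-security$/) kind = "security"
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (archives == "") archives = "unknown"
        printf "%s\t%s\t%s\n", kind, pkg, archives
        next
    }
    /^Package .* is not allowed to be upgraded unattended/ {
        printf "blocked\t%s\t-\n", $2
    }'
}

# Demo on the sample; on a real host use:
#   unattended-upgrade --dry-run --debug 2>&1 | classify_dryrun
sample_dryrun | classify_dryrun
```

Rows marked other are packages that would be auto-upgraded from a non-security archive, and rows marked blocked are the ones to check when a package was not auto-selected.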
Next steps
Related commands
Find Held Packages Blocking Patches
A held package can quietly keep a security update out of production.
apt-mark showhold | sed 's/^/held: /'
Review Kept-Back Packages Before Patching
Kept-back packages are where simple upgrade plans stop being simple.
apt-get -s upgrade | sed -n '/kept back:/,/^Inst/p'
Simulate Security Package Upgrades
Security patch triage starts by seeing what apt would change, without changing it.
apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'
Prove a Package Candidate Is From Security
The package name is not enough; the candidate repository tells the patch story.
apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'
Inspect Container Environment Names
Check what environment variables exist without printing their secret values.
docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' api | sed 's/=.*$/=<redacted>/'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.