
Cybersecurity Triage

Build a Recent Apt Patch Timeline

You need to prove what package changes happened recently and which command triggered them.

Command

awk '/^(Start-Date|Commandline|Upgrade|End-Date)/ {print}' /var/log/apt/history.log

What changed

Nothing changes on the system; awk only reads the log and filters it down to the fields useful for a patch timeline.

Danger

safe

When to use it

Use during incident response, audit follow-up, or post-maintenance validation.

When not to use it

Do not assume rotated logs are included; the command reads only the current history.log, so inspect the compressed history files (history.log.*.gz) if you need older activity.

Undo or recovery

No undo needed because the command is read-only.

Expected output

Start dates, command lines, upgrade rows, and end dates from apt history. Install, Remove and Purge rows do not match the pattern, so a run that only installed a package (like the nginx entry in the demo) shows no package line.


Disposable terminal steps

  1. cat /var/log/apt/history.log
  2. awk '/^(Start-Date|Commandline|Upgrade|End-Date)/ {print}' /var/log/apt/history.log
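The two steps above read one file and keep four line types. As an added example (not part of the lesson), the script below collapses each apt transaction into a single sorted row of date, command and package actions, keeps Install/Remove/Purge rows as well as Upgrade, and also reads rotated history.log.N.gz siblings (assuming logrotate's naming); the sample log is constructed here, not copied from a real host.

```shell
#!/bin/sh
# Added example: one row per apt transaction (date, command, package actions),
# sorted chronologically, from the live log plus any rotated history.log.N.gz
# siblings. Install/Remove/Purge rows are kept, unlike the single-pattern filter.
apt_timeline() {
  log="$1"
  {
    cat "$log"
    for gz in "$log".*.gz; do      # rotated copies (assumes logrotate's .N.gz naming)
      if [ -e "$gz" ]; then gzip -dc "$gz"; fi
    done
  } | awk '
    /^Start-Date:/  { start = $2 " " $3; cmd = ""; acts = "" }
    /^Commandline:/ { cmd = $0; sub(/^Commandline: /, "", cmd) }
    /^(Install|Upgrade|Remove|Purge):/ {
      act = $0; sub(/:/, "", act)                 # "Upgrade: x" -> "Upgrade x"
      acts = acts (acts == "" ? "" : "; ") act    # one run may both install and upgrade
    }
    /^End-Date:/    { printf "%s\t%s\t%s\n", start, cmd, acts }
  ' | sort
}

# Constructed sample in /var/log/apt/history.log format (not taken from a real host).
SAMPLE_LOG="${TMPDIR:-/tmp}/apt-history-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Start-Date: 2026-06-25  02:10:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.13-0ubuntu3.5, 3.0.13-0ubuntu3.6), curl:amd64 (8.5.0-2ubuntu10.6, 8.5.0-2ubuntu10.7)
End-Date: 2026-06-25  02:10:18

Start-Date: 2026-06-24  21:30:44
Commandline: apt-get -y install nginx
Requested-By: alice (1000)
Install: nginx:amd64 (1.24.0-2ubuntu7.3)
End-Date: 2026-06-24  21:30:59
EOF
# A rotated, compressed entry that the plain-file command in the lesson would miss.
printf '%s\n' 'Start-Date: 2026-06-23  03:12:04' 'Commandline: apt-get upgrade' \
  'Upgrade: libc6:amd64 (2.39-0ubuntu8.3, 2.39-0ubuntu8.4)' 'End-Date: 2026-06-23  03:14:39' \
  | gzip > "$SAMPLE_LOG.1.gz"

apt_timeline "$SAMPLE_LOG"
```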


What it looks like

$ cat /var/log/apt/history.log
Start-Date: 2026-06-25  02:10:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.13-0ubuntu3.5, 3.0.13-0ubuntu3.6), curl:amd64 (8.5.0-2ubuntu10.6, 8.5.0-2ubuntu10.7)
End-Date: 2026-06-25  02:10:18

Start-Date: 2026-06-24  21:30:44
Commandline: apt-get -y install nginx
Install: nginx:amd64 (1.24.0-2ubuntu7.3)
End-Date: 2026-06-24  21:30:59

Start-Date: 2026-06-23  03:12:04
Commandline: apt-get upgrade
Upgrade: libc6:amd64 (2.39-0ubuntu8.3, 2.39-0ubuntu8.4), linux-image-generic:amd64 (6.8.0-60.63, 6.8.0-63.66)
End-Date: 2026-06-23  03:14:39
$ awk '/^(Start-Date|Commandline|Upgrade|End-Date)/ {print}' /var/log/apt/history.log
Start-Date: 2026-06-25  02:10:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.13-0ubuntu3.5, 3.0.13-0ubuntu3.6), curl:amd64 (8.5.0-2ubuntu10.6, 8.5.0-2ubuntu10.7)
End-Date: 2026-06-25  02:10:18
Start-Date: 2026-06-24  21:30:44
Commandline: apt-get -y install nginx
End-Date: 2026-06-24  21:30:59
Start-Date: 2026-06-23  03:12:04
Commandline: apt-get upgrade
Upgrade: libc6:amd64 (2.39-0ubuntu8.3, 2.39-0ubuntu8.4), linux-image-generic:amd64 (6.8.0-60.63, 6.8.0-63.66)
End-Date: 2026-06-23  03:14:39

YouTube Short

Prove what apt changed.

When someone says the server was patched, apt history gives you timestamps, commands, and upgraded packages.

LinkedIn hook

Apt history turns patch claims into timestamps and package names.

Question: When validating patch work, do you check apt history or only current package versions?


A/B tests to run

Metric: copy_rate

A: Patch claims need timestamps.

B: Apt history shows what changed.