Cybersecurity Triage

Simulate Security Package Upgrades

You need to identify pending security updates on a Debian or Ubuntu host before a maintenance window.

Command

apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'

What changed

Nothing changes on the host. apt-get runs in simulation mode, so no package is downloaded or installed, and awk keeps only the Inst lines that mention a security pocket.

Danger

safe

When to use it

Use before patch windows, incident response, or compliance notes when you need a read-only security update list.

When not to use it

Do not treat simulation output as a completed patch; it only describes what apt would try to do.

Undo or recovery

No undo needed because the command is read-only simulation.

Expected output

Inst rows for packages whose candidate version comes from a security repository.

demo script

Disposable terminal steps

  1. apt-get -s upgrade
  2. apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'

simulated output

What it looks like

$ apt-get -s upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages have been kept back:
  app-agent linux-image-generic
The following packages will be upgraded:
  curl nginx openssl
3 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst curl [8.5.0-2ubuntu10.6] (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
Inst nginx [1.24.0-2ubuntu7.3] (1.24.0-2ubuntu7.4 Ubuntu:24.04/noble-updates [amd64])
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
Conf curl (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
Conf nginx (1.24.0-2ubuntu7.4 Ubuntu:24.04/noble-updates [amd64])
Conf openssl (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
$ apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
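The lesson's awk filter matches the word security anywhere in an Inst line, so a package whose name happens to contain "security" would be listed even when its candidate comes from the updates pocket. As an added example (not part of the lesson), the shell function below parses each Inst line and filters on the origin field instead, also handling a line with no current version and a candidate listed under several origins; the sample apt output and the package names libsecurity-tool and new-tool are constructed.

```shell
#!/bin/sh
# Added example, not from the lesson: parse "Inst" lines from apt-get -s upgrade
# and keep only installs whose candidate origin is a security pocket. Matching
# the origin field avoids false positives from package names containing "security".

# Constructed sample of apt-get -s upgrade output (not captured from a real host);
# libsecurity-tool and new-tool are made-up package names.
SAMPLE_APT_OUTPUT='Reading package lists... Done
Inst curl [8.5.0-2ubuntu10.6] (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
Inst libsecurity-tool [1.0-1] (1.0-2 Ubuntu:24.04/noble-updates [amd64])
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
Inst libssl3t64 [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security, Ubuntu:24.04/noble-updates [amd64])
Inst new-tool (1.0-1 Ubuntu:24.04/noble-security [amd64])
Conf openssl (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])'

# security_inst_lines: read apt-get -s output on stdin and print one line per
# security-origin install: "package current-version candidate-version origin".
security_inst_lines() {
  awk '
    /^Inst / {
      pkg = $2
      # Current version is "[ver]"; a brand-new package (dist-upgrade) has none.
      if ($3 ~ /^\[/) { cur = substr($3, 2, length($3) - 2) } else { cur = "-" }
      # Keep the parenthesised part: "candidate origin1, origin2 [arch])".
      s = $0
      sub(/^[^(]*\(/, "", s)
      sub(/ \[[^ ]*\)$/, "", s)
      cand = s; sub(/ .*/, "", cand)
      origins = s; sub(/^[^ ]+ /, "", origins)
      # An upgrade can list several origins; report the first security pocket.
      n = split(origins, o, /, */)
      for (i = 1; i <= n; i++) {
        if (o[i] ~ /-security$/) { print pkg, cur, cand, o[i]; break }
      }
    }'
}

# On a real host replace the sample with: apt-get -s upgrade | security_inst_lines
printf '%s\n' "$SAMPLE_APT_OUTPUT" | security_inst_lines
```

For the constructed sample this prints openssl, libssl3t64 and new-tool, and drops libsecurity-tool because its origin is noble-updates.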

YouTube Short

Preview security updates.

Before installing anything, simulate the upgrade and filter for security-origin package changes.

LinkedIn hook

Security patch triage starts by seeing what apt would change, without changing it.

Question: Do you capture apt simulation output before approving security patch windows?

experiments

A/B tests to run

Metric: save_rate

A: Simulate before patching.

B: What security updates would apt install?