Cybersecurity Triage
Find Services Needing Restart After Patches
After security packages are applied, you need to see which services still need restarts.
Command
needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'
What changed
Nothing changes. needrestart prints batch-mode restart findings and sed extracts service restart commands.
Danger
safe
When to use it
Use after OpenSSL, libc, kernel, or web stack updates to plan service restarts and reboot decisions.
When not to use it
Do not restart services blindly from this output; coordinate impact and maintenance windows.
Undo or recovery
No undo needed because this command only reports restart needs.
Expected output
systemctl restart commands for services that need to load patched libraries.
demo script
Disposable terminal steps
needrestart -b
needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'
simulated output
What it looks like
$ needrestart -b
NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service
::exit-code::0
$ needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'
systemctl restart nginx.service
systemctl restart ssh.service
::exit-code::0
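Added example (not part of the original card): a review-only parser that turns needrestart -b output into a restart plan covering both the reboot decision and the service list, without restarting anything. The function names restart_plan and sample_batch_output and the key=value output format are assumptions of this example; the sample input is constructed from the simulated output above.

```shell
#!/bin/sh
# Added example: build a restart plan from `needrestart -b` output.
# Nothing is restarted; restart_plan only reads stdin and prints a plan.

# Constructed sample, copied from the simulated output on this page.
sample_batch_output() {
cat <<'EOF'
NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-60-generic
NEEDRESTART-KEXP: 6.8.0-63-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: systemctl restart nginx.service
NEEDRESTART-SVC: systemctl restart ssh.service
EOF
}

# restart_plan: batch-mode lines on stdin, one "key=value" record per line out.
restart_plan() {
    awk '
    BEGIN { kcur = "?"; kexp = "?" }
    /^NEEDRESTART-KCUR: / { kcur = $2 }
    /^NEEDRESTART-KEXP: / { kexp = $2 }
    /^NEEDRESTART-KSTA: / { ksta = $2 }
    /^NEEDRESTART-SVC: /  {
        # Assumption: the unit name is the last field, so both a bare
        # "nginx.service" and "systemctl restart nginx.service" are handled.
        unit = $NF
        if (!(unit in seen)) { seen[unit] = 1; units[++n] = unit }
    }
    END {
        # KSTA: 0 unknown, 1 no pending upgrade, 2 ABI-compatible upgrade
        # pending, 3 version upgrade pending.
        if (ksta == 2 || ksta == 3) reboot = "yes"
        else if (ksta == 1)         reboot = "no"
        else                        reboot = "unknown"
        printf "reboot=%s running=%s expected=%s\n", reboot, kcur, kexp
        for (i = 1; i <= n; i++) printf "service=%s\n", units[i]
    }'
}

# Demo on the constructed sample; on a real host: needrestart -b | restart_plan
sample_batch_output | restart_plan
```

The plan is meant to be attached to a change ticket and reviewed; the restarts themselves stay a separate, scheduled step.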
YouTube Short
Patching is not always enough.
After library updates, running services may still hold old code. Use needrestart to plan the restart step.
LinkedIn hook
A patched library does not protect a process still using the old one.
Question: Do your patch windows track service restarts separately from package installation?
experiments
A/B tests to run
Metric: save_rate
A: Installed does not mean loaded.
B: Find services still using old libraries.