While apt-get upgrade shows all available updates, administrators often need to specifically identify security-related patches. Here are several CLI approaches:
The safest way to preview security updates without actually installing them:
apt-get -s upgrade | grep -i security
This will output lines like:
Inst linux-image-generic [4.15.0.76.78] (4.15.0.76.78 Ubuntu:18.04/bionic-security [amd64])
First verify your security sources are configured:
grep -r security /etc/apt/sources.list*
Typical output should include lines like:
deb http://security.ubuntu.com/ubuntu bionic-security main
The unattended-upgrades package maintains detailed logs of security updates:
grep "Packages that will be upgraded" /var/log/unattended-upgrades/unattended-upgrades.log
For more detailed security update information:
apt list --upgradable | grep -i security
To see which repository each update comes from:
apt-get -s upgrade -o Debug::pkgProblemResolver=yes | grep -A2 "upgrade "
Create a cron job to email security updates:
#!/bin/bash
apt-get update > /dev/null
UPDATES=$(apt-get -s upgrade | grep -i security)
if [ -n "$UPDATES" ]; then
echo "$UPDATES" | mail -s "Security Updates Available" admin@example.com
fi
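The grep -i security filter used in the commands and the cron script above also matches any package whose name merely contains the word "security", and it counts the Conf lines as well as the Inst lines. As an added example, not code from the original page, the following script parses the Inst lines of apt-get -s upgrade (or apt-get upgrade --just-print) and keeps only packages whose archive suite ends in -security. The apt-get output it runs on is a constructed sample, not captured from a real host; on a live system you would pipe the real simulation output into the same function.

```sh
#!/bin/sh
# Added example, not taken from the original page. Filters the "Inst" lines of
# `apt-get -s upgrade` on the archive (suite) field rather than grepping the
# whole line, so a package named like "libsecurity-..." from -updates is not
# mistaken for a security update.
#
# Reads apt-get simulation output on stdin and prints one line per security
# update: "<package> <old version> <new version> <origin(s)>".
list_security_updates() {
    awk '
        $1 == "Inst" {
            pkg = $2
            # Already-installed packages carry their current version as "[ver]".
            old = "-"
            if ($3 ~ /^\[/) old = substr($3, 2, length($3) - 2)
            # Everything after the opening "(" is: new-version origin[, origin...] [arch]) ...
            rest = $0
            sub(/^[^(]*\(/, "", rest)
            newver = rest;  sub(/ .*/, "", newver)
            origins = rest; sub(/^[^ ]+ /, "", origins); sub(/ \[.*/, "", origins)
            # Archive names look like Ubuntu:18.04/bionic-security or
            # Debian-Security:11/stable-security; test the suite after the "/".
            if (origins ~ /\/[^ ,]*-security/) print pkg, old, newver, origins
        }'
}

# Number of security updates in the same input (reuses the parser above).
count_security_updates() {
    list_security_updates | awk 'END { print NR }'
}

# Constructed sample of apt-get -s upgrade output (not captured from a real host):
# two plain security updates, one -updates package whose name contains "security",
# one package offered by both -updates and -security, and a Conf line.
SAMPLE_APT_OUTPUT='Inst linux-image-generic [4.15.0.76.78] (4.15.0.76.78 Ubuntu:18.04/bionic-security [amd64])
Inst libsecurity-example [1.0-1] (1.0-2 Ubuntu:18.04/bionic-updates [amd64])
Inst curl [7.58.0-2ubuntu3.14] (7.58.0-2ubuntu3.16 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64]) []
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])'

# Stand-alone demo on the constructed sample. On a live system run instead:
#   apt-get -s upgrade | list_security_updates
printf '%s\n' "$SAMPLE_APT_OUTPUT" | list_security_updates
printf '%s\n' "$SAMPLE_APT_OUTPUT" | count_security_updates
```

On the constructed sample the parser reports three security updates (linux-image-generic, curl and libssl1.1) and skips libsecurity-example, which a plain grep -i security would have counted. To use it in the cron script above, replace the grep with a pipe into list_security_updates and mail the result only when count_security_updates is non-zero.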
For more sophisticated monitoring:
- debsums: verify installed package files against MD5 checksums
- apticron: sends daily emails about pending updates
- needrestart: checks which services need restarting after updates
For system administrators and developers working with Debian/Ubuntu servers, identifying security updates separately from regular package updates is crucial for maintaining system security. Here's how to achieve this through the command line.
While apt-get upgrade shows all available updates, it doesn't distinguish between security and non-security updates. This can be problematic when you need to prioritize critical security patches.
You can simulate an upgrade while filtering for security updates:
sudo apt-get update
apt-get upgrade --just-print | grep -i security
This will display packages with security updates that would be installed during an upgrade.
For a more detailed view, aptitude provides security update information:
sudo aptitude update
aptitude search '~U ~ODebian-Security'
For Ubuntu systems, replace with:
aptitude search '~U ~Oubuntu-security'
The /usr/lib/update-notifier/apt-check utility provides security update counts:
/usr/lib/update-notifier/apt-check --human-readable
Output example:
3 packages can be updated. 2 updates are security updates.
The unattended-upgrades package maintains logs of applied security updates:
grep "Security upgrades" /var/log/unattended-upgrades/unattended-upgrades.log
For regular monitoring, create a script:
#!/bin/bash
apt-get update > /dev/null
SEC_UPDATES=$(apt-get upgrade --just-print | grep -i security | wc -l)
echo "$SEC_UPDATES security updates available"
Make it executable and add to cron:
chmod +x /usr/local/bin/check-sec-updates
(crontab -l ; echo "0 12 * * * /usr/local/bin/check-sec-updates") | crontab -
Ensure your system is configured to receive security updates by checking repositories:
grep -r "security" /etc/apt/sources.list*
Typical security repositories include:
deb http://security.debian.org/debian-security bullseye-security main
deb http://security.ubuntu.com/ubuntu focal-security main
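Grepping /etc/apt/sources.list* for "security", as shown here and in the first part of the page, also matches lines that have been commented out, so a hit does not prove the security archive is actually enabled. As an added example, not code from the original page, the script below parses apt source definitions and reports only the suites that are really enabled, then checks whether the <codename>-security suite is among them. It understands the one-line deb format shown on this page and, going beyond the page, the deb822 .sources format with its Enabled: field. The sources text it runs on is a constructed sample, not taken from a real host.

```sh
#!/bin/sh
# Added example, not taken from the original page. Lists the suites that are
# actually enabled in apt source definitions read from stdin: comment lines are
# skipped, one-line "deb [options] URI suite components" entries are parsed, and
# deb822 stanzas contribute their "Suites:" unless the stanza says "Enabled: no".
enabled_suites() {
    awk '
        function flush(k) {
            if (enabled != "no") for (k = 1; k <= n; k++) print st[k]
            n = 0; enabled = ""
        }
        /^[ \t]*#/ { next }                      # comment in either format
        /^[ \t]*$/ { flush(); next }             # blank line ends a deb822 stanza
        $1 == "deb" || $1 == "deb-src" {         # one-line format
            i = 2
            # skip an optional "[arch=amd64 signed-by=...]" option group
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            print $(i + 1); next                  # field after the URI is the suite
        }
        $1 == "Suites:"  { for (j = 2; j <= NF; j++) st[++n] = $j; next }
        $1 == "Enabled:" { enabled = tolower($2); next }
        END { flush() }
    '
}

# Exit 0 if "<codename>-security" is an enabled suite in the sources on stdin.
has_security_suite() {
    enabled_suites | grep -qx "$1-security"
}

# Constructed sample (not from a real host): a commented-out focal-security line,
# a real focal-security line, and a deb822 stanza for bookworm-security that is
# present but disabled.
SAMPLE_SOURCES='# deb http://security.ubuntu.com/ubuntu focal-security main
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64] http://archive.ubuntu.com/ubuntu focal-updates main restricted
deb http://security.ubuntu.com/ubuntu focal-security main restricted

Types: deb
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Enabled: no'

# Stand-alone demo on the constructed sample. On a live system feed the real
# files and the running release codename instead, for example:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
#       /etc/apt/sources.list.d/*.sources 2>/dev/null \
#     | has_security_suite "$(. /etc/os-release; echo "$VERSION_CODENAME")"
printf '%s\n' "$SAMPLE_SOURCES" | enabled_suites
for codename in focal bookworm; do
    if printf '%s\n' "$SAMPLE_SOURCES" | has_security_suite "$codename"; then
        echo "$codename-security: enabled"
    else
        echo "$codename-security: NOT enabled"
    fi
done
```

On the sample the enabled suites are focal, focal-updates and focal-security; bookworm-security is reported as not enabled even though the string appears in the sources, which is exactly the case a plain grep gets wrong.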
- Always test security updates in staging before production
- Maintain a change log of applied security patches
- Consider using apt-get upgrade --only-upgrade for security fixes
- Monitor the Debian Security Advisory (DSA) or Ubuntu Security Notice (USN) mailing lists