With updates going on in the last couple of months for various packages, such as OpenSSL and GLibC which have fixed a number of important security vulnerabilities, I thought I might share a one liner that might save you one day.

sudo lsof -n | grep -v \#prelink\# | grep -e '\.so' | grep -e DEL | grep -e lib | grep -v ^init | sed -re 's|^([^0-9]*)\s*([0-9]*)[^/]*(\/.*)$|\1 (\2) \3|' | sort -u

Running lsof will list all of the currently opened files from processes running on your system. -n will stop lsof from resolving hostnames for processes that have opened network ports to different processes (such as your webserver, mail server etc)

Running grep a couple of times will ensure that we find all the processes that have loaded a shared binary that has been deleted.

Note that the “init” process has been excluded. This is done on purpose. init can not be restarted without rebooting or otherwise killing the system.

The sed magic will show a list of all the processes and their PID’s, along with the library that was deleted that triggered it being listed as an application that should be restarted.

tim@srv215.production [~]# REGEX='^([^0-9]*)\s*([0-9]*)[^/]*(\/.*)$|\1 (\2) \3' tim@srv215.production [~]# sudo lsof -n | grep -v \#prelink\# \ | grep -e '\.so' | grep -e DEL | grep -e lib \ | grep -v ^init \ | sed -re "s|$REXEG|" | sort -u auditd (1802) /lib64/ld-2.12.so auditd (1802) /lib64/libc-2.12.so auditd (1802) /lib64/libm-2.12.so auditd (1802) /lib64/libnsl-2.12.so auditd (1802) /lib64/libnss_files-2.12.so auditd (1802) /lib64/libpthread-2.12.so auditd (1802) /lib64/librt-2.12.so