25

Let me start by saying I have been forbidden to enable automatic updates on our Ubuntu servers, for both security and regular packages.

When I log into any of my four Ubuntu servers, the welcome message contains this:

39 packages can be updated.
26 updates are security updates.

However, when I run the Nagios plugin that monitors APT, I get:

% /usr/lib/nagios/plugins/check_apt
APT WARNING: 33 packages available for upgrade (0 critical updates).

I need to know how to properly detect that there are pending security updates, and regular updates. Once I can do that, I plan to write a Nagios script that will return WARNING for pending regular updates, and CRITICAL for pending security updates.

Anyone know how to detect those two conditions?

Mak Kolybabi
  • 895
  • 2
  • 8
  • 13

4 Answers4

31

Turns out that the number of pending regular updates can be found using:

/usr/lib/update-notifier/apt-check 2>&1 | cut -d ';' -f 1

And the number of pending security updates can be found using:

/usr/lib/update-notifier/apt-check 2>&1 | cut -d ';' -f 2

In the end, my Nagios plugin was as follows:

#!/bin/sh
#
# Standard Nagios plugin return codes.
STATUS_OK=0
STATUS_WARNING=1
STATUS_CRITICAL=2
STATUS_UNKNOWN=3

# Query pending updates.
updates=$(/usr/lib/update-notifier/apt-check 2>&1)
if [ $? -ne 0 ]; then
    echo "Querying pending updates failed."
    exit $STATUS_UNKNOWN
fi

# Check for the case where there are no updates.
if [ "$updates" = "0;0" ]; then
    echo "All packages are up-to-date."
    exit $STATUS_OK
fi

# Check for pending security updates.
pending=$(echo "${updates}" | cut -d ";" -f 2)
if [ "$pending" != "0" ]; then
    echo "${pending} security update(s) pending."
    exit $STATUS_CRITICAL
fi

# Check for pending non-security updates.
pending=$(echo "${updates}" | cut -d ";" -f 1)
if [ "$pending" != "0" ]; then
    echo "${pending} non-security update(s) pending."
    exit $STATUS_WARNING
fi

# If we've gotten here, we did something wrong since our "0;0" check should have
# matched at the very least.
echo "Script failed, manual intervention required."
exit $STATUS_UNKNOWN
Community
  • 1
Mak Kolybabi
  • 895
  • 2
  • 8
  • 13
12

The Nagios plugin /usr/lib/nagios/plugins/check_apt does not detect critical updates in Ubuntu correctly due how it detects critical updates via apt combined with how Ubuntu non-critical updates are published. More details are in the bug here: https://bugs.launchpad.net/bugs/1031680

Using /usr/lib/update-notifier/apt-check instead is a reliable workaround.

Robie Basak
  • 236
  • 3
  • 5
1

Why not simply using the apt-get command?:

apt-get -s dist-upgrade | grep "^Inst" | grep -i security | wc -l
Matías
  • 241
  • 2
  • 4
  • 2
    This hack will not reliably distinguish between security and non-security updates. For example, on Ubuntu, security updates are also published to the updates pocket. If the updates pocket is listed first in `sources.list`, your suggestion will lead to missing security update notifications. apt will choose to download them from the updates pocket instead, and so your grep will miss them. – Robie Basak Jan 25 '16 at 01:04
  • The problem identified by @RobieBasak can be corrected as per my answer at https://serverfault.com/a/856769/134053 – mc0e Jun 20 '17 at 13:13
0

Once Nagios has reported you have security updates, this is how you get a list of which ones are needed.

grep security /etc/apt/sources.list > /tmp/security.list
sudo apt-get upgrade -oDir::Etc::Sourcelist=/tmp/security.list -s

You could also use these commands piped into wc -l to give you a count, but the answers above are probably more efficient and appropriate for a Nagios script.

flickerfly
  • 971
  • 10
  • 14