Check number of pending security updates in Ubuntu

linux ubuntu bash shell nagios

24,153

Solution 1

The Nagios plugin /usr/lib/nagios/plugins/check_apt does not detect critical updates in Ubuntu correctly due how it detects critical updates via apt combined with how Ubuntu non-critical updates are published. More details are in the bug here: https://bugs.launchpad.net/bugs/1031680

Using /usr/lib/update-notifier/apt-check instead is a reliable workaround.

Solution 2

Turns out that the number of pending regular updates can be found using:

/usr/lib/update-notifier/apt-check 2>&1 | cut -d ';' -f 1

And the number of pending security updates can be found using:

/usr/lib/update-notifier/apt-check 2>&1 | cut -d ';' -f 2

In the end, my Nagios plugin was as follows:

#!/bin/sh
#
# Standard Nagios plugin return codes.
STATUS_OK=0
STATUS_WARNING=1
STATUS_CRITICAL=2
STATUS_UNKNOWN=3

# Query pending updates.
updates=$(/usr/lib/update-notifier/apt-check 2>&1)
if [ $? -ne 0 ]; then
    echo "Querying pending updates failed."
    exit $STATUS_UNKNOWN
fi

# Check for the case where there are no updates.
if [ "$updates" = "0;0" ]; then
    echo "All packages are up-to-date."
    exit $STATUS_OK
fi

# Check for pending security updates.
pending=$(echo "${updates}" | cut -d ";" -f 2)
if [ "$pending" != "0" ]; then
    echo "${pending} security update(s) pending."
    exit $STATUS_CRITICAL
fi

# Check for pending non-security updates.
pending=$(echo "${updates}" | cut -d ";" -f 1)
if [ "$pending" != "0" ]; then
    echo "${pending} non-security update(s) pending."
    exit $STATUS_WARNING
fi

# If we've gotten here, we did something wrong since our "0;0" check should have
# matched at the very least.
echo "Script failed, manual intervention required."
exit $STATUS_UNKNOWN

Solution 3

Why not simply using the apt-get command?:

apt-get -s dist-upgrade | grep "^Inst" | grep -i security | wc -l

24,153

Mak Kolybabi

Updated on September 17, 2022

Comments

Mak Kolybabi over 1 year
Let me start by saying I have been forbidden to enable automatic updates on our Ubuntu servers, for both security and regular packages.

When I log into any of my four Ubuntu servers, the welcome message contains this:
```
39 packages can be updated.
26 updates are security updates.
```
However, when I run the Nagios plugin that monitors APT, I get:
```
% /usr/lib/nagios/plugins/check_apt
APT WARNING: 33 packages available for upgrade (0 critical updates). 
```
I need to know how to properly detect that there are pending security updates, and regular updates. Once I can do that, I plan to write a Nagios script that will return WARNING for pending regular updates, and CRITICAL for pending security updates.

Anyone know how to detect those two conditions?
Robie Basak over 8 years

This hack will not reliably distinguish between security and non-security updates. For example, on Ubuntu, security updates are also published to the updates pocket. If the updates pocket is listed first in sources.list, your suggestion will lead to missing security update notifications. apt will choose to download them from the updates pocket instead, and so your grep will miss them.
mc0e almost 7 years

The problem identified by @RobieBasak can be corrected as per my answer at serverfault.com/a/856769/134053
Travis van der Font almost 7 years

Is "-oDir" a typo ?!