Nagios Check for Critical Updates

If you are tired of scanning all kinds of CERT advisories in your mailbox and you are running a nice Debian-based landscape using mostly package-based software, you should consider using check_apt from the Nagios plugins.

Just run check_apt: it checks for available updates and turns CRITICAL if security updates are available. For Debian and Ubuntu, the default pattern for security-related updates will do fine.

It’s a good idea to set up a cron job that updates the package database, like this:

30 */12 * * * root /usr/bin/apt-get -qq update

You can also let check_apt do this, but leaving it to cron removes the need for privileged access, which is a constraint under the runtime restrictions of NRPE and SNMP. The check itself performs a fake (simulated) upgrade, which non-privileged users are also allowed to run.

An option for the all-in-one call is sudo.

By the way, my APT service checks on Debian-based hosts are normally set up with lower frequency (normal_check_interval, retry_check_interval, notification_interval). It should work as a useful notification during daylight, but I don’t want to wake up in the middle of the night triggered by a check_apt.

Update for Ubuntu

Most probably you will have to re-order /etc/apt/sources.list in a standard Ubuntu installation so that the references to the security repositories come first.

Ubuntu will put critical updates in all repos, and the first match will determine the response level of the Nagios check.

So, if the non-security repo is included on top, the check will just go into WARNING instead of CRITICAL, even though the package is also located in a repo matching the security pattern.
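
A small lint for the ordering problem described above, as an added example that is not part of the original post: it reports whether every security entry in a sources.list file precedes the non-security ones. The function name check_sources_order, its return codes and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_sources_order FILE  (hypothetical helper name)
#   returns 0: every security entry precedes all other "deb" entries
#   returns 1: a security entry appears after a non-security entry
#   returns 2: no security entry found at all
check_sources_order() {
    awk '
        $1 != "deb" { next }          # skip comments, blank lines, deb-src
        {
            i = 2
            # skip an optional [option=value ...] block before the URI
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            # Ubuntu uses <release>-security; Debian uses a security host
            if (suite ~ /-security$/ || uri ~ /security/) {
                seen_sec = 1
                if (seen_other) late = 1
            } else {
                seen_other = 1
            }
        }
        END {
            if (!seen_sec) exit 2
            exit (late ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: an Ubuntu-style list with the security suite last.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real host
deb http://archive.ubuntu.com/ubuntu trusty main restricted
deb http://archive.ubuntu.com/ubuntu trusty-updates main restricted
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
EOF
rc=0
check_sources_order "$sample" || rc=$?
echo "order check returned $rc (1 means security entries are listed too late)"
rm -f "$sample"
```

Run against /etc/apt/sources.list on each Ubuntu host, a return code of 1 marks the hosts where check_apt would report WARNING instead of CRITICAL for the reason given above.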