Tech Tip: Monitoring Critical Debian and Ubuntu Updates With Nagios

This month Tony Yarusso, a member of the Nagios Technical Team, shares his tips on how to monitor critical updates for Debian and Ubuntu with Nagios.

With any operating system, staying up to date with patches and updates is a critical piece of security. Additionally, non-security updates may fix bugs that affect your organization’s users. As such, it can be very handy for a system administrator to be notified automatically when such updates are available, rather than having to check for them manually all the time. Thankfully, it is possible for Nagios to take care of this in some environments, including the Debian and Ubuntu Linux distributions.

In Debian and Ubuntu (and derivatives), all software on the system is already tracked by the APT package manager, which in turn connects to online repositories for all of the system packages. Thus, to make Nagios track available updates it merely needs to check the status of APT. This can be done for instance with the following Nagios plugin:

check_debian_packages:
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/check-debian-packages/details

This plugin (written in Perl) calls apt-get in simulation-only mode (apt-get -s upgrade), which allows it to find out which packages would be upgraded if an upgrade were to be run, and then return the number, source, and names of those to Nagios. It does not refresh the APT database to download new information about available packages from the sources, nor actually perform the upgrade – it only checks the status of the APT database against your system. The former should be performed by cron on a daily basis, and is set up to do so out of the box on both distributions. The latter should be performed manually by the system administrator after being notified that updates are available.

The plugin will set the notification status level according to the source of the package updates available. If there are security updates available, it will set the status to Critical. All other update types return a Warning. While there are a handful of other plugins available with similar functionality, the author liked this one because of this distinction.

It should be noted that while the plugin’s download page in the Exchange states that it needs sudo access, this is not actually the case. Since the plugin runs apt-get only in simulation mode, the privileges that would normally be needed are not required. Additionally, the plugin is written with Debian in mind. While the basic functionality is the same for Ubuntu, their repository naming scheme is slightly different, so you will want to apply the patch linked below for use on Ubuntu systems.

Get the Ubuntu patch at http://exchange.nagios.org/directory/Plugins/Operating-Systems/Linux/check_ubuntu_packages-2Epatch/details
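
As an added illustration (not the check_debian_packages plugin's own Perl code, nor part of the Ubuntu patch), the following Python example implements the classification described above: it parses the `Inst` lines of `apt-get -s upgrade` and returns Critical when a security source is involved, Warning otherwise. The sample output is constructed, and treating any origin that contains "security" as a security source is an assumption meant to cover both the Debian and the Ubuntu repository naming.

```python
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Simulated upgrades print: Inst <pkg> [<old>] (<new> <origin>[, <origin>...] [<arch>])
INST_RE = re.compile(r"^Inst (\S+) (?:\[[^\]]*\] )?\((\S+) (.*?)(?: \[[^\]]*\])?\)")

# Constructed sample output (not from a real host); run with --sample to use it.
SAMPLE = """\
Inst libssl1.1 [1.1.0f-3] (1.1.0f-3+deb9u1 Debian-Security:9/stable [amd64])
Inst tzdata [2017b-1] (2017c-0+deb9u1 Debian:9.3/stable [all])
Inst openssl [1.1.0g-2ubuntu4] (1.1.0g-2ubuntu4.1 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64])
Conf libssl1.1 (1.1.0f-3+deb9u1 Debian-Security:9/stable [amd64])
"""

def classify(apt_output):
    """Return (exit_code, status_line) for simulated-upgrade output."""
    security, other = [], []
    for line in apt_output.splitlines():
        m = INST_RE.match(line)
        if m:  # only Inst lines count; Conf and summary lines are ignored
            pkg, origins = m.group(1), m.group(3)
            # Assumption: "security" in an origin (Debian-Security, Ubuntu *-security)
            (security if "security" in origins.lower() else other).append(pkg)
    if security:
        return CRITICAL, "CRITICAL - %d security update(s): %s; %d other" % (
            len(security), " ".join(security), len(other))
    if other:
        return WARNING, "WARNING - %d update(s): %s" % (len(other), " ".join(other))
    return OK, "OK - no pending updates"

def main(argv):
    if "--sample" in argv:
        out = SAMPLE
    else:
        try:  # simulation only: nothing is installed, no root needed
            out = subprocess.run(["apt-get", "-s", "upgrade"], capture_output=True,
                                 text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError) as exc:
            print("UNKNOWN - apt-get failed: %s" % exc)
            return UNKNOWN
    code, msg = classify(out)
    print(msg)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Like the plugin, this reads only the local APT database, so its result is only as fresh as the last daily `apt-get update` run by cron.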