check_apt does not correctly report pending security updates as critical, as it is designed to do.
https://launchpad.net/bugs/1031680

The problem is the fundamental way it's designed. I reported this to upstream and they said the following:

> I agree with your stance on parsing apt-get output, and I'd love to see a replacement that does the job using an APT API. I'm less keen on having the behaviour depend on whether or not some tool is available, though; as that's problematic with respect to maintenance and support. And I guess update-notifier is a bit too Ubuntu-ish to add a hard dependency on apt-check ...

There's a suitable replacement written by Simon Déziel here:

https://github.com/simondeziel/custom-nagios-plugins/blob/master/plugins/check_apt_upgrade

Here are some thoughts on fixing this properly:

1) We (Ubuntu Server) recommend against using the existing nagios-plugins check_apt for security purposes, since it will not report security updates as critical correctly.

2) We (Ubuntu Server) recommend use of /usr/lib/update-notifier/apt-check (provided by the update-notifier-common package) as a reliable way of getting the required information. This is because update-manager uses it too (AFAIK), so it should be better maintained in Ubuntu.

3) Perhaps we should adopt Simon Déziel's plugin, which uses /usr/lib/update-notifier/apt-check, in a delta of nagios-plugins and call it check_ubuntu_apt or something. He's licensed it under the ISC Licence, which AIUI is DFSG compliant, so this shouldn't be a problem. nagios-plugins can depend on update-notifier-common. update-notifier-common appears in the server task already, so this shouldn't be a problem.

4) If we do adopt Simon Déziel's plugin, then we can recommend that upstream adopt it too, or try and get them to do it first so we don't even need a delta.

5) Given that we know that check_apt is bad to use in Ubuntu, perhaps we can deprecate it further by modifying it to provide a deprecation warning result in all cases, and then removing it altogether in a future delta to nagios-plugins. This is to protect Ubuntu users who mistakenly use it in the belief that it will alert them of security updates, when it will not necessarily do that correctly. The warning would provide information on using check_ubuntu_apt instead. Users who wish to override this may always pull in the upstream check_apt into /usr/local.

An alternate approach for this might be to get upstream to check for Ubuntu and issue the deprecation warning there instead, and perhaps eventually make it always return a critical failure.

What do you think? How far down my list should we go?

Robie

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
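A minimal check along the lines of points 2 and 3 above, added here as an example: it is not Robie's proposal text, not Simon Déziel's check_apt_upgrade, and not code shipped by nagios-plugins. It asks /usr/lib/update-notifier/apt-check for the counts and maps them to Nagios states, with pending security updates always CRITICAL. It assumes apt-check prints "<updates>;<security>" on stderr (the format the Ubuntu tool uses); the file name check_ubuntu_apt is the name the mail proposes, and the split into a parsing function and a live-check function is this example's own design.

```shell
#!/bin/sh
# Added example (not the mail's or Simon Déziel's code): a minimal Nagios-style
# check built on update-notifier's apt-check instead of parsing apt-get output.
# Assumption: apt-check writes "<updates>;<security>" to stderr, as the Ubuntu
# tool does; everything else here is this example's own design.

APT_CHECK=/usr/lib/update-notifier/apt-check

# Nagios plugin return codes.
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# is_uint STRING: true only for a non-empty run of ASCII digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# classify_counts "<updates>;<security>"
# Prints "<code> <message>|<perfdata>" and always returns 0, so callers can
# capture it with $(...) under set -e. Pending security updates are CRITICAL
# no matter how few; only regular updates is WARNING; nothing pending is OK;
# anything that is not two integers separated by ';' is UNKNOWN (never OK).
classify_counts() {
    raw=$1
    case "$raw" in
        *';'*) updates=${raw%%;*}; security=${raw#*;} ;;
        *) updates=''; security='' ;;
    esac
    if ! is_uint "$updates" || ! is_uint "$security"; then
        echo "$UNKNOWN UNKNOWN: unparseable apt-check output: '$raw'"
    elif [ "$security" -gt 0 ]; then
        echo "$CRITICAL CRITICAL: $security security update(s) pending ($updates update(s) in total)|updates=$updates security=$security"
    elif [ "$updates" -gt 0 ]; then
        echo "$WARNING WARNING: $updates update(s) pending, none flagged as security|updates=$updates security=$security"
    else
        echo "$OK OK: no pending updates|updates=0 security=0"
    fi
}

# check_ubuntu_apt: run apt-check, map its counts to a Nagios result,
# print the message and return the Nagios code.
check_ubuntu_apt() {
    if [ ! -x "$APT_CHECK" ]; then
        echo "UNKNOWN: $APT_CHECK not executable (install update-notifier-common)"
        return "$UNKNOWN"
    fi
    # apt-check reports on stderr; capture that and discard its stdout.
    if ! counts=$("$APT_CHECK" 2>&1 >/dev/null); then
        echo "UNKNOWN: $APT_CHECK failed: $counts"
        return "$UNKNOWN"
    fi
    result=$(classify_counts "$counts")
    echo "${result#* }"
    return "${result%% *}"
}

# Run the live check only when invoked as the plugin itself; when sourced
# under another name (e.g. for testing), just define the functions.
case "${0##*/}" in
    check_ubuntu_apt) check_ubuntu_apt; exit "$?" ;;
esac
```

Save it as check_ubuntu_apt, make it executable, and run it on an Ubuntu host with update-notifier-common installed; the part before the `|` is the status line Nagios shows and the part after is perfdata for graphing. The one deliberate choice worth noting is that anything apt-check prints which does not parse as two integers comes back as UNKNOWN rather than OK: the failure mode the mail is worried about is a check that looks healthy while security updates are pending, so a tool that is missing, broken or changes its output format must never be reported as OK.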
