check_apt always report 0 critical updates

Reproduced on precise:

ubuntu@precise-test:~$ /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
12 updates are security updates.
ubuntu@precise-test:~$ /usr/lib/nagios/plugins/check_apt
APT WARNING: 14 packages available for upgrade (0 critical updates).
ubuntu@precise-test:~$

Checking Quantal is a bit more involved, since there won't be any "critical" updates for Quantal until after it is released.

It looks like this is due to how check_apt is checking for "critical" updates. Since Ubuntu publishes security updates in both the -updates and -security pockets, it only works if the security pocket is listed first in sources.list.

Workaround: move the security lines in /etc/apt/sources.list to the top.

Now I get:

ubuntu@precise-test:~$ /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
12 updates are security updates.
ubuntu@precise-test:~$ /usr/lib/nagios/plugins/check_apt
APT CRITICAL: 14 packages available for upgrade (9 critical updates).

Not an exact match, but better. This is probably due to how exactly check_apt is checking apt-get's output.

It seems suboptimal to me. Now that /usr/lib/update-notifier/apt-check exists, check_apt could use it instead. But this would be a fundamental change in how check_apt works, so this should probably be sent for discussion upstream.

Changing to Importance: Medium as a workaround is available.

It turns out that somebody has already arranged a better workaround for Nagios here: http://superuser.com/q/199869/97683

Another workaround is to reorder sources.list to have -security before -updates like this:

$ cat /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ precise main universe
deb http://archive.ubuntu.com/ubuntu/ precise-security main universe
deb http://archive.ubuntu.com/ubuntu/ precise-updates main universe

$ /usr/lib/nagios/plugins/check_apt -d
APT CRITICAL: 5 packages available for dist-upgrade (4 critical updates).

I also can confirm both this bug and Robie's explanation for it. Additionally, I attached a copy of a potential replacement check plugin to Bug #1167621 along with some changes needed to update-notifier in order for that to work.

not knowing about security updates are a security issue; changed the but type

I've reported this upstream, since I don't see that this bug will get fixed any other way: https://sourceforge.net/tracker/?func=detail&aid=3614595&group_id=29880&atid=397597

I'm dubious about calling this a security vulnerability. I can see your logic, but this bug's root cause is the fundamental design of check_apt (fragile apt-get simulation parsing) causing it to not work for security purposes at all. I'd love to see this fixed, but it might be better to just write an entirely separate plugin based on calling /usr/lib/update-notifier/apt-check instead. In that case, it might be better to just say that check_apt is unsuitable for detecting security updates on Ubuntu, and what you really have is a wishlist bug for a different plugin that *is* capable of it. Since /usr/lib/update-notifier/apt-check is machine readable, such an alternative plugin could be about five lines of shell. I have asked if such a contribution would be welcome in the upstream bug.

Anyway, how to classify this bug isn't really going to change anything. I have asked upstream for comments on a suitable fix. A working interface to get the required information is available. We can follow whatever they decide to do.

I too needed to know when security packages were available so I cooked my own (*) wrapper around /usr/lib/update-notifier/apt-check. It works well and also provides perf_data for those who'd like to visualize the package availability.

*: https://github.com/simondeziel/custom-nagios-plugins/blob/master/plugins/check_apt_upgrade

Sorry guys .. this ist _NOT_ a security issue (at least no one of nagios-plugins).

Opening a but upstream might a good idea, but upstream doesn't work on debian systems. So it's up to you guys to present (useful and senseful) patches which might be adopted upstream.

If anybody want to rely on apt-check, you should spin off a separate plugin and try to incorporate that into the nagios-plugins-contrib package! Anyways ... nagios-plugins-contrib also provides check_packages, maybe you give it a go.

Cheers, Jan (with Debian Nagios-Plugins Maintainers hat on).

It's not a security issue, per se, just closely related. It is indeed bug on ubuntu system and it is ubuntu specific in some ways. We should provide improved checks by default, and if possible, in an unstreamable way. I have targeted this bug for saucy, such that hopefully this can be resolved this cycle.

I've made some suggestions here:

https://lists.ubuntu.com/archives/ubuntu-server/2013-July/006675.html

Reading cyco's comment, I suppose another route would be to get Simon's plugin into nagios-plugins-contrib?

Also an option is to port check_apt to use libapt-pkg[1]. This has the advantage that libapt-pkg is providing a stable api and we don't need to parse output of apt-get/aptitude.

The easiest way to get changes into upstream is to send pull requests[2].

[1] http://packages.debian.org/wheezy/libapt-pkg4.12
[2] https://github.com/nagios-plugins/nagios-plugins

Dropping Saucy target, as I don't think it's realistic.

Anyways ... please fill pull requests over there in https://github.com/monitoring-plugins/monitoring-plugins, the upstream has changed it's name.

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

If after 5 years this plugin still hasn't been fixed such that it can fulfil its primary function, then perhaps it's time to remove it from ubuntu's repositories?

nagios-plugins has in fact not been present in a release since Vivid.

I think the problematic check_apt is now shipped by monitoring-plugins(-basic) that replaced nagios-plugins. For those interested, I'm still maintaining a working check_apt_upgrade [1]. I'm also about to package it along with some other checks in a PPA.

1: https://github.com/simondeziel/monitoring-plugins-sdeziel.info/blob/master/plugins/check_apt_upgrade

I just tested on a Xenial VM and check_apt (monitoring-plugins) doesn't count the same way as apt-check (update-notifier-common):

# /usr/lib/nagios/plugins/check_apt
APT CRITICAL: 15 packages available for upgrade (4 critical updates). |available_upgrades=15;;;0 critical_updates=4;;;0

# /usr/lib/update-notifier/apt-check --human-readable
17 packages can be updated.
5 updates are security updates.

The pending list looks like that:

The following NEW packages will be installed:
   linux-image-4.4.0-77-generic (4.4.0-77.98)
The following packages will be upgraded:
   apt (1.2.19 => 1.2.20)
   apt-utils (1.2.19 => 1.2.20)
   distro-info-data (0.28ubuntu0.2 => 0.28ubuntu0.3)
   dpkg (1.18.4ubuntu1.1 => 1.18.4ubuntu1.2)
   libapt-inst2.0 (1.2.19 => 1.2.20)
   libapt-pkg5.0 (1.2.19 => 1.2.20)
   libdns-export162 (1:9.10.3.dfsg.P4-8ubuntu1.5 => 1:9.10.3.dfsg.P4-8ubuntu1.6)
   libfreetype6 (2.6.1-0.1ubuntu2.1 => 2.6.1-0.1ubuntu2.2)
   libisc-export160 (1:9.10.3.dfsg.P4-8ubuntu1.5 => 1:9.10.3.dfsg.P4-8ubuntu1.6)
   libpam-systemd (229-4ubuntu16 => 229-4ubuntu17)
   libsystemd0 (229-4ubuntu16 => 229-4ubuntu17)
   libudev1 (229-4ubuntu16 => 229-4ubuntu17)
   linux-image-virtual (4.4.0.72.78 => 4.4.0.77.83)
   systemd (229-4ubuntu16 => 229-4ubuntu17)
   systemd-sysv (229-4ubuntu16 => 229-4ubuntu17)
   udev (229-4ubuntu16 => 229-4ubuntu17)

So I'd guess that check_apt doesn't count the new kernel to be installed as being critical.

@mc0e, from the above output, it seems that check_apt/monitoring-plugins is working at least in Xenial and newer.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release