Monitor operating system updates

Ever had one of those days? You just arrived at work, haven’t yet had your first coffee, and some customers are calling or maybe your boss is standing in your office, asking you about the newest published security issues in e.g. kernel modules, OpenSSH, OpenSSL… whatever… certainly the question if and maybe why we are still affected by this bug is in sight. And maybe why you don’t know about it yet… You definitely don’t like days like this :slight_smile:

So this is an approach to prepare you for such situations.

Update Monitor

First of all, you need this bash script in /etc/cron.hourly/check-for-updates.
In this state it only supports Debian operating systems. Feel free to add other versions.

 #!/bin/bash
 APTCHECK=`/usr/lib/update-notifier/apt-check 2>&1`
 if [ "$APTCHECK" == "0;0" ] ; then
   echo 0 > /var/tmp/updatestatus.txt
   exit 0
 fi
 echo 1 > /var/tmp/updatestatus.txt

The script creates a file /var/tmp/updatestatus.txt with content 1 if updates are available. 0 if not.

You also have to extend your snmpd configuration /etc/snmpd/snmpd.conf with this entry. Reloading snmpd is required!

extend update /bin/cat /var/tmp/updatestatus.txt

If you have a configuration management tool like
Puppet, Ansible or Saltstack it should be easy to distribute the script and the snmpd.conf entry.

Certainly you also need a service definition in ‘’’/etc/poller-configuration.xml’’’.

<service name="Update" interval="300000" user-defined="true" status="on">
    <parameter key="retry" value="1"/>
    <parameter key="timeout" value="3000"/>
    <parameter key="port" value="161"/>
    <parameter key="oid" value=".1.3.6.1.4.1.8072.1.3.2.4.1.2.6.117.112.100.97.116.101.1"/>
    <parameter key="operator" value="&lt;"/>
    <parameter key="operand" value="1"/>
</service>
<monitor service="Update" class-name="org.opennms.netmgt.poller.monitors.SnmpMonitor"/>

Finally assign the service Update to your Debian nodes. And that’s it. The service will go down, if updates are available!

Conclusion

Depending on your environment size and structure it could be a good idea to create a service detectors for both services. One way or the other be careful with these pollers. For the first time you could create a lot of work… :wink:

Have fun!