matteocorti / check_updates

check_updates is a Nagios plugin to check if RedHat or Fedora system is up-to-date
https://matteocorti.github.io/check_updates/
GNU General Public License v3.0

--number-only makes returned state always "OK" if used with --security-only #48

Closed log1-c closed 2 years ago

log1-c commented 2 years ago

Hi there :) First of all: Thank you for the plugin!

We currently have configured to check for:

  1. all pending updates:
     /usr/lib64/nagios/plugins/check_updates --no-boot-check --number-only -c 100 -t 30 -w 50
     This check works as expected and the status changes depending on the number of total updates pending, e.g.
     CHECK_UPDATES WARNING - 26 security updates and 40 non-security updates available

  2. only security updates:
     /usr/lib64/nagios/plugins/check_updates --no-boot-check --number-only --security-only -c 10 -t 30 -w 5
     This check is always in an OK state, e.g.
     CHECK_UPDATES OK - 26 security updates and 40 non-security updates available

I would have expected the second check to be in a critical state, because 26 > 10. It looks like there is a comparison missing that checks the warn and crit thresholds. Maybe somewhere around here: https://github.com/matteocorti/check_updates/blob/2bc11871793fe3eea258493dd6e0f062464a83cb/check_updates#L796 ?

Maybe adding two new options for warning and critical thresholds only for security updates would be a nice addition to the script?


Cheers log1c

matteocorti commented 2 years ago

This is an expected behaviour. The --number-only option does not make sense with --security-only. In the case of --security-only the non-security updates are not considered.

matteocorti commented 2 years ago

Added a sanity check in 4e9eb1d

log1-c commented 2 years ago

Thanks for quickly clearing that up. Then I jumped to the wrong conclusions reading the options :) Maybe this was because the thresholds are still displayed in the total_updates output as well:
CHECK_UPDATES OK - 24 non-security updates available | total_updates=24;5;10 security_updates=0;5;10

log1-c commented 2 years ago

Hm, there still seems to be an issue. I have now removed the --number-only from my check and now have (at least) one check with this outcome:
CHECK_UPDATES CRITICAL - 1 security update available

Command is /usr/lib64/nagios/plugins/check_updates --no-boot-check --security-only -c 10 -t 30 -w 5

This was the reason why I added the --number-only.

Edit: found out that this machine is missing the yum security plugin; that's the reason why the output is critical:

/usr/lib64/nagios/plugins/check_updates --no-boot-check --security-only -c 10 -t 30 -w 5 -v
Checking a linux system
Running on Red Hat Enterprise Linux release 8.2 (Ootpa)
Using Yum or DNF
no security plugin: every update could be a security problem
CHECK_UPDATES CRITICAL - 2 security updates available 

Maybe the missing security plugin could be mentioned in the output somewhere as well?

matteocorti commented 2 years ago

I get your point. The general idea is that for security the number is not really relevant. If you have one package that is outdated, the status is critical. I don't really see the point in saying: I want to be warned just when I have at least 10 security issues (without even knowing which ones).

log1-c commented 2 years ago

Our reasoning behind this implementation is that we normally deploy security updates automatically on a daily basis and non-security updates once every month. But we don't want to be notified immediately when a security update becomes available, because it just might become available after the automatism has been executed.

But removing --number-only from the security check made both work as expected. Thanks for clearing that up and for the sanity check :)
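A wrapper of the kind described in this thread (warn/crit thresholds applied to the security count, and a hint when the yum/dnf security plugin is absent), written here as an added example that is not part of check_updates. It assumes only the output format visible in the comments above (a status line, "|", then Nagios perfdata as label=value;warn;crit); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the check_updates project: re-evaluate the
# security_updates perfdata that check_updates already emits against our own
# warning/critical thresholds and return a Nagios exit code
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

# security_state "<check_updates output line>" WARN CRIT
# Prints a state line and returns the matching Nagios exit code.
security_state() {
    line=$1; warn=$2; crit=$3
    perf=${line#*|}                    # everything after the first "|"
    if [ "$perf" = "$line" ]; then
        echo "UNKNOWN - no perfdata in plugin output"; return 3
    fi
    count=
    for item in $perf; do              # perfdata items are space separated
        case $item in
            security_updates=*)
                count=${item#security_updates=}   # strip the label
                count=${count%%;*}                # keep value, drop ;warn;crit
                ;;
        esac
    done
    case $count in
        ''|*[!0-9]*) echo "UNKNOWN - security_updates perfdata missing"; return 3 ;;
    esac
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count security updates available"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count security updates available"; return 1
    fi
    echo "OK - $count security updates available"; return 0
}

# plugin_missing "<verbose check_updates output>"
# Returns 0 when check_updates -v reported that the security plugin is absent;
# in that case every pending update is counted as a security update.
plugin_missing() {
    case $1 in
        *"no security plugin"*) return 0 ;;
    esac
    return 1
}

# Constructed sample lines in the plugin's output format (not real check results).
SAMPLE_OK='CHECK_UPDATES OK - 24 non-security updates available | total_updates=24;5;10 security_updates=0;5;10'
SAMPLE_HOT='CHECK_UPDATES OK - 26 security updates and 40 non-security updates available | total_updates=66;50;100 security_updates=26;50;100'
SAMPLE_VERBOSE='Using Yum or DNF
no security plugin: every update could be a security problem'

security_state "$SAMPLE_OK" 5 10     # prints "OK - 0 security updates available"
```

In production the first argument would be `"$(/usr/lib64/nagios/plugins/check_updates --no-boot-check)"` and the wrapper's exit code is what Nagios evaluates.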

matteocorti commented 2 years ago

I see your point ....