icinga2-checks/check_apt_critical.sh

#!/bin/bash
# https://github.com/nagios-plugins/nagios-plugins/blob/master/plugins/check_apt.c

usage() {
  echo "usage: check_apt_critical.sh [-h] [--warn WARN] [--crit CRIT]

options:
  -h, --help            Show this help message and exit.
  --warn WARN           The number of critical updates needed to trigger WARNING.
  --crit CRIT           The number of critical updates needed to trigger CRITICAL.

If --warn or --crit is not provided, any number of updates will trigger CRITICAL."
  exit 3
}

WARN_LEVEL=0
CRIT_LEVEL=0

while [ "$1" != "" ]; do
  case $1 in
    --warn ) shift
            WARN_LEVEL=$1
            ;;
    --crit ) shift
             CRIT_LEVEL=$1
             ;;
    * ) usage
  esac
  shift
done

CRITICAL_RE='^Inst [^\(]*\(.* (Debian-Security:|Ubuntu:[^/]*/[^-]*-security)'
APT_PATH=$(which apt-get)
CRITICAL_UPDATES=$($APT_PATH --just-print upgrade -o 'Debug::NoLocking=true' -s -qq | grep -oE "$CRITICAL_RE" )
NUM_CRIT_UPDATES=$(echo "$CRITICAL_UPDATES" | wc -l)

if [[ $NUM_CRIT_UPDATES -eq 0 ]]; then
  echo "OK - $NUM_CRIT_UPDATES critical updates available. | critical_updates=$NUM_CRIT_UPDATES"
  exit 0
fi

if [[ $CRIT_LEVEL -gt 0 ]] || [[ $WARN_LEVEL -gt 0 ]]; then
  # Only use the levels if the user has set one of them.
  if [[ $CRIT_LEVEL -gt 0 ]] && [[ $NUM_CRIT_UPDATES -ge $CRIT_LEVEL ]]; then
    # If the crit level is 0, that means the user has only set the --warn flag. We'll just ignore the crit level since that's what they did.
    echo "CRITICAL - $NUM_CRIT_UPDATES critical updates available. | critical_updates=$NUM_CRIT_UPDATES"
    exit 2
  elif [[ $NUM_CRIT_UPDATES -ge $WARN_LEVEL ]]; then
    echo "WARNING - $NUM_CRIT_UPDATES critical updates available. | critical_updates=$NUM_CRIT_UPDATES"
    exit 1
  else
      echo "OK - $NUM_CRIT_UPDATES critical updates available. | critical_updates=$NUM_CRIT_UPDATES"
      exit 0
  fi
else
  echo "CRITICAL - $NUM_CRIT_UPDATES critical updates available. | critical_updates=$NUM_CRIT_UPDATES"
  exit 2
fi