Change exit codes to use needrestart as nagios-plugin

[ludovic-gasc]

hi,

needrestart is an useful piece of code to track daemons need to be started after a security update.
The only thing we missed, is to use needrestart as nagios-plugin, to receive alerts in Shinken/Tanto/Nagios/Icinga...
The only thing we need is that needrestart returns an exit code different to 0 when you have kernel or libraries upgrades: https://nagios-plugins.org/doc/guidelines.html#RETURNCODES
By convention, we use 1 for kernel restart and 2 for daemons restart, because daemons restart is often critical for security compare to kernel security alerts, the kernel exploits are very often only locally exploitable, compare to daemons like with openssl security upgrades.
This pull request is a quick'n'dirty fix to add several exit codes with needrestart, we aren't Perl specialists, we're a Python company.
If you want to reimplement this feature, or give us some tips to improve our pull request, feel free.
Nevertheless, this feature should interest people that monitor with security-minded their infrastructure.

Regards.

[liske]

Hi,

this sounds like a useful enhancement. I won't merge you pull request directly due to some patch & coding issues (i.e. touching whitespaces, nagios friendly output) and implement it by myself. I think I'll add some command line options and performance data, too.

Thanks,
Thomas

[ludovic-gasc]

Thank you.
If you want, when you have code something, we could be beta-testers.

[liske]

Could you please give e35c674 a try? Calling needrestart -p as root should make needrestart behave nagios plugin compliant.

How would you call needrestart from nagios?

TIA & HTH,
Thomas

[ludovic-gasc]

I've tested on a VM, the output is really better for monitoring:

root@XXXXX:~# needrestart -rl -p
OK - Kernel: 3.2.0-4-amd64, Services: 7 (!), Sessions: none|Kernel=-1;;0;0;1 Services=-1;0;;0 Sessions=-1;0;;0

Nevertheless, the exit code is still 0:

root@XXXXX:~# echo $?
0

How would you call needrestart from nagios?

In fact, we use Shinken and Tanto, because we don't have a remote access of the infrastructure of our clients (we use NSCA mode instead of NRPE).
In our case, it's Tanto that launches needrestart and use the exit code to give the status of the check.

[liske]

Re,

there was a bug in the evaluation of the correct return code (beside some other bugs ;-) - hoping fe494e5 is now working for you!

HTH,
Thomas

[ludovic-gasc]

Thanks a lot, it works like a charm !
We'll test more deeply this week => No news from us, it will be a good news ;-)

[glensc]

this is cool feature. actually it's why i found needrestart in first place (i used check_libs, and then someone pointed me here)

without looking deeper how nagios mode operates, but i think it should NOT invoke any notify.d and hook.d stuff?

[ludovic-gasc]

@liske BTW, it's now on production here, for now, no bugs, everything works. Thanks again.