When you're monitoring security update availability using Zabbix or some other monitoring tool, you'll need a method to discern regular updates from security updates.

I've seen my colleagues do this:

$ /usr/lib/update-notifier/apt-check --human-readable | grep security | awk '{print $1}'

But that requires an install of the update-notifier-common package. (Note the -common. The main package has tons of requirements you don't need.)

In the quest for fewer dependencies (fewer installed packages), I used aptitude to get the info. That one is commonly installed anyway.

$ set +o histexpand  # (I hate histexpand because it is impossible to escape properly)
$ archive=`sed '/^deb .*security/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' /etc/apt/sources.list`
$ /usr/bin/aptitude -F%p search "?upgradable ?archive($archive)" 2>/dev/null </dev/null | wc -l

But the numbers do turn out differently at times:

$ /usr/lib/update-notifier/apt-check --human-readable
163 packages can be updated.
96 updates are security updates.

Versus:

$ for x in wHaTeVeR security; do
  archive=`sed '/^deb .*'$x'/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' /etc/apt/sources.list`
  n=`/usr/bin/aptitude -F%p search "?upgradable ?archive($archive)" 2>/dev/null </dev/null | wc -l`
  echo $n $x
  done
158 wHaTeVeR
103 security

Is that a problem? The missing 5 items can be explained by the "The following NEW packages will be installed" bit. Those aren't counted.

As for the 7 that I count as security updates while they "aren't", today I saw a firefox-locale-nl being classified as a security update by apt-check. It itself had no security updates whatsoever.

Then I guess a few extra false positives aren't a problem.

Here's the debian-updates.conf to put in your /etc/zabbix/zabbix_agentd.d. Obviously this works for Ubuntu too.

# Check for debian updates
UserParameter=debian_updates[*], aptitude -F%p search "?upgradable ?archive(`sed '/^deb .*$1/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' /etc/apt/sources.list`)" 2>/dev/null | wc -l
# Increase the global timeout (unfortunately), or zabbix killing
# aptitude will leave a /tmp/aptitude-zabbix.* directory turd every
# now and then.
Timeout=12
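
Added example, not part of the original post: the sed expression above takes the third space-separated field of the first matching deb line, which is the suite only when the line has no [option] block, so a monitoring check built on it can silently count the wrong archive. The script below runs the post's sed and an awk variant that skips an option block against a constructed sources.list; the function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Constructed sample sources.list; the last line carries an [option] block.
write_sample() {
    cat > "$1" <<'EOF'
# deb http://security.ubuntu.com/ubuntu trusty-security main
deb http://archive.ubuntu.com/ubuntu trusty main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main
deb [arch=amd64] http://security.ubuntu.com/ubuntu trusty-security main
EOF
}

# The post's extraction, unchanged apart from taking the file as $2.
page_sed() {
    sed '/^deb .*'"$1"'/!d;s/^deb [^ ]* \([^ ]*\) .*/\1/;q' "$2"
}

# Hypothetical variant: same line selection, but skips "[opt=val ...]"
# (which may contain spaces) before reading the URI and the suite.
find_archive() {
    awk -v pat="$1" '
        $1 != "deb" || $0 !~ pat { next }   # comments, deb-src, non-matches
        {
            i = 2
            if ($i ~ /^\[/) {               # option block present
                while (i < NF && $i !~ /\]$/) i++
                i++
            }
            print $(i + 1)                  # $i is the URI, next is the suite
            exit
        }
    ' "${2:-/etc/apt/sources.list}"
}

# Count upgradable packages from that archive, as in the post.
count_updates() {
    archive=$(find_archive "$1" "$2")
    [ -n "$archive" ] || { echo "no archive matches $1" >&2; return 1; }
    aptitude -F%p search "?upgradable ?archive($archive)" 2>/dev/null </dev/null | wc -l
}

sample=$(mktemp) && write_sample "$sample"
echo "post's sed:  $(page_sed security "$sample")"      # the URI, not the suite
echo "awk variant: $(find_archive security "$sample")"  # trusty-security
rm -f "$sample"
```

An empty result from find_archive is worth treating as a check failure rather than a zero count, which is why count_updates returns non-zero in that case.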
