
If you are running a Linux server that doesn't have rebootless kernel patching like KernelCare or Canonical Livepatch, then chances are you are running an out-of-date kernel. That is understandable, because keeping track of new kernels and rebooting your servers isn't fun. But Nagios can do that job for you, or at least the part of looking for a new kernel, and then notify you when it's time to reboot. That way you don't have to worry about being vulnerable to known kernel exploits just because you haven't rebooted your server.
In this guide I will assume you already have a working Nagios server and you know how to use NRPE. If you don't have that, I recommend you follow this guide from Digital Ocean that will show you how to set it up.
First you need to install the package needrestart on all the servers you want to check.
# For CentOS/Fedora
yum install needrestart
# For Ubuntu/Debian
apt install needrestart
You can then just run needrestart and see what it finds. For me it doesn't find anything, since I've already fixed all the problems I had.
[~]# needrestart
Scanning processes...
Scanning processor microcode...
Scanning linux images...
Running kernel seems to be up-to-date.
Failed to check for processor microcode upgrades.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
The microcode check unfortunately has a bug on CentOS; you can read more about it here.
If you run needrestart with the -h flag you will see it has a built-in feature to format the output for Nagios using the -p flag. You can also choose to only check the kernel (-k), libraries (-l) or microcode (-w). I made this into three different NRPE checks by adding this to my NRPE configuration.
command[check_kernel]=sudo /usr/sbin/needrestart -p -k
command[check_microcode]=sudo /usr/sbin/needrestart -p -w
command[check_libraries]=sudo /usr/sbin/needrestart -p -l
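To see what the check_kernel command is actually verifying, here is an added example (not from the original post and not part of needrestart) of a minimal kernel check in POSIX sh that reports in the same Nagios plugin style. It assumes kernel images are installed as /boot/vmlinuz-* and that GNU sort -V is available for version ordering.

```shell
#!/bin/sh
# Added example: a minimal NRPE-style kernel check that mirrors what
# `needrestart -p -k` reports, built from `uname -r` and the kernel
# images found in /boot. Not part of needrestart or the original post.
# Nagios exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN.

# newest_version VERSION... -> the highest version string (GNU sort -V assumed)
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_status RUNNING INSTALLED... -> prints a Nagios status line and
# returns the matching Nagios exit code.
kernel_status() {
    running=$1; shift
    if [ "$#" -eq 0 ]; then
        echo "UNKNOWN - no installed kernel images found"
        return 3
    fi
    newest=$(newest_version "$@")
    if [ "$running" = "$newest" ]; then
        echo "OK - Kernel: $running is the newest installed|reboot=0"
        return 0
    fi
    echo "CRITICAL - Kernel: running $running, newest installed $newest, reboot required|reboot=1"
    return 2
}

# installed_kernels -> version suffixes of the /boot/vmlinuz-* images on this host
installed_kernels() {
    for img in /boot/vmlinuz-*; do
        [ -e "$img" ] && echo "${img#/boot/vmlinuz-}"
    done
}

# Only when saved and run as check_kernel.sh (e.g. from an NRPE command):
# check the host it runs on and exit with the Nagios code.
if [ "${0##*/}" = "check_kernel.sh" ]; then
    kernel_status "$(uname -r)" $(installed_kernels)
    exit $?
fi
```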
You can now add these checks on your Nagios server; this is how I added them.
define service {
    use                 generic-service-daily
    hostgroup_name      needrestart
    service_description Kernel
    check_command       check_nrpe!check_kernel
}
define service {
    use                 generic-service-daily
    hostgroup_name      needrestart
    service_description Updated Libraries
    check_command       check_nrpe!check_libraries
}
define service {
    use                 generic-service-daily
    hostgroup_name      needrestart
    service_description Microcode
    check_command       check_nrpe!check_microcode
}
As you can see, I created a hostgroup named needrestart. To add all three checks to a server I now only need to add that server to the needrestart hostgroup; just don't forget to define the hostgroup itself.