Check apt doesnt show some updates

I have a problem with check_apt on Debian 12. Doesnt show some updates. Example Xanmod kernel’s update. The problem is the check_apt use apt-get. I have a solution:
/usr/lib/nagios/plugins/check_apt -U"-o ‘Debug::NoLocking=true’ --with-new-pkgs -s -qq"

Now I try make custom apt commands, but doesnt work:

/etc/icinga2/zones.d/master/commands.conf (on Icinga2 server, and target server)

object CheckCommand "apt2" {
    command = [ "sudo", "/usr/lib/nagios/plugins/check_apt" ]

        arguments = {
                "-U\"-o 'Debug::NoLocking=true' --with-new-pkgs -s -qq\"" = { 
                        required = true
                }
        }
}

/etc/icinga2/zones.d/master/services.conf

apply Service "apt" {
  import "1day-service"
  check_command = "apt2"
  vars.apt_list = true
  command_endpoint = host.vars.client_endpoint
  assign where match("Linu*", host.vars.os)
}

I get the following error message in icinga2web:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

But when I run the following command on target server, the command is fine:
sudo -u nagios /usr/lib/nagios/plugins/check_apt -U"-o ‘Debug::NoLocking=true’ --with-new-pkgs -s -qq"

APT WARNING: 3 packages available for upgrade (0 critical updates). |available_upgrades=3;;;0 critical_updates=0;;;0

What is wrong?

System information:
Platform: Debian GNU/Linux
Platform version: 12 (bookworm)
Kernel: Linux
Kernel version: 6.1.0-25-amd64
Architecture: x86_64

Build information:
Compiler: GNU 12.2.0
Build host: x86-conova-01
OpenSSL version: OpenSSL 3.0.14 4 Jun 2024

Disabled features: command compatlog debuglog elasticsearch gelf icingadb influxdb influxdb2 journald livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker ido-mysql mainlog notification

Thanks for your question. Luckily, you have found working parameters, which you could maybe share with the monitoring-plugins developers upstream.

Regarding your not working check command:

Then there is no need to prefix this command with a generic sudo in your CheckCommand’s command, as this would try to execute the command as the root user, which is forbidden, as the output says. Thus, try setting command = [ "/usr/lib/nagios/plugins/check_apt" ].

Thx for your reply. I deleted sudo, and now the error message is the following on the icingaweb:

Could not open pipe: /usr/bin/apt-get “-o ‘Debug::NoLocking=true’ --with-new-pkgs -s -qq” upgrade

Maybe this package kept back?
Hm, when I run:

  • apt-get upgrade → The following packages have been kept back:
    linux-xanmod-x64v3
  • apt upgrade → The following NEW packages will be installed:
    linux-headers-6.10.10-x64v3-xanmod1 linux-image-6.10.10-x64v3-xanmod1
    The following packages will be upgraded:
    linux-xanmod-x64v3

I found the solution. There is no need to make a separate command.
Only the following option in services.conf:

apply Service “apt” {
import “1day-service”
check_command = “apt”
vars.apt_list = true
vars.apt_dist_upgrade = true
command_endpoint = host.vars.client_endpoint
assign where match(“Linu*”, host.vars.os)
}