On your clients you have to modify /etc/snmp/snmpd.conf:

com2sec paranoid default public

com2sec readonly default public
exec .1.3.6.1.4.1.2021.8.3 aptupdate /usr/local/bin/nagios-check-apt-updates

Get the check script to the client:

# wget --no-check-certificate \
https://kosh.ganneff.de/ganneffutils/nagios/nagios-check-apt-updates \
-O /usr/local/bin/nagios-check-apt-updates
# chmod +x /usr/local/bin/nagios-check-apt-updates

Allow the snmp user to make use of apt-get:

# echo "snmp  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update" >> /etc/sudoers
# echo "snmp  ALL=(ALL) NOPASSWD: /usr/bin/apt-get --simulate upgrade" >> /etc/sudoers

Restart the snmpd:

# /etc/init.d/snmpd restart
Restarting network management services: snmpd.

On the nagios monitoring system you have to run something like this:

# /usr/lib/nagios/plugins/check_snmp -H <client> -t30 \
-C public -o .1.3.6.1.4.1.2021.8.3.101.1 \
-r "No updates available"
SNMP CRITICAL - *"Security updates (1): libkrb53; "* | iso.3.6.1.4.1.2021.8.3.101.1="Security updates (1): libkrb53; "

After upgrading the client you should get:

# /usr/lib/nagios/plugins/check_snmp -H <client> -t30 \
-C public -o .1.3.6.1.4.1.2021.8.3.101.1 \
-r "No updates available"
SNMP OK - "No updates available" | iso.3.6.1.4.1.2021.8.3.101.1="No updates available"