/etc/apt/apt.conf.d/90rkhunter security loss

I'm not sure whether or not this is technically possible.

The manpage for "apt.conf" doesn't mention any parameters (such as the package names) that can passed to the "DPkg::Post-Invoke" hook.

If someone can find a clean way to do it, I think it's a good idea.

Getting the automatic update to be restricted to only the files actually part of the upgraded package certainly makes sense.

However, when I experimented with this I found the <package name> option only works if the rkhunter.dat file was originally built using the DPKG value for the --pkgmgr, which isn't the default configuration for the Ubuntu package. (In fact, the rkhunter.conf file specifically explains "NONE is the default for Debian as well, as running --propupd takes about 4 times longer when it's set to DPKG".) Additionally, I noticed that switching to a --pkgmgr DPKG database means that the file hash is also changed from the default of sha1 to using md5 instead.

However, for what it's worth, if I found that given the name of the package that has been updated I can build a command line explicitly listing the files that rkhunter should include in it's --propupd run, thus (hopefully) accomplishing the same goal without relying on the --pkgmgr function.

I did this by first finding a list of all the file names that are found in both the package and the rkhunter database, then replacing the spaces in the space-separated list with commas to get the command line that rkhunter expects. So, for example, after updating the coreutils package, I ran:

  # FILELIST="$(cat /var/lib/dpkg/info/coreutils.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"
  # FILELIST="echo $FILELIST| sed -e "s/ /,/g"
  # rkhunter --propupd $FILELIST
  [ Rootkit Hunter version 1.3.6 ]
  File updated: searched for 162 files, found 41 of 136

(If more than one package was updated, the first line above can be replaced with:
  # FILELIST=""; for P in bsd-mailx binutils sudo dpkg ; do FILELIST="$FILELIST $(cat /var/lib/dpkg/info/$P.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"; done
to get a combined list.)

> The manpage for "apt.conf" doesn't mention any parameters (such as the package names) that can passed to the "DPkg::Post-Invoke" hook.

Yeah, I agree that the DPkg::Post-Invoke hook doesn't seem to be passed any useful info....

I see that there is a Pre-Install-Pkgs hook, which is passed the list of deb files to be upgraded on stdin. It would be a pain but perhaps rkhunter could record the list of packages somewhere under /var/lib/rkhunter from that hook, and then use that list in the Post-Invoke hook to generate the necessary --propupd command line....

Status changed to 'Confirmed' because the bug affects multiple users.

(One thing not handled by the "cat /var/lib/dpkg/info/$P.list" approach described above is symlinks, e.g. /usr/bin/mail. These don't appear in the dpkg .list file [as the actual executable files do], but when the target of the symlink is changed then rkhunter will detect that as a property mismatch on the symlink entry in rkhunter.dat as well as the entry for the target.

I may be missing an easier approach, but one solution might be for the post-invoke hook to check the rkhunter.dat file for other entries that have the same hash value as the lines that it is planning to update, and go ahead and add the file-paths for those entries to the --propupd line as well.)

Wouldn't
    rkhunter --enable properties && rkhunter --propupd
as substitute for /usr/share/rkhunter/scripts/rkhupd.sh be a reasonable workaround?
It would run the database update only in case the concerned binaries were not manipulated in the meantime.