Getting the automatic update to be restricted to only the files actually part of the upgraded package certainly makes sense.
However, when I experimented with this I found the <package name> option only works if the rkhunter.dat file was originally built using the DPKG value for the --pkgmgr, which isn't the default configuration for the Ubuntu package. (In fact, the rkhunter.conf file specifically explains "NONE is the default for Debian as well, as running --propupd takes about 4 times longer when it's set to DPKG".) Additionally, I noticed that switching to a --pkgmgr DPKG database means that the file hash is also changed from the default of sha1 to using md5 instead.
However, for what it's worth, I found that, given the name of the package that has been updated, I can build a command line explicitly listing the files that rkhunter should include in its --propupd run, thus (hopefully) accomplishing the same goal without relying on the --pkgmgr function.
I did this by first finding a list of all the file names that are found in both the package and the rkhunter database, then replacing the spaces in the space-separated list with commas to get the command line that rkhunter expects. So, for example, after updating the coreutils package, I ran:
# FILELIST="$(cat /var/lib/dpkg/info/coreutils.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"
# FILELIST="$(echo $FILELIST | sed -e "s/ /,/g")"
# rkhunter --propupd $FILELIST
[ Rootkit Hunter version 1.3.6 ]
File updated: searched for 162 files, found 41 of 136
(If more than one package was updated, the first line above can be replaced with:
# FILELIST=""; for P in bsd-mailx binutils sudo dpkg ; do FILELIST="$FILELIST $(cat /var/lib/dpkg/info/$P.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"; done
to get a combined list.)
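The procedure from the post above, generalized to any number of packages, as an added example that is not part of the original post: it intersects each package's dpkg .list file with rkhunter's stored property list and joins the result with commas for --propupd. The function and variable names are made up here; it assumes rkhunter_prop_list.dat holds one path per line, as the post's own pipeline does, and uses comm -12 rather than sort | uniq -d so that a path repeated within a single input cannot be mistaken for a cross-list match.

```shell
#!/bin/sh
# Added example, not from the original post: build the comma-separated file
# list that "rkhunter --propupd" expects for one or more upgraded packages.
# Paths are overridable so the function can be run against constructed sample
# files instead of the live /var/lib trees.
DPKG_INFO="${DPKG_INFO:-/var/lib/dpkg/info}"
RKH_PROPLIST="${RKH_PROPLIST:-/var/lib/rkhunter/db/rkhunter_prop_list.dat}"

# propupd_filelist PKG... -> prints "path1,path2,..." of files present in both
# the packages' .list files and rkhunter's property list (assumed to be one
# path per line). comm needs both inputs sorted the same way, hence LC_ALL=C.
propupd_filelist() {
    pkgs_tmp=$(mktemp) || return 1
    for p in "$@"; do
        cat "$DPKG_INFO/$p.list"
    done | LC_ALL=C sort -u > "$pkgs_tmp"
    LC_ALL=C sort -u "$RKH_PROPLIST" | LC_ALL=C comm -12 "$pkgs_tmp" - \
        | paste -s -d , -
    rm -f "$pkgs_tmp"
}

# Only run the update when the intersection is non-empty: "rkhunter --propupd"
# with no file list refreshes every stored property, defeating the purpose.
propupd_packages() {
    list=$(propupd_filelist "$@") || return 1
    [ -n "$list" ] || { echo "no rkhunter-tracked files in: $*" >&2; return 1; }
    rkhunter --propupd "$list"
}

# Constructed sample data standing in for the real dpkg and rkhunter files.
# Returns the list for two packages; expected: /bin/cat,/bin/ls,/usr/bin/sudo
demo_propupd_filelist() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/info"
    printf '%s\n' /. /bin /bin/ls /bin/cat /usr/share/doc/coreutils > "$d/info/coreutils.list"
    printf '%s\n' /. /usr/bin /usr/bin/sudo /etc/sudoers > "$d/info/sudo.list"
    printf '%s\n' /bin/ls /bin/cat /usr/bin/sudo /bin/ps > "$d/rkhunter_prop_list.dat"
    ( DPKG_INFO="$d/info"; RKH_PROPLIST="$d/rkhunter_prop_list.dat"
      propupd_filelist coreutils sudo )
    rm -rf "$d"
}
```

On a real host, propupd_packages coreutils sudo would then hand only the matching paths to rkhunter, exactly as the manual command line in the post does.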