Comment 2 for bug 1451477

Nathan Stratton Treadway (nathanst) wrote :

Getting the automatic update to be restricted to only the files actually part of the upgraded package certainly makes sense.

However, when I experimented with this I found the <package name> option only works if the rkhunter.dat file was originally built using the DPKG value for the --pkgmgr, which isn't the default configuration for the Ubuntu package. (In fact, the rkhunter.conf file specifically explains "NONE is the default for Debian as well, as running --propupd takes about 4 times longer when it's set to DPKG".) Additionally, I noticed that switching to a --pkgmgr DPKG database means that the file hash is also changed from the default of sha1 to using md5 instead.

However, for what it's worth, I found that, given the name of the package that has been updated, I can build a command line explicitly listing the files that rkhunter should include in its --propupd run, thus (hopefully) accomplishing the same goal without relying on the --pkgmgr function.

I did this by first finding a list of all the file names that are found in both the package and the rkhunter database, then replacing the spaces in the space-separated list with commas to get the command line that rkhunter expects. So, for example, after updating the coreutils package, I ran:

  # FILELIST="$(cat /var/lib/dpkg/info/coreutils.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"
  # FILELIST="$(echo $FILELIST | sed -e 's/ /,/g')"
  # rkhunter --propupd $FILELIST
  [ Rootkit Hunter version 1.3.6 ]
  File updated: searched for 162 files, found 41 of 136

(If more than one package was updated, the first line above can be replaced with:
  # FILELIST=""; for P in bsd-mailx binutils sudo dpkg ; do FILELIST="$FILELIST $(cat /var/lib/dpkg/info/$P.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"; done
to get a combined list.)
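The same intersection-and-join step as a reusable shell function, written here as an added example (not code from the bug comment); it uses comm instead of sort | uniq -d so that a path listed twice inside one file is not mistaken for a match, accepts several package lists at once, and is exercised on constructed sample data rather than the real /var/lib/dpkg and /var/lib/rkhunter files.

```shell
#!/bin/sh
# Added example: build the comma-separated file list that
# "rkhunter --propupd" expects from the files common to one or more
# dpkg .list files and rkhunter's rkhunter_prop_list.dat.
set -eu
export LC_ALL=C   # sort and comm must agree on collation order

# build_propupd_list PROP_LIST_FILE PKG_LIST_FILE...
# Prints, comma-separated on one line, every path that appears both in the
# rkhunter property-database listing and in any of the package file lists.
build_propupd_list() {
    proplist=$1; shift
    sorted_props=$(mktemp)
    sorted_pkgs=$(mktemp)
    sort -u "$proplist" > "$sorted_props"
    # Concatenate all package lists; sort -u collapses duplicates within a
    # list and across packages to a single entry.
    cat "$@" | sort -u > "$sorted_pkgs"
    # comm -12 keeps only lines present in both sorted inputs; paste joins
    # them with commas (an empty intersection yields an empty line).
    comm -12 "$sorted_props" "$sorted_pkgs" | paste -sd, -
    rm -f "$sorted_props" "$sorted_pkgs"
}

# Constructed sample input standing in for /var/lib/dpkg/info/*.list and
# /var/lib/rkhunter/db/rkhunter_prop_list.dat (not real system data).
demo() {
    tmpd=$(mktemp -d)
    printf '%s\n' /. /bin /bin/cat /bin/ls /bin/ls /usr/share/doc/coreutils > "$tmpd/coreutils.list"
    printf '%s\n' /bin/ls /bin/su /usr/bin/sudo > "$tmpd/sudo.list"
    printf '%s\n' /bin/cat /bin/ls /bin/su /usr/bin/sudo /usr/bin/ssh > "$tmpd/rkhunter_prop_list.dat"
    build_propupd_list "$tmpd/rkhunter_prop_list.dat" "$tmpd/coreutils.list" "$tmpd/sudo.list"
    rm -rf "$tmpd"
}

# Real-system usage (hypothetical paths taken from the comment above):
# FILELIST=$(build_propupd_list /var/lib/rkhunter/db/rkhunter_prop_list.dat \
#                               /var/lib/dpkg/info/coreutils.list)
# [ -n "$FILELIST" ] && rkhunter --propupd "$FILELIST"
```

Only paths that rkhunter already tracks are passed to --propupd, so files added by a package but never baselined are left for a deliberate full --propupd rather than being silently accepted.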