# [solved] rkhunter --propupd [package name]

## Seron

After an extensive log from rkhunter on changes of tracked files I tried to use the --propupd [package name] option in stead of listing each file on a comma-separated list on the command line. According to the man-page 'only those files in the database which are part of the specified package will be updated' by using the --propupd [package name] option. However, when I try this with the package coreutils I get the response 'File or package name is not in the "rkhunter.dat" file: coreutils'.

Is rkhunter not compatible with portage? Is there a way to accomplish this?

[edit:]

I now use the following script to find out which packages are concerned. There may be better and more concise ways. Improvements are welcome. 

```
#!/bin/bash

grep 'File:' "$1" | sed -r 's/.*File: (\/.+)\\/\1/' | xargs equery -q b | sed s/a^/a^/
```

The last pipe is supposed make no changes to the output and is there to get equery's brief pipe-detecting output, which I don't know how to get unless equery is piped to something.

After I can use this script to update rkhunter properties for the files concerned.

```
#!/bin/bash

grep 'File:' "$1" | sed -r 's/.*File: (\/.+)\\/\1/' | tr '\n' ',' | xargs rkhunter --propupd
```

Further improvements could be to put both those scripts in one, have eix show when the packages were updated and ask for rkhunter --propupd confirmation before running it.

----------

## hujuice

I feel this limitation of rkhunter@gentoo as a weakness.

When tenth of files are changed after an update, I can only "close my eyes" and perform a whole propupd.

Thanks for the script.

I think that a reverse way should be adopted.

Something starting from 'equery f package' to be executed after an update.

HUjuice,

Regards

----------

## mr.sande

You could use something like this for each package.

```
quark sandman # cat rkhunter.sh 

#!/bin/bash

for FILE in `equery -q f $1`; do

   if [[ ! -d $FILE ]]; then

      rkhunter --propupd $FILE

   fi

done

```

But it will run slow, because rkhunter --propupd will be called once per file.

----------

