We have Intel servers with MegaRAID RAID devices. Personal opinions aside and putting on my responsible sysadmin's hat, we do need monitoring of the RAID devices/disks and so we have the "RAID Web Console 2" software installed - as provided by Intel, but basically just a re-wrap of the original LSI tool. It's an absolutely dreadful piece of Java-based software, and to cut a long story short, it runs an API/service on ports that is being detected as suspicious - and I would like to white-list them.
Here it is in the log file:
[06:25:51] Checking for TCP port 33369 [ Found ]
[06:25:51] Warning: Network TCP port 33369 is being used by /usr/local/RAID. Possible rootkit: Volc Rootkit SSH server (divine)
Use the 'lsof -i' or 'netstat -an' command to check this.
The problem is that the install location for the software is a folder name with spaces in it, and this is being truncated by rkhunter. It is the default location and cannot (as far as I can tell) actually be changed.
I have added this option to my local configuration:
PORT_WHITELIST="/usr/local/RAID Web Console 2/Framework/startup.sh TCP:33369"
But then when I run rkhunter, it complains with the following:
russell@neptune ~ $ sudo rkhunter -c -sk
Invalid PORT_WHITELIST configuration option - non-existent pathname specified: /usr/local/RAID
Invalid entry specified in PORT_WHITELIST configuration option: Web
Invalid entry specified in PORT_WHITELIST configuration option: Console
Invalid entry specified in PORT_WHITELIST configuration option: 2/Framework/startup.sh
I have tried adding a "\" escape character, but that doesn't work, and I've tried adding the truncated form of just "/usr/local/RAID", but this then gets met with a "non-existent pathname specified" error.
It would be great if white spaces could be permitted - much like the 'filesystem' check now does.
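
The four separate error messages quoted above are consistent with the option value being split on whitespace before each entry is checked. The script below is an added example, not rkhunter's code and not part of the original post; it reproduces that split for the value shown, and the function names and classification labels are hypothetical.

```shell
#!/bin/sh
# Added example, not rkhunter code. Assumption: the PORT_WHITELIST value is
# split on whitespace, as the separate error messages in the post suggest.

# classify_entry TOKEN -> prints "port", "path", "missing-path" or "invalid"
classify_entry() {
    case "$1" in
        TCP:*|UDP:*)
            port=${1#*:}
            case "$port" in
                ''|*[!0-9]*) echo invalid ;;          # empty or non-numeric port
                *)
                    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
                        echo port
                    else
                        echo invalid                   # outside the valid port range
                    fi ;;
            esac ;;
        /*)
            # Absolute pathname: it must exist to be accepted.
            if [ -e "$1" ]; then echo path; else echo missing-path; fi ;;
        *)
            echo invalid ;;                            # neither PROTO:port nor a pathname
    esac
}

# check_port_whitelist VALUE -> one "class<TAB>token" line per entry
check_port_whitelist() {
    set -f                      # no globbing while the value is split
    # Unquoted on purpose: this is the whitespace split being demonstrated.
    for entry in $1; do
        printf '%s\t%s\n' "$(classify_entry "$entry")" "$entry"
    done
    set +f
}

# Constructed input: the option value from the post.
SAMPLE='/usr/local/RAID Web Console 2/Framework/startup.sh TCP:33369'
check_port_whitelist "$SAMPLE"
```

Under that assumption the directory name is broken into separate entries before any pathname check runs, which matches the "non-existent pathname" error for /usr/local/RAID followed by three "Invalid entry" errors.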