Chapter 2. Get started using the Insights for RHEL malware detection service
To begin using the malware detection service, you must perform the following actions. Procedures for each action follow in this chapter.
Some procedures require sudo access on the system and others require that the administrator performing the actions be a member of a User Access group with the Malware detection administrator role.
Action | Description | Required privileges |
---|---|---|
Install YARA and configure the Insights client | Install the YARA application and configure the Insights client to use the malware detection service | Sudo access |
Configure User Access on the Red Hat Hybrid Cloud Console | In Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups, create malware detection groups, and then add the appropriate roles and members to the groups | Organization Administrator on the Red Hat account |
View results | See the results of system scans in the Hybrid Cloud Console | Membership in a User Access group with the Malware detection viewer role |
2.1. Installing YARA and configuring the Insights client
Perform the following procedure to install YARA and the malware detection controller on the RHEL system, then run test and full malware detection scans and report data to the Insights for Red Hat Enterprise Linux application.
Prerequisites
- The system operating system version must be RHEL8 or RHEL9.
- The administrator must have sudo access on the system.
- The system must have the Insights client package installed, and be registered to Insights for Red Hat Enterprise Linux.
Procedure
Install YARA.
YARA RPMs for RHEL8 and RHEL9 are available on the Red Hat Customer Portal:
$ sudo dnf install yara
Note: Insights for Red Hat Enterprise Linux malware detection is not supported on RHEL7.
If not yet completed, register the system with Insights for Red Hat Enterprise Linux.
Important: The Insights client package must be installed on the system and the system registered with Insights for Red Hat Enterprise Linux before the malware detection service can be used.
Install the Insights client RPM.
$ sudo yum install insights-client
Test the connection to Insights for Red Hat Enterprise Linux.
$ sudo insights-client --test-connection
Register the system with Insights for Red Hat Enterprise Linux.
$ sudo insights-client --register
Run the Insights client malware detection collector.
$ sudo insights-client --collector malware-detection
The collector takes the following actions for this initial run:
- Creates a malware detection configuration file in /etc/insights-client/malware-detection-config.yml
- Performs a test scan and uploads the results
Note: This is a very minimal scan of your system with a simple test rule. The test scan is mainly to help verify that the installation, operation, and uploads are working correctly for the malware detection service. There will be a couple of matches found but this is intentional and nothing to worry about. Results from the initial test scan will not appear in the malware detection service UI.
Perform a full filesystem scan.
Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false:
test_scan: false
Consider setting the following options to minimize scan time:
- filesystem_scan_only - to only scan certain directories on the system
- filesystem_scan_exclude - to exclude certain directories from being scanned
- filesystem_scan_since - to scan only recently modified files
Re-run the client collector:
$ sudo insights-client --collector malware-detection
Optionally, scan processes. This will scan the filesystem first, followed by a scan of all processes. After the filesystem and process scans are complete, view the results at Security > Malware.
Important: By default, scanning processes is disabled. There is an issue with YARA and scanning processes on Linux systems that may cause poor system performance. This problem will be fixed in an upcoming release of YARA, but until then it is recommended to NOT scan processes.
To enable process scanning, set scan_processes: true in /etc/insights-client/malware-detection-config.yml:
scan_processes: true
Consider setting these process-related options while you are there:
- processes_scan_only - to only scan certain processes on the system
- processes_scan_exclude - to exclude certain processes from being scanned
- processes_scan_since - to scan only recently started processes
Save the changes and run the collector again.
$ sudo insights-client --collector malware-detection
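The procedure above edits the same configuration file twice (test_scan for the full filesystem scan, scan_processes for the optional process scan) and then re-runs the collector. The following POSIX shell script is an added example, not part of this Red Hat documentation or of the insights-client package: it reads a constructed sample copy of malware-detection-config.yml and reports whether the file is ready for a full filesystem scan with process scanning left disabled, so the check can be run before the collector is invoked again. The check_malware_config and yaml_value functions and the sample values are assumptions made for this example; the option names are the ones listed in the procedure.

```shell
#!/bin/sh
# Pre-flight check for /etc/insights-client/malware-detection-config.yml.
# Added example; not part of the Red Hat documentation or the Insights client.
# It reads flat "key: value" YAML options named in the procedure above and
# reports whether the file is set up for a full filesystem scan without
# process scanning. check_malware_config (hypothetical name) takes the path of
# the config file and returns 0 when the file is ready, 1 otherwise.

# Print the value of a top-level "key: value" line, stripping quotes and spaces.
yaml_value() {
    # $1 = key, $2 = file
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "'\"" | sed 's/[[:space:]]*$//'
}

check_malware_config() {
    cfg="$1"
    status=0
    if [ ! -r "$cfg" ]; then
        echo "ERROR: cannot read $cfg"
        return 1
    fi

    # The initial test scan does not appear in the Malware UI; a real scan needs test_scan: false.
    test_scan=$(yaml_value test_scan "$cfg")
    if [ "$test_scan" != "false" ]; then
        echo "WARN: test_scan is '${test_scan:-unset}'; set test_scan: false for a full filesystem scan"
        status=1
    fi

    # Process scanning is off by default and the documentation advises leaving it off
    # until the YARA performance issue is fixed upstream.
    scan_processes=$(yaml_value scan_processes "$cfg")
    if [ "$scan_processes" = "true" ]; then
        echo "WARN: scan_processes is true; the documented YARA issue may degrade performance"
        status=1
    fi

    # Informational: show which scope-limiting options are present.
    for key in filesystem_scan_only filesystem_scan_exclude filesystem_scan_since; do
        if grep -q "^$key:" "$cfg"; then
            echo "INFO: $key is set"
        fi
    done
    return $status
}

# Constructed sample config (not a file taken from a real RHEL system) to exercise the check.
sample="${TMPDIR:-/tmp}/malware-detection-config.sample.yml"
cat > "$sample" <<'EOF'
# constructed example values
test_scan: false
scan_processes: false
filesystem_scan_exclude:
  - /proc
  - /sys
filesystem_scan_since: 7
EOF

check_malware_config "$sample"
```

To check the real file, call check_malware_config /etc/insights-client/malware-detection-config.yml (reading it may require sudo); a non-zero return means the file is still in test-scan mode or enables process scanning, and the collector should not be re-run until that is corrected.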
2.2. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
2.2.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles.
2.2.1.1. Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
If the Organization Administrator makes changes to the Default access group, its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
2.2.1.2. Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
See User Access Configuration Guide for Role-based Access Control (RBAC) for additional information.
2.2.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.
If you try to access Insights for Red Hat Enterprise Linux features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
2.2.3. User Access roles for the Malware detection service
The following predefined roles on the Red Hat Hybrid Cloud Console enable access to malware detection features in Insights for Red Hat Enterprise Linux.
There is no "default-group" role for malware detection service users. For users to be able to view data or control settings in the malware detection service, they must be members of the User Access group with one of the following roles:
User Access Role | Permissions |
---|---|
Malware detection viewer | |
Malware detection editor | |
Malware detection administrator | |
2.3. Viewing malware detection scan results in the Red Hat Hybrid Cloud Console
View results of system scans on the Hybrid Cloud Console.
Prerequisites
- YARA and the Insights client are installed and configured on the RHEL system.
- You must be logged into the Hybrid Cloud Console.
- You are a member of a Hybrid Cloud Console User Access group with the Malware detection administrator or Malware detection viewer role.
Procedure
- Navigate to Security > Malware > Systems.
- View the dashboard to get a quick synopsis of all of your RHEL systems with malware detection enabled and reporting results.
- To see results for a specific system, use the Filter by name search box to search for the system by name.