Red Hat SummitChapter 2. Get started using the Red Hat Lightspeed malware detection service
To begin using the malware detection service, you must perform the following actions. Procedures for each action follow in this chapter.
Some procedures require sudo access on the system and others require that the administrator performing the actions be a member of a User Access group with the Malware detection administrator role.
| Action | Description | Required privileges |
|---|---|---|
| Install YARA and configure the Red Hat Lightspeed client | Install the YARA application and configure the Red Hat Lightspeed client to use the malware detection service | Sudo access |
| Configure User Access on the Red Hat Hybrid Cloud Console | In Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups, create malware detection groups, and then add the appropriate roles and members to the groups | Organization Administrator on the Red Hat account |
| View results | See the results of system scans in the Hybrid Cloud Console | Membership in a User Access group with the Malware detection viewer role |
2.1. Installing YARA and configuring the Red Hat Lightspeed client
Perform the following procedure to install YARA and the malware detection controller on the RHEL system, then run test and full malware detection scans and report data to the Red Hat Lightspeed application.
Prerequisites
- The system operating system version must be RHEL 8 or RHEL 9.
- The administrator must have sudo access on the system.
- The system must have the Red Hat Lightspeed client package installed, and be registered to Red Hat Lightspeed.
Procedure
Install YARA.
Yara RPMs for RHEL 8 and RHEL 9 are available on the Red Hat Customer Portal:
sudo dnf install yara
$ sudo dnf install yaraCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteRed Hat Lightspeed malware detection is not supported on RHEL 7.
If not yet completed, register the system with Red Hat Lightspeed.
ImportantThe Red Hat Lightspeed client package must be installed on the system and the system registered with Red Hat Lightspeed before the malware detection service can be used.
Install the Red Hat Lightspeed client RPM.
sudo yum install insights-client
$ sudo yum install insights-clientCopy to Clipboard Copied! Toggle word wrap Toggle overflow Test the connection to Red Hat Lightspeed.
sudo insights-client --test-connection
$ sudo insights-client --test-connectionCopy to Clipboard Copied! Toggle word wrap Toggle overflow Register the system with Red Hat Lightspeed.
sudo insights-client --register
$ sudo insights-client --registerCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Run the Red Hat Lightspeed client malware detection collector.
sudo insights-client --collector malware-detection
$ sudo insights-client --collector malware-detectionCopy to Clipboard Copied! Toggle word wrap Toggle overflow The collector takes the following actions for this initial run:
-
Creates a malware detection configuration file in
/etc/insights-client/malware-detection-config.yml Performs a test scan and uploads the results
NoteThis is a very minimal scan of your system with a simple test rule. The test scan is mainly to help verify that the installation, operation, and uploads are working correctly for the malware detection service. There will be a couple of matches found but this is intentional and nothing to worry about. Results from the initial test scan will not appear in the malware detection service UI.
-
Creates a malware detection configuration file in
Perform a full filesystem scan.
Edit
/etc/insights-client/malware-detection-config.ymland set thetest_scanoption to false.test_scan: false
test_scan: falseCopy to Clipboard Copied! Toggle word wrap Toggle overflow Consider setting the following options to minimize scan time:
-
filesystem_scan_only- to only scan certain directories on the system -
filesystem_scan_exclude- to exclude certain directories from being scanned -
filesystem_scan_since- to scan only recently modified files
-
Re-run the client collector:
sudo insights-client --collector malware-detection
$ sudo insights-client --collector malware-detectionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Optionally, scan processes. This will scan the filesystem first, followed by a scan of all processes. After the filesystem and process scans are complete, view the results at Security > Malware.
ImportantBy default, scanning processes is disabled. There is an issue with YARA and scanning processes on Linux systems that may cause poor system performance. This problem will be fixed in an upcoming release of YARA, but until then it is recommended to NOT scan processes.
To enable process scanning, set
scan_processes: truein/etc/insights-client/malware-detection-config.yml.scan_processes: true
scan_processes: trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Consider setting these processes related options while you are there: processes_scan_only - to only scan certain processes on the system processess_scan_exclude - to exclude certain processes from being scanned processes_scan_since - to scan only recently started processes
Save the changes and run the collector again.
sudo insights-client --collector malware-detection
$ sudo insights-client --collector malware-detectionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
2.2.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:
Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
NoteIf the Organization Administrator makes changes to the Default access group its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
2.2.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.
If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Additional resources
For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC).
2.2.3. User Access roles for the Malware detection service
The following predefined roles on the Red Hat Hybrid Cloud Console enable access to malware detection features in Red Hat Lightspeed.
There is no "default-group" role for malware detection service users. For users to be able to view data or control settings in the malware detection service, they must be members of the User Access group with one of the following roles:
| User Access Role | Permissions |
|---|---|
| Malware detection viewer |
|
| Malware detection editor |
|
| Malware detection administrator |
|
2.3. Viewing malware detection scan results in the Red Hat Hybrid Cloud Console
View results of system scans on the Hybrid Cloud Console.
Prerequisites
- YARA and the Red Hat Lightspeed client are installed and configured on the RHEL system.
- You must be logged into the Hybrid Cloud Console.
- You are a member of a Hybrid Cloud Console User Access group with the Malware detection administrator or Malware detection viewer role.
Procedures
- Navigate to Security > Malware > Systems.
- View the dashboard to get a quick synopsis of all of your RHEL systems with malware detection enabled and reporting results.
- To see results for a specific system, use the Filter by name search box to search for the system by name.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}