Chapter 2. Set up the Red Hat Lightspeed malware detection service


Learn how to set up the Red Hat Lightspeed malware detection service on RHEL systems by installing and configuring the insights-client, assigning User Access roles for malware detection administrators and viewers, running an on-demand malware detection scan, and reviewing scan results in the Hybrid Cloud Console.

Some procedures require root privileges on the system and others require that the administrator performing the actions be a member of a User Access group with the Malware detection administrator role.

Set up the malware detection service by learning which access and privileges you need to make changes to your Red Hat Enterprise Linux systems. The following table lists the main actions, what each step involves, and the access you need.

| Action | Description | Required privileges |
|---|---|---|
| Install YARA | Install the YARA application. | Root privileges |
| Configure the insights-client | Configure the insights-client to use the malware detection service; enable the collector for the malware detection service. | Root privileges |
| Configure User Access in the Red Hat Hybrid Cloud Console | In the Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups, create malware detection groups and then add the appropriate roles and members to the groups. | Organization Administrator role on the Red Hat account |
| Optional: Enable process scanning | Optionally enable process scanning in /etc/insights-client/malware-detection-config.yml by setting scan_processes to true and running the malware detection collector. | Root privileges |
| Scan your Red Hat Enterprise Linux systems | Run the malware detection collector scan on your Red Hat Enterprise Linux systems. | Root privileges |
| View results | See the results of system scans in the Hybrid Cloud Console. | Membership in a User Access group with the Malware detection viewer role |

To start running malware detection scans and reporting data to the Red Hat Lightspeed application, install YARA and the malware detection collector on the RHEL system.

Prerequisites

  • You are installing YARA and the malware detection collector on a RHEL 8 or later system.
  • You have root privileges on the system.

Procedure

  1. Install YARA. (YARA RPMs for RHEL 8 and later are available on the Red Hat Customer Portal.)

    $ sudo dnf install yara
    Note

    Red Hat Lightspeed malware detection is not supported on RHEL 7.

  2. Register the system with Red Hat Lightspeed.

    Important

    Using the malware detection service requires that you have the insights-client package installed on the system and the system registered with Red Hat Lightspeed.

    1. Install the insights-client RPM.

      $ sudo yum install insights-client
    2. Test the connection to Red Hat Lightspeed.

      $ sudo insights-client --test-connection
    3. Register the system with Red Hat Lightspeed.

      $ sudo insights-client --register
  3. Run the insights-client malware detection collector to create a malware detection configuration file in /etc/insights-client/malware-detection-config.yml, perform a test scan and upload the results to Red Hat Lightspeed.

    $ sudo insights-client --collector malware-detection
    Note

    This is a very minimal scan of your system that helps verify the malware detection service is working correctly. By design, the scan detects some matches to show you that the service is functioning. Results from the test scan will not appear in the malware detection service.

  4. Perform a full filesystem scan.

    1. Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false.

      test_scan: false

      Consider setting the following options to minimize scan time:

      • filesystem_scan_only - to only scan certain directories on the system
      • filesystem_scan_exclude - to exclude certain directories from being scanned
      • filesystem_scan_since - to scan only recently modified files
    2. Run the insights-client --collector again:

      $ sudo insights-client --collector malware-detection

      To optionally scan processes after a full filesystem scan, see Enable process scanning for malware detection.

Verification

  • To confirm that YARA is installed, from the command line, run:

    $ yara --version

    If YARA is installed, the command will display the version information.

  • From the command line, run:

    $ sudo insights-client --test-connection

    If the system is properly registered with Red Hat Lightspeed, the command will complete successfully and display a message that the connection test was successful.

  • To confirm that you created the YAML configuration file, locate the /etc/insights-client/malware-detection-config.yml file and confirm that it contains test_scan: false after your edit.
  • To confirm that the malware detection run completed without errors and that the Red Hat Lightspeed malware detection service shows the scan results, navigate to Security > Malware > Signatures. For a test scan, you should see only a few matches that are designed to be detected in a test scan.

2.3. Enable process scanning for malware detection

You can extend detection of threats on your RHEL systems by enabling the malware detection collector to scan processes in addition to files. By default, scanning processes is disabled. Process scanning is optional, but with it enabled, the collector still runs a filesystem scan first, then scans processes to find malware. Results appear in Security > Malware.

Prerequisites

  • You have root privileges on the system.
  • You have a /etc/insights-client/malware-detection-config.yml file (created when you first run the malware collector) and have set test_scan to false, which allows a full filesystem scan.

Procedure

  1. Edit /etc/insights-client/malware-detection-config.yml and set scan_processes to true.

    scan_processes: true
    Note

    Consider setting these related options while you are changing the configuration for process scanning. These options can help you manage performance when scanning processes, but they are not required to be set to enable process scanning:

    • processes_scan_only - to only scan certain processes on the system
    • processes_scan_exclude - to exclude certain processes from being scanned
    • processes_scan_since - to scan only recently started processes
  2. Run the collector again. When scan_processes is enabled, the collector performs a filesystem scan first, followed by a process scan. When the run completes, view results at Security > Malware.

    $ sudo insights-client --collector malware-detection

Verification

  • From the command line, open the /etc/insights-client/malware-detection-config.yml file and confirm that the scan_processes value is true.
  • The collector run completes without errors.
  • In Security > Malware, the latest scan shows the signatures that affect systems and processes.
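
The configuration checks from the two Verification lists above can be scripted. This is an added example, not part of the Red Hat documentation or tooling: it reads the configuration file and reports whether the next collector run will be a test scan, a full filesystem scan, or a filesystem scan followed by a process scan. The helper names cfg_value and scan_mode are hypothetical, and treating a missing or commented-out test_scan key as "unknown" is an assumption, because the page does not state the default.

```shell
#!/bin/sh
# Added example: report which scan the malware detection collector is set to run.
# The path and the test_scan / scan_processes keys are from the page;
# cfg_value and scan_mode are hypothetical helper names.
CONFIG="${CONFIG:-/etc/insights-client/malware-detection-config.yml}"

# Print the last top-level "key: value" for key $1 in file $2, lower-cased,
# with trailing comments and quotes removed. Prints nothing when the key is
# absent or commented out.
cfg_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
        tr -d "\"'" | tr '[:upper:]' '[:lower:]' | tail -n 1
}

# Print the configured mode and return: 0 full scan, 1 test scan only,
# 2 config file missing, 3 test_scan unset or not true/false.
scan_mode() {
    file="${1:-$CONFIG}"
    [ -r "$file" ] || { echo "missing"; return 2; }
    test_scan=$(cfg_value test_scan "$file")
    procs=$(cfg_value scan_processes "$file")
    case "$test_scan" in
        false) ;;
        true)  echo "test"; return 1 ;;   # results will not appear in the service
        *)     echo "unknown"; return 3 ;;
    esac
    # Process scanning is off unless scan_processes is explicitly true.
    if [ "$procs" = "true" ]; then
        echo "filesystem+processes"
    else
        echo "filesystem"
    fi
}

# Constructed sample config for demonstration; not taken from a real host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
test_scan: false      # edited after the first collector run
scan_processes: true
EOF
echo "sample config mode: $(scan_mode "$SAMPLE")"
rm -f "$SAMPLE"
```

On a RHEL host, call scan_mode with no argument as a user who can read the configuration file. A non-zero return status means the next collector run will not be a full scan, or that the setting needs review.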

Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.

2.4.1. User Access overview

Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.

You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.

If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:

  • Control user permissions and organize roles.
  • Create groups that include roles and their corresponding permissions.
  • Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.

All users on your account have access to most of the data in Red Hat Lightspeed.

2.4.2. Predefined groups in User Access

Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.

The Default access group
By default, the Default access group is assigned many granular predefined roles, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
Important

If your Organization Administrator modifies the Default access group, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.

The Default admin access group
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.

The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.

Tip

For a list of explicitly defined roles that are included in the Default access and Default admin access groups, log in to the Hybrid Cloud Console, go to Groups and select the respective group.

2.4.3. Predefined roles assigned to groups

Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.

The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.

Tip

Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.

2.4.4. Check your permissions

Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.

Note

Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
  2. If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, contact your Organization Administrator or a user with the User Access administrator role to request the permissions required to access those features and complete the actions you want to perform.

Results

All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.

You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.

2.4.5. Configure user permissions

If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.

Important

If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.

Prerequisites

  • You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.

Procedure

Results

From here, you can create and manage:

  • Roles to determine permissions to Red Hat Lightspeed services and features
  • Groups to include one or more roles to align with a specific persona, job function, or team in your organization
  • Users and their assignment to groups to inherit permissions from the roles assigned to those groups

Understand the predefined roles that control access to malware detection features in Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.

Important

There is no "default-group" role for malware detection service users.

To view data or control settings in the malware detection service, users must be members of the User Access group with one of the following roles:

Table 2.1. Permissions provided by the User Access roles

| User Access role | Grants permissions to … |
|---|---|
| Malware detection administrator | Read all malware detection data; Set user acknowledgment; Delete hits; Disable signature permissions |
| Malware detection viewer | Read All |

2.5. Run a malware detection scan

Run the malware detection collector on a registered RHEL host when you need an on-demand scan. After the scan completes, review the results in the Red Hat Lightspeed malware detection service. Scan time depends on configuration, how much of the system is scanned, and processes included in the scan.

Prerequisites

  • You have sudo access on the system when you run the insights-client command.

Procedure

  1. To scan a system, run:

    $ sudo insights-client --collector malware-detection
  2. View results at Security > Malware.

    Note

    You can configure a cron job to run malware detection scans at scheduled intervals. For steps and examples, see Setting up recurring scans for Red Hat Lightspeed services.

Verification

You can confirm that the scan ran successfully and results are in the malware detection service by checking the following:

  • The sudo insights-client --collector malware-detection command exits successfully.
  • Security > Malware shows a new or updated scan for the host.

View results of system scans on the Red Hat Hybrid Cloud Console to see threats that are a risk to your systems.

Prerequisites

  • YARA and the insights-client are installed and configured on the RHEL system.
  • You have logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer role.

Procedure

  1. Navigate to Security > Malware > Systems.
  2. View the dashboard to get a quick summary of all of your RHEL systems that have malware detection enabled and are reporting results.
  3. To view results for a specific system, use Filter by name in the search box.
  4. Click the name of a system to view its specific match details.

Verification

You can confirm that you are viewing the correct results for your system by checking the following:

  • After you filter by name in Security > Malware > Systems, the selected system’s detail view matches the system you intended.
  • After you click a system name, the malware detection service shows specific match details for that system.