Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Get started using the Red Hat Lightspeed malware detection service

To begin using the malware detection service, you must perform the following actions. Procedures for each action follow in this chapter.

Note

Some procedures require sudo access on the system and others require that the administrator performing the actions be a member of a User Access group with the Malware detection administrator role.

Expand
Table 2.1. Procedure and access requirements to set up malware detection service.
ActionDescriptionRequired privileges

Install YARA and configure the Red Hat Lightspeed client

Install the YARA application and configure the Red Hat Lightspeed client to use the malware detection service

Sudo access

Configure User Access on the Red Hat Hybrid Cloud Console

In Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups, create malware detection groups, and then add the appropriate roles and members to the groups

Organization Administrator on the Red Hat account

View results

See the results of system scans in the Hybrid Cloud Console

Membership in a User Access group with the Malware detection viewer role

Perform the following procedure to install YARA and the malware detection controller on the RHEL system, then run test and full malware detection scans and report data to the Red Hat Lightspeed application.

Prerequisites

  • The system operating system version must be RHEL 8 or RHEL 9.
  • The administrator must have sudo access on the system.
  • The system must have the Red Hat Lightspeed client package installed, and be registered to Red Hat Lightspeed.

Procedure

  1. Install YARA.

    Yara RPMs for RHEL 8 and RHEL 9 are available on the Red Hat Customer Portal: 

    $ sudo dnf install yara
    Copy to Clipboard Toggle word wrap
    Note

    Red Hat Lightspeed malware detection is not supported on RHEL 7.

  2. If not yet completed, register the system with Red Hat Lightspeed.

    Important

    The Red Hat Lightspeed client package must be installed on the system and the system registered with Red Hat Lightspeed before the malware detection service can be used.

    1. Install the Red Hat Lightspeed client RPM. 

      $ sudo yum install insights-client
      Copy to Clipboard Toggle word wrap

    2. Test the connection to Red Hat Lightspeed. 

      $ sudo insights-client --test-connection
      Copy to Clipboard Toggle word wrap

    3. Register the system with Red Hat Lightspeed. 

      $ sudo insights-client --register
      Copy to Clipboard Toggle word wrap

  3. Run the Red Hat Lightspeed client malware detection collector. 

    $ sudo insights-client --collector malware-detection
    Copy to Clipboard Toggle word wrap

    The collector takes the following actions for this initial run:

    • Creates a malware detection configuration file in /etc/insights-client/malware-detection-config.yml

    • Performs a test scan and uploads the results

      Note

      This is a very minimal scan of your system with a simple test rule. The test scan is mainly to help verify that the installation, operation, and uploads are working correctly for the malware detection service. There will be a couple of matches found but this is intentional and nothing to worry about. Results from the initial test scan will not appear in the malware detection service UI.

  4. Perform a full filesystem scan.

    1. Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false. 

      test_scan: false
      Copy to Clipboard Toggle word wrap

      Consider setting the following options to minimize scan time:

      • filesystem_scan_only - to only scan certain directories on the system
      • filesystem_scan_exclude - to exclude certain directories from being scanned
      • filesystem_scan_since - to scan only recently modified files

    2. Re-run the client collector: 

      $ sudo insights-client --collector malware-detection
      Copy to Clipboard Toggle word wrap

  5. Optionally, scan processes. This will scan the filesystem first, followed by a scan of all processes. After the filesystem and process scans are complete, view the results at Security > Malware.

    Important

    By default, scanning processes is disabled. There is an issue with YARA and scanning processes on Linux systems that may cause poor system performance. This problem will be fixed in an upcoming release of YARA, but until then it is recommended to NOT scan processes.

    1. To enable process scanning, set scan_processes: true in /etc/insights-client/malware-detection-config.yml. 

      scan_processes: true
      Copy to Clipboard Toggle word wrap
Note

Consider setting these processes related options while you are there: processes_scan_only - to only scan certain processes on the system processess_scan_exclude - to exclude certain processes from being scanned processes_scan_since - to scan only recently started processes

  1. Save the changes and run the collector again. 

    $ sudo insights-client --collector malware-detection
    Copy to Clipboard Toggle word wrap

User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):

  • Control user access by organizing roles instead of assigning permissions individually to users.
  • Create groups that include roles and their corresponding permissions.
  • Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.

All users on your account have access to most of the data in Red Hat Lightspeed.

2.2.1. Predefined User Access groups and roles
Copy link

To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:

  • Predefined groups

    The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.

    Note

    If the Organization Administrator makes changes to the Default access group its name changes to Custom default access group and it is no longer updated by Red Hat.

    The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.

    On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.

  • Predefined roles assigned to groups

    The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.

    The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.

    On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.

2.2.2. Access permissions
Copy link

The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.

If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.

Additional resources

For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC) with FedRAMP.

The following predefined roles on the Red Hat Hybrid Cloud Console enable access to malware detection features in Red Hat Lightspeed.

Important

There is no "default-group" role for malware detection service users. For users to be able to view data or control settings in the malware detection service, they must be members of the User Access group with one of the following roles:

Expand
Table 2.2. Permissions provided by the User Access roles
User Access RolePermissions

Malware detection viewer

  • Read All

Malware detection administrator

  • Read All
  • Set user acknowledgment
  • Delete hits
  • Disable signatures permissions

View results of system scans on the Hybrid Cloud Console.

Prerequisites

  • YARA and the Red Hat Lightspeed client are installed and configured on the RHEL system.
  • You must be logged into the Hybrid Cloud Console.
  • You are a member of a Hybrid Cloud Console User Access group with the Malware detection administrator or Malware detection viewer role.

Procedures

  1. Navigate to Security > Malware > Systems.
  2. View the dashboard to get a quick synopsis of all of your RHEL systems with malware detection enabled and reporting results.
  3. To see results for a specific system, use the Filter by name search box to search for the system by name.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat