
Chapter 2. Set up the Red Hat Lightspeed malware detection service


Learn how to set up the Red Hat Lightspeed malware detection service on RHEL systems by installing and configuring the insights-client, assigning User Access roles for malware detection administrators and viewers, running an on-demand malware detection scan, and reviewing scan results in the Hybrid Cloud Console.

Note

While some procedures require root privileges on the system, others require an administrator who is a member of a User Access group with at least one of the following roles:

  • Malware detection administrator
  • RHEL administrator

2.1. Malware detection service setup actions and required access

Learn which access and privileges you need to set up and enable the malware detection service. Then make the required access changes to your Red Hat Enterprise Linux systems.

The following table lists the main actions needed to set up the malware detection service, what each step involves, and the required access.

Each entry below lists the action, what it involves, and the privileges required.

Install YARA
  Description: Install the YARA application.
  Required privileges: Root privileges.

Configure the insights-client
  Description: Configure the insights-client to use the malware detection service and enable the malware detection collector.
  Required privileges: Root privileges.

Configure User Access in the Red Hat Hybrid Cloud Console
  Description: In User Access, create malware detection groups and then add the appropriate roles and members to the groups.
  Required privileges: Organization Administrator role on the Red Hat account.

Optional: Download CrowdStrike signatures
  Description:
  1. Create a target directory for the signatures, for example /etc/insights-client/signatures.
  2. Download the CrowdStrike YARA signatures into that directory, either manually from the CrowdStrike Falcon console or with an Ansible playbook that uses the crowdstrike.falcon collection. The CrowdStrike integration is supported only on systems that run Red Hat Enterprise Linux 9 or 10 and have YARA 4.5.2 or later installed.
  Required privileges: Root privileges; CrowdStrike Falcon Adversary Intelligence Premium license.

Optional: Enable process scanning
  Description: Set scan_processes to true in /etc/insights-client/malware-detection-config.yml and run the malware detection collector.
  Required privileges: Root privileges.

Scan your Red Hat Enterprise Linux systems
  Description: Run the malware detection collector scan on your Red Hat Enterprise Linux systems.
  Required privileges: Root privileges.

View results
  Description: See the results of system scans in the Hybrid Cloud Console.
  Required privileges: Membership in a User Access group with the Malware detection viewer role.

2.2. Install YARA and configure the insights-client

To start running malware detection scans and reporting data to the Red Hat Lightspeed application, install YARA and the malware detection collector on the RHEL system.

Prerequisites

  • You are installing YARA and the malware detection collector on a RHEL 8 or later system.
  • You have root privileges on the system.

Procedure

  1. Install YARA. (YARA RPMs for RHEL 8 and later are available on the Red Hat Customer Portal.)

    $ sudo dnf install yara

    To confirm that YARA is installed, run the following command from the command line:

    $ yara --version

    If YARA is installed, the command will display the version information.

    Note

    Red Hat Lightspeed malware detection is not supported on RHEL 7.

  2. Register the system with Red Hat Lightspeed.

    Important

    Using the malware detection service requires that you have the insights-client package installed on the system and the system registered with Red Hat Lightspeed.

    1. Install the insights-client RPM.

      $ sudo dnf install insights-client
    2. Test the connection to Red Hat Lightspeed. The command checks that the system can reach the Red Hat Lightspeed API; if it completes successfully, it displays a message that the connection test was successful.

      $ sudo insights-client --test-connection
    3. Register the system with Red Hat Lightspeed.

      $ sudo insights-client --register
  3. Run the insights-client malware detection collector to create a malware detection configuration file in /etc/insights-client/malware-detection-config.yml, perform a test scan and upload the results to Red Hat Lightspeed.

    $ sudo insights-client --collector malware-detection
    Note

    This is a very minimal scan of your system that helps verify the malware detection service is working correctly. The scan detects some matches to show you that the service is functioning.

    To confirm the test scan completed, navigate to Security Malware Signatures in the Red Hat Hybrid Cloud Console. You should see a few test matches that are designed to be detected.

  4. Perform a full filesystem scan.

    1. Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false.

      test_scan: false

      Consider setting the following options to minimize scan time:

      • filesystem_scan_only - to only scan certain directories on the system
      • filesystem_scan_exclude - to exclude certain directories from being scanned
      • filesystem_scan_since - to scan only recently modified files
    2. Run the insights-client --collector again:

      $ sudo insights-client --collector malware-detection

      To optionally scan processes after a full filesystem scan, see Enable process scanning for malware detection.

Verification

To confirm that the full filesystem scan completed without errors and the Red Hat Lightspeed malware detection service shows the scan results:

  • Navigate to Security Malware Signatures in the Red Hat Hybrid Cloud Console. The scan results from your full filesystem scan should now be displayed.

2.3. Enable process scanning for malware detection

Extend threat detection by enabling the malware detection collector to scan running processes. When enabled, the collector performs a filesystem scan first, then scans processes for malware.

Prerequisites

  • You have root privileges on the system.
  • You have a /etc/insights-client/malware-detection-config.yml file (created the first time you run the malware detection collector) and have set test_scan to false, which enables a full filesystem scan.

Procedure

  1. Edit /etc/insights-client/malware-detection-config.yml and set scan_processes to true.

    scan_processes: true
    Note

    Consider setting these related options while you are changing the configuration for process scanning. These options can help you manage performance when scanning processes, but they are not required to be set to enable process scanning:

    • processes_scan_only - to only scan certain processes on the system
    • processes_scan_exclude - to exclude certain processes from being scanned
    • processes_scan_since - to scan only recently started processes
  2. Run the collector again. It performs a filesystem scan first, followed by a process scan when scan_processes is enabled. When the run completes, view the results at Security > Malware.

    $ sudo insights-client --collector malware-detection

Verification

  • From the command line, confirm that scan_processes is set to true in /etc/insights-client/malware-detection-config.yml.
  • The collector run completes without errors.
  • In Security > Malware on the Red Hat Hybrid Cloud Console, the latest scan shows the signatures that affect systems and processes.
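The following script is an added example for step 4 of section 2.2 and step 1 of section 2.3; it is not part of the Red Hat documentation or of insights-client. It changes scalar options in /etc/insights-client/malware-detection-config.yml in place, so the comments and other options written by the first collector run survive, and reads them back for the verification step. The sample file it runs on is constructed here and is only an assumption about the real file's layout; the --apply flag and the CONFIG variable are this script's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or insights-client:
# edit scalar options in malware-detection-config.yml in place and read
# them back, as the procedures in sections 2.2 and 2.3 require.
set -eu

CONFIG="${CONFIG:-/etc/insights-client/malware-detection-config.yml}"

# Set KEY to VALUE in the YAML file FILE. A top-level option that is present,
# possibly commented out with a leading '#', is rewritten on its own line; an
# absent option is appended. List-valued options (filesystem_scan_exclude and
# friends) are not handled, and VALUE must not contain '|' or '&'.
set_config_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#? *${key}:" "$file"; then
        sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY (nothing if it is unset or commented out).
get_config_option() {
    awk -v k="$2" '$1 == (k ":") { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

# Full filesystem scan (section 2.2) followed by a process scan (section 2.3).
configure_full_and_process_scan() {
    set_config_option "$1" test_scan false
    set_config_option "$1" scan_processes true
}

# Verification from section 2.3: both values must read back as expected.
verify_scan_config() {
    [ "$(get_config_option "$1" test_scan)" = "false" ] &&
    [ "$(get_config_option "$1" scan_processes)" = "true" ]
}

# Demonstration on a constructed sample (an assumption about the layout of the
# real file, which carries more options and comments), so it runs without root.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample of malware-detection-config.yml
test_scan: true
#scan_processes: false
filesystem_scan_exclude:
- /proc
- /sys
EOF
configure_full_and_process_scan "$SAMPLE"
verify_scan_config "$SAMPLE"
echo "sample: test_scan=$(get_config_option "$SAMPLE" test_scan)" \
     "scan_processes=$(get_config_option "$SAMPLE" scan_processes)"

# With --apply, run as root: change the real file, verify it, run the collector.
if [ "${1:-}" = "--apply" ]; then
    configure_full_and_process_scan "$CONFIG"
    verify_scan_config "$CONFIG" || { echo "config not applied" >&2; exit 1; }
    insights-client --collector malware-detection
fi
```

Run it without arguments to exercise the functions on the constructed sample; run `sudo sh malware-config.sh --apply` on a registered host to edit the real file and start the scan. Editing in place rather than overwriting keeps the collector's own comments and the list-valued exclusions intact.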

2.4. Add CrowdStrike YARA signatures to extend protection to RHEL systems

To detect threats on RHEL systems, you can integrate CrowdStrike YARA signatures with the malware detection service. You can download signature rules manually from the CrowdStrike Falcon console or automate the process by using an Ansible playbook.

Note
  • This workflow supports only the official CrowdStrike integration. You cannot upload custom YARA rules to the malware detection service.
  • For information about automating signature downloads with Ansible, see the CrowdStrike Falcon Adversary Intelligence Premium documentation and the crowdstrike.falcon Ansible collection documentation.

Prerequisites

  • The CrowdStrike integration is supported only on systems that run Red Hat Enterprise Linux 9 or 10 and have YARA 4.5.2 or later installed.
  • You have installed the YARA tool and the insights-client.
  • You have membership in a User Access group with at least the Malware detection viewer or RHEL viewer role.
  • You have a CrowdStrike user account with permissions to access CrowdStrike Falcon Adversary Intelligence Premium and an active license enabled. For more information, see CrowdStrike Falcon® Counter Adversary Operations Elite documentation, and the Red Hat Knowledgebase article, Integrating Red Hat Lightspeed with CrowdStrike for enhanced malware detection coverage.
  • You have access to the latest CrowdStrike documentation for up-to-date procedures and YARA signature export and automation tools, such as the crowdstrike.falcon Ansible collection.
  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. From the command line, create a target directory to store your CrowdStrike signatures.

    $ sudo mkdir -p /etc/insights-client/signatures
  2. In the CrowdStrike Falcon console, navigate to Counter Adversary Operations > Intelligence Operations > Hunting guides.
  3. Select Hunting queries and rules.
  4. Filter by Language: YARA.
  5. Filter by Environment: Any and Linux.
  6. Click Apply.
  7. Click Export to open the drop-down list that contains options to choose the file format of the download.
  8. Select YARA (tar.gz) from the list.
  9. Extract the contents of the downloaded .tar.gz file into /etc/insights-client/signatures.

Verification

To confirm that the CrowdStrike signatures are extending protection for your RHEL systems, run a scan of the system and review the scan results in the malware detection service.

  • From the command line, run a full scan of your system:

    $ sudo insights-client --collector malware-detection
  • Navigate to Security > Malware.
  • Confirm that the Source column displays CrowdStrike. By default, the view displays all signatures, matched and unmatched.

    Note

    On first use, the default view shows both CrowdStrike and IBM signatures. Select the card with the IBM or CrowdStrike logo to restrict the view to that source's signatures.
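The following script is an added example for this section; it is not part of the Red Hat or CrowdStrike documentation. It checks the integration prerequisites listed above (RHEL 9 or 10, YARA 4.5.2 or later) and unpacks an exported YARA (tar.gz) bundle into the signatures directory only after inspecting the archive for member paths that would write outside that directory. Current GNU tar already refuses such members on extraction; the check makes that refusal explicit before anything is written under /etc and also rejects symlink and hard-link members. The sample archives and os-release files are constructed here, the CrowdStrike export's internal layout is not reproduced, and the --install flag and SIGNATURE_DIR variable are this script's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat or CrowdStrike documentation:
# prerequisite checks for the CrowdStrike integration and a guarded unpack of
# an exported YARA bundle into the signatures directory.
set -eu

SIGNATURE_DIR="${SIGNATURE_DIR:-/etc/insights-client/signatures}"
MIN_YARA_VERSION="4.5.2"

# Return 0 if dotted version $1 is greater than or equal to $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Extract the x.y.z version from the output of 'yara --version'.
yara_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print the major version from an os-release file (VERSION_ID="9.4" -> 9).
os_major_version() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p' "$1"
}

# Return 0 if the os-release file describes RHEL 9 or RHEL 10.
os_supported_for_crowdstrike() {
    local major
    major="$(os_major_version "$1")"
    grep -q '^ID="\{0,1\}rhel' "$1" && { [ "$major" = 9 ] || [ "$major" = 10 ]; }
}

# Return 0 unless the tar.gz at $1 contains an absolute member path, a '..'
# path component, or a symlink or hard-link member. -P makes tar list member
# names as stored rather than normalizing them.
archive_paths_are_safe() {
    if tar -P -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then return 1; fi
    if tar -P -tvzf "$1" | grep -Eq '^[lh]'; then return 1; fi
    return 0
}

# After the safety check, unpack the bundle into $2 owned by the extracting
# user (root under sudo) with 0644 rule files, and print how many .yar/.yara
# files are now present there.
install_signature_bundle() {
    local bundle="$1" dest="$2"
    archive_paths_are_safe "$bundle"
    mkdir -p "$dest"
    tar -xzf "$bundle" -C "$dest" --no-same-owner --no-same-permissions
    find "$dest" -type f \( -name '*.yar' -o -name '*.yara' \) -exec chmod 0644 {} +
    find "$dest" -type f \( -name '*.yar' -o -name '*.yara' \) | wc -l | tr -d ' '
}

# Constructed samples: a well-formed bundle, one with a traversal member
# (created with -P so tar keeps the '..'), and RHEL 9 and RHEL 8 os-release files.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/src/rules"
printf 'rule constructed_marker { strings: $s = "constructed-sample" condition: $s }\n' \
    > "$WORK/src/rules/sample.yar"
tar -czf "$WORK/good.tar.gz" -C "$WORK/src" rules
printf 'rule escape { condition: false }\n' > "$WORK/escape.yar"
tar -P -czf "$WORK/bad.tar.gz" -C "$WORK/src" ../escape.yar
printf 'ID="rhel"\nVERSION_ID="9.4"\n' > "$WORK/os-release-rhel9"
printf 'ID="rhel"\nVERSION_ID="8.10"\n' > "$WORK/os-release-rhel8"

os_supported_for_crowdstrike "$WORK/os-release-rhel9"
version_ge "$(yara_version_from_output 'yara 4.5.10')" "$MIN_YARA_VERSION"
if archive_paths_are_safe "$WORK/bad.tar.gz"; then echo "traversal not detected" >&2; exit 1; fi
echo "sample bundle installed: $(install_signature_bundle "$WORK/good.tar.gz" "$WORK/dest") rule file(s)"

# With --install BUNDLE, run as root: check this host, unpack into SIGNATURE_DIR,
# then run the collector so the new signatures are used (section 2.4 verification).
if [ "${1:-}" = "--install" ]; then
    os_supported_for_crowdstrike /etc/os-release || { echo "RHEL 9 or 10 required" >&2; exit 1; }
    version_ge "$(yara_version_from_output "$(yara --version 2>&1)")" "$MIN_YARA_VERSION" \
        || { echo "YARA $MIN_YARA_VERSION or later required" >&2; exit 1; }
    install_signature_bundle "$2" "$SIGNATURE_DIR"
    insights-client --collector malware-detection
fi
```

Run it without arguments to exercise the checks on the constructed samples; run `sudo sh crowdstrike-signatures.sh --install ~/Downloads/<export>.tar.gz` on the target host to unpack a real export into /etc/insights-client/signatures and start a scan. The archive inspection is the part worth keeping even if you script the download with the crowdstrike.falcon collection instead: a third-party archive is being unpacked as root under /etc, so its member paths deserve a look before extraction.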

2.5. Manage user permissions for Red Hat Lightspeed services

Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.

2.5.1. User Access overview

Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.

You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.

If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:

  • Control user permissions and organize roles.
  • Create groups that include roles and their corresponding permissions.
  • Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.

2.5.2. Predefined groups in User Access

Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.

The Default access group
By default, the Default access group is assigned many granular predefined roles, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
Important

If your Organization Administrator modifies the Default access group, for example, by removing roles to restrict access to specific applications or to use the consolidated roles, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.

The Default admin access group
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.

The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.

Tip

For a list of explicitly defined roles that are included in the Default access and Default admin access groups, log in to the Hybrid Cloud Console, go to Groups and select the respective group.

2.5.3. Predefined roles assigned to groups

Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.

The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.

By default, Red Hat provides a set of consolidated roles and a set of granular roles in the Red Hat Hybrid Cloud Console User Access UI. The consolidated roles significantly reduce the administrative effort required to manage user permissions, while the granular roles provide more fine-tuned control over specific features of Red Hat Lightspeed.

You can use the predefined consolidated and granular roles in User Access simultaneously, but using consolidated roles can significantly reduce the administrative effort.

Select from the predefined consolidated roles library

The Red Hat Hybrid Cloud Console provides three predefined, consolidated User Access roles to help you manage user permissions to Red Hat Lightspeed applications and services that run on registered Red Hat Enterprise Linux systems. These roles help simplify how the Organization Administrator creates groups and permissions for various levels of access to the Red Hat Lightspeed services. If you want to reduce the administrative effort required to manage user permissions and your use case aligns with the permissions included in these roles, select from the consolidated roles library.

The consolidated roles are as follows:

RHEL viewer: The RHEL viewer role provides users visibility without the ability to make changes. It allows read-only access to Red Hat Lightspeed. You can view system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.

RHEL operator: The RHEL operator role allows active management of your Red Hat Lightspeed environment. With this role, you can edit system configurations, inventory details, policies, and notification/integration settings. The RHEL operator role allows many of the RHEL administrator role functions, but it is restricted from editing compliance policies, content source templates, policies, or tasks. In addition, the RHEL operator role cannot execute remediation plans.

RHEL administrator: The RHEL administrator role provides comprehensive administrative privileges across your RHEL systems and Red Hat Lightspeed. With this role, you can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. The role can also view and modify all vulnerability settings.

Important

To use the consolidated roles effectively, you might need to remove the granular RHEL roles from the Default access group to prevent permission conflicts. This action automatically changes the name of the predefined Default access group to Custom default access group, after which, it is no longer automatically updated by Red Hat.

See Predefined User Access roles for a list of the roles included in the Default admin access group and a reference table that lists most of the predefined groups and roles that are available in the Red Hat Hybrid Cloud Console and the permissions included in each role.

Granular roles
The granular roles are specific roles for individual services that allow for fine-tuned control over specific features of Red Hat Lightspeed, for example, Inventory Hosts administrator or Compliance viewer. If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the consolidated roles, use the granular predefined roles.
Tip

Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to create and view remediations, the Prerequisites section for that procedure lists the Remediations user or other valid role as a recommended predefined role to use for that procedure.

2.5.4. Check your permissions

Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.

Note

Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
  2. Optional: If you require additional permissions, use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.

Results

All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.

You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.

2.5.5. Configure user permissions

If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.

Important

If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.

Prerequisites

  • You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.

Procedure

Results

From here, you can create and manage:

  • Roles to determine permissions to Red Hat Lightspeed services and features
  • Groups to include one or more roles to align with a specific persona, job function, or team in your organization
  • Users and their assignment to groups to inherit permissions from the roles assigned to those groups

2.5.6. User Access roles for permissions to malware detection features

Understand the predefined roles that control access to malware detection features in Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.

Important

There is no "default-group" role for malware detection service users.

To view data or control settings in the malware detection service, users must be members of a User Access group with one of the following roles:

Table 2.1. Permissions provided by the User Access roles. Each entry names a User Access role and lists the permissions it grants.

Malware detection administrator

  • Read all malware detection data
  • Set user acknowledgment
  • Delete hits
  • Disable signatures

Malware detection editor

  • Read All
  • Set user acknowledgment

Malware detection viewer

  • Read All

RHEL administrator

  • Do everything that a RHEL operator can do.
  • Administer RHEL system configs, inventory, compliance, notifications, patch management, execute remediation plans, malware detection, and advisor.
  • View and modify vulnerability settings.

RHEL operator

  • Do everything that a RHEL viewer can do.
  • Edit system configs, inventory, policies, notifications, and integrations.
  • View compliance reports, patch info, malware detections, and recommendations.
  • Create remediation plans, manage stale data, and change vulnerability settings.
Note

The RHEL operator role is restricted from editing compliance policies, content source templates, policies, or tasks. Also, the RHEL operator role cannot execute remediation plans.

RHEL viewer

  • Read all available data across Red Hat Lightspeed services and features.

    • View system configs, compliance reports, inventory data, patch info, vulnerabilities, and more to observe the state of resources or activities.
Note

Cannot perform actions other than generating activation keys.

2.6. Run a malware detection scan

Run the malware detection collector on a registered RHEL host when you need an on-demand scan. After the scan completes, review the results in the Red Hat Lightspeed malware detection service. Scan time depends on configuration, how much of the system is scanned, and processes included in the scan.

Prerequisites

  • You have sudo access on the system when you run the insights-client command.
  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. To scan a system, run

    $ sudo insights-client --collector malware-detection
  2. View results at Security > Malware.

Verification

You can confirm that the scan ran successfully and results are in the malware detection service by checking the following:

  • The sudo insights-client --collector malware-detection command exits successfully.
  • Security > Malware shows a new or updated scan for the host.

2.7. View malware detection scan results in the Red Hat Hybrid Cloud Console

View results of system scans on the Red Hat Hybrid Cloud Console to see threats that are a risk to your systems.

Prerequisites

  • YARA and the insights-client are installed and configured on the RHEL system.
  • Optional: You have installed CrowdStrike signatures and completed the prerequisites for CrowdStrike.
  • You have logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.

Procedure

  1. Navigate to Security > Malware > Systems.
  2. View the dashboard to get a quick summary of all of your RHEL systems that have malware detection enabled and are reporting results.
  3. To view results for a specific system, use Filter by name in the search box.
  4. Click the name of a system to view its specific match details.

Verification

You can confirm that you are viewing the correct results for your system by checking the following:

  • After you filter by name in Security > Malware > Systems, the selected system's detail view matches the system you intended.
  • After you click a system name, the malware detection service shows specific match details for that system.