Red Hat Insights second malware scan not updating in dashboard

Many thanks Christian, much appreciated!

I actually saw your messages this morning, and tried afterwards to get more info or hopefully clear the issue by trying a simple move - remove insghts-client and install it again, sorry for not having tried it before :) - but two things happened :

1°) Before uninstalling the insights-client package, I ran 3 scans and the last one returned the following error message:

$ sudo insights-client --collector malware-detection Unable to fetch egg url https://cert-api.access.redhat.com/r/insights/platform/module-update-router/v1/channel?module=insights-core: 403: Forbidden. Defaulting to /release

The scan nevertheless proceeded but, as for the two previous ones today, the scan reports didn't appear in the dashboard, even after sometime and reloading the dashboard.

Since we last spoke here, as promised, I moved, for my daily RHEL config, from the STIG/FIPS one backto CIS workstation 2.

2°) After removing insights-client with dnf, I reinstalled it but this time, the "-- collector malware-detection" argument wasn't recognised in the CLI.

$ sudo insights-client --collector malware-detection usage: insights-client [-h] [--ansible-host ANSIBLE_HOST] [--checkin] [--compliance] [--conf CONF] [--disable-schedule] [--display-name DISPLAY_NAME] [--enable-schedule] [--group GROUP] [--keep-archive] [--list-specs] [--logging-file LOGGING_FILE] [--net-debug] [--no-upload] [--offline] [--output-dir OUTPUT_DIR] [--output-file OUTPUT_FILE] [--quiet] [--register] [--force-reregister] [--retry RETRIES] [--show-results] [--silent] [--status] [--support] [--test-connection] [--unregister] [--validate] [--verbose] [--version] [--payload PAYLOAD] [--content-type CONTENT_TYPE] [--diagnosis [DIAGNOSIS]] insights-client: error: unrecognized arguments: --collector malware-detection

Just removed/re-installed insights-client, and it looks the "--collector" is still not displayed at the moment.

Kind regards,

Alex

Hi again Christian,

Just ran the work around you shared and Inisights is back : a first scan was completed and I can see it in the dashboard - many thanks for having dealt with this so quickly !

For information on this workaround, the first and the last files could be removed, the other files in my computer were already removed so the command said the files were not there. I am going to do the full scan (not the initial one) later today and will share an update here - but again, many thanks !

Hi Christian,

I am back online : so...in fact, the workaround cleaned the situation and re-enabled the package to work properly - no more issue with the argument "--collector" - but it looks that the scan results don't get in the dashboard, except for the first one.

To recap, my initial installation was done following the guide Assessing and Reporting Malware Signatures on RHEL Systems with the Insights for RHEL Malware Service. I checked the command history and it looks it was all done, including the config file n /etc.

Here, I followed all the steps again, the issue with the argument is solved, the first initial scan appeared in the dashboard, that's ok. The config file has been changed so that test_scan is set to false, the scan is run and the CLI mentions that the results are being uploaded, but they don't appear in the dashboard.

Two things that I can think of that may have a link: - last week I installed Maldet to but it was quickly uninstalled it (removed all files) - since this reinstall, the registration for software subscription seems a bit unstable for some reason : I had to re-register the system once or twice, and even when it seems ok, notifications are being displayed from time to time a,d saying the registration is successful, while the system was already supposed to be registered.

Just in case it might bring some useful info.

Kind regards

Hi Christian,

Many thanks for the update, for the above message too and for sharing the link to the bug filed on Red Hat bugzilla: I joined and also added myself to the cc list, thanks for the info :)

This looks indeed to be the same issue/bug so I'll stay posted.

Best regards,

Alex (nb: typo edited...)

Hi again Christian,

Just back on this thread please, as I wonder if that issue with Insights, met on my computer and a few other ones (cf the bug in bugzilla) may not have a link with the status of registration / subscription management / system purpose etc.

Occasionally, I noticed that my system was getting notifications that my Red Hat workstation can't received updates, and then that the OS is registered again, without me doing anything about it in between.

I have tried to dig a little bit into that this morning, and noticed there were some mismatches between the status of my computer as to what's visible in CLI and what was visible in the subscription management console.

There was also a mismatch between the license usage (none visible while one was being used). That mismatch could be solved but still the status of "subscription management" and "system purpose" appear as unknown or not specified.

Then, even after updating the system status in CLI, it didn't appear as updated neither on the console nor when checking that with another CLI command.

For instance : in the subscription console, the system purpose is displayed as unknown, so I have updated this in CLI with

$ sudo subscription-manager syspurpose role --list
+-------------------------------------------+
               Available role
+-------------------------------------------+
 - Red Hat Enterprise Linux Workstation
 - Red Hat Enterprise Linux Server
 - Red Hat Enterprise Linux Compute Node

$ sudo subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.

System Purpose Status: Disabled            

$ sudo subscription-manager syspurpose role --set="Red Hat Enterprise Linux Workstation"
role set to "Red Hat Enterprise Linux Workstation" 

However, after this command, the console still displays the system purpose as unknown (in the RH portal then systems > details), but also in CLI, as :

$ sudo subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.

System Purpose Status: Disabled  

$sudo subscription-manager list --consumed
No consumed subscription pools were found.

$ sudo subscription-manager list --available --all
No available subscription pools to list

That looks a bit similar to the issue about system purpose mismatch reported on Red Hat 7 in 2020 here but using the CLI to set purpose doesn't seem to update this status.

Wondering please if there is a way to re-baseline the subscription management & system purpose settings post-installation ? I checked the RHEL 9 installation guide and the basic administration guide, but still, not too sure how see the right status for subscription status or the system purpose in the local web console.

I also wonder if the Simple Content Access should be enabled or disabled? At the moment, it is enabled (this morning, I disabled it, then re-enabled).

What I would like to do is to make sure that everything is clean on my system from a subscription / purpose perspective, and then see if there is a match between settings seen via CLI and those on the Red Hat subscription portal, if the un-registering/re-registering of subscription stops, and then see if there is a change with the display of malware scans in the Insights portal. Hoping not missing something too obvious there :-)

Kind regards,

Alex