Chapter 2. Get started using the Insights for RHEL malware-detection service

To begin using the malware-detection service, the following actions must be performed. Procedures for each action follow in this chapter.

Note

Some procedures require sudo access on the system and others require that the administrator performing the actions be a member of a User Access group with the Malware detection administrator role.

Table 2.1. Procedure and access requirements to set up malware-detection service.

| Action | Description | Required privileges |
|---|---|---|
| Install YARA and configure the Insights client | Install the YARA application and configure the Insights client to use the malware-detection service | Sudo access |
| Configure User Access on the Red Hat Hybrid Cloud Console | In Red Hat Hybrid Cloud Console > User Access > Groups, create malware-detection groups, and then add the appropriate roles and members to the groups | Organization Administrator on the Red Hat account |
| View results | See the results of system scans in the Hybrid Cloud Console | Membership in a User Access group with the Malware detection viewer role |

2.1. Installing YARA and configuring the Insights client

Perform the following procedure to install YARA and the malware-detection controller on the RHEL system, then run test and full malware-detection scans and report data to the Insights for RHEL application.

Prerequisites

  • The operating system must be RHEL8 or RHEL9.
  • The administrator must have sudo access on the system.
  • The system must have the Insights client package installed, and be registered to Insights for RHEL.

Procedure

  1. Install YARA.

    YARA RPMs for RHEL8 and RHEL9 are available on the Red Hat Customer Portal:

    $ sudo yum install yara

    Note

    Insights for RHEL malware-detection is not supported on RHEL7.

  2. If not yet completed, register the system with Insights for RHEL.

    Important

    The Insights client package must be installed on the system and the system registered with Insights for RHEL before the malware-detection service can be used.

    1. Install the Insights client RPM.

      $ sudo yum install insights-client

    2. Test the connection to Insights for RHEL.

      $ sudo insights-client --test-connection

    3. Register the system with Insights for RHEL.

      $ sudo insights-client --register

  3. Run the Insights client malware-detection collector.

    $ sudo insights-client --collector malware-detection

    The collector takes the following actions for this initial run:

    • Creates a malware-detection configuration file in /etc/insights-client/malware-detection-config.yml
    • Performs a test scan and uploads the results

      Note

      This is a very minimal scan of your system with a simple test rule. The test scan is mainly to help verify that the installation, operation, and uploads are working correctly for the malware-detection service. There will be a couple of matches found but this is intentional and nothing to worry about. Results from the initial test scan will not appear in the malware-detection service UI.

  4. Perform a full filesystem scan.

    1. Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false.

      test_scan: false

      Consider setting the following options to minimize scan time:

      • filesystem_scan_only - to only scan certain directories on the system
      • filesystem_scan_exclude - to exclude certain directories from being scanned
      • filesystem_scan_since - to scan only recently modified files
    2. Re-run the client collector:

      $ sudo insights-client --collector malware-detection
  5. Optionally, scan processes. With process scanning enabled, the collector scans the filesystem first and then scans all processes. After the filesystem and process scans are complete, view the results at Red Hat Enterprise Linux > Malware.

    Important

    By default, scanning processes is disabled. There is an issue with YARA and scanning processes on Linux systems that may cause poor system performance. This problem will be fixed in an upcoming release of YARA, but until then it is recommended to NOT scan processes.

    1. To enable process scanning, set scan_processes: true in /etc/insights-client/malware-detection-config.yml.

      scan_processes: true

      Note

      Consider setting these process-related options while you are there:

      • processes_scan_only - to only scan certain processes on the system
      • processes_scan_exclude - to exclude certain processes from being scanned
      • processes_scan_since - to scan only recently started processes

    2. Save the changes and run the collector again.

      $ sudo insights-client --collector malware-detection
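The configuration steps above (steps 4 and 5) are normally done by hand in an editor. The script below is an added example, not part of the Red Hat documentation or of the insights-client project, that performs the same edits idempotently and then re-runs the collector: it switches test_scan to false, keeps scan_processes explicitly false as the Important note recommends, narrows the filesystem scan with the filesystem_scan_only, filesystem_scan_exclude and filesystem_scan_since options, and re-runs the collector command from the procedure. The YAML list form of the *_scan_only/*_scan_exclude options, the "number of days" form of filesystem_scan_since, the scope paths, and the MALWARE_CONFIG override variable are assumptions made for the example; check them against the comments in your own malware-detection-config.yml before applying.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation or the insights-client project).
# Prepares /etc/insights-client/malware-detection-config.yml for a scoped full
# filesystem scan, keeps process scanning disabled, and re-runs the collector.
# Assumptions about the file format: *_scan_only / *_scan_exclude take a YAML list
# of paths, and filesystem_scan_since takes a number of days. MALWARE_CONFIG is a
# hypothetical override so the functions can be exercised against a copy of the file.
# Run as root to apply:  sudo sh malware-scan-setup.sh --apply

CONFIG="${MALWARE_CONFIG:-/etc/insights-client/malware-detection-config.yml}"

# set_scalar FILE KEY VALUE
# Rewrite an existing top-level "KEY: ..." line, or append one if the key is absent.
# Commented-out "#KEY:" lines are left alone and do not count as present.
set_scalar() {
    file=$1 key=$2 value=$3
    if grep -q "^$key:" "$file"; then
        awk -v k="$key" -v v="$value" '
            index($0, k ":") == 1 { print k ": " v; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# set_list FILE KEY ITEM...
# Drop any existing "KEY:" block together with its "  - item" lines, then append
# the key with the given items, so repeated runs do not accumulate entries.
set_list() {
    file=$1 key=$2
    shift 2
    awk -v k="$key" '
        index($0, k ":") == 1 { skip = 1; next }
        skip && /^[ \t]*- /   { next }
        { skip = 0; print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s:\n' "$key" >> "$file"
    for item in "$@"; do
        printf '  - %s\n' "$item"
    done >> "$file"
}

# Step 4 of the procedure, plus an explicit scan_processes: false (see the
# Important note under step 5). The scope paths are illustrative.
configure_full_scan() {
    set_scalar "$CONFIG" test_scan false
    set_scalar "$CONFIG" scan_processes false
    set_list   "$CONFIG" filesystem_scan_only /etc /home /var/www /tmp
    set_list   "$CONFIG" filesystem_scan_exclude /var/www/cache
    set_scalar "$CONFIG" filesystem_scan_since 7   # assumed: files modified in the last 7 days
}

# Re-run the collector exactly as the procedure does. Needs a registered
# Insights client, so it only runs when the script is invoked with --apply.
run_scan() {
    sudo insights-client --collector malware-detection
}

if [ "${1:-}" = "--apply" ]; then
    configure_full_scan && run_scan
fi
```

Because set_scalar replaces an existing line rather than appending a duplicate, and set_list removes the old block before writing the new one, the script can be re-run after changing the scope without leaving stale keys for the collector to pick up.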

2.2. Configure malware-detection groups, roles, and members in User Access

An Organization Administrator must create malware-detection groups in Red Hat Hybrid Cloud Console > User Access > Groups and add the necessary malware-detection roles and members (registered users on the account).

Important

There is no "default-group" role for malware-detection service users. For users to be able to view data or control settings in the malware-detection service, they must be members of one or more User Access groups with one of the following roles:

  • Malware detection viewer
  • Malware detection administrator
Note

Currently there is no difference in the privileges conferred by those roles, but as new features emerge in the coming months, certain actions will only be available to admin users.

Resources

See the full documentation for configuring User Access on Red Hat Hybrid Cloud Console: User Access Configuration Guide for Role-based Access Control (RBAC).

2.2.1. Creating and configuring malware-detection groups in User Access

The following procedure shows how an Organization Administrator on the account creates a User Access group, adds the Malware detection administrator role to the group, and then adds members who will have administrator privileges in the malware-detection service.

Regardless of the purpose, roles, or members, the following instructions are the same for creating any group in User Access. The Organization Administrator should create one group for administrators and another group for viewers.

Important

Currently, there is no difference between the privileges conferred by the Malware detection administrator and viewer roles; however, this will change in a future release.

Prerequisites

You must be logged into your Red Hat Hybrid Cloud Console account as an Organization Administrator.

Procedure

  1. Click the gear icon in the upper right quadrant of the application window and select Settings.

  2. Navigate to Red Hat Hybrid Cloud Console > User Access > Groups.
  3. Click Create group.
  4. Enter a group name, for example, Malware Administrators, and a description, then click Next.
  5. Select the role to add to this group, for example, Malware detection administrator. Click the checkbox for that role, then click Next.
  6. Add members to the group. Search for individual users or filter by username, email, or status. Check the box next to each intended member’s name and click Next.
  7. Review the details to make sure everything is correct. Click Back if you need to go back and change something.
  8. Click Submit to finish creating the group.

2.3. Viewing malware-detection scan results in the Red Hat Hybrid Cloud Console

View results of system scans on the Hybrid Cloud Console.

Prerequisites

  • YARA and the Insights client are installed and configured on the RHEL system using the procedures described in Chapter 2 of this document.
  • You must be logged into the Hybrid Cloud Console.
  • You are a member of a Hybrid Cloud Console User Access group with the Malware detection administrator or Malware detection viewer role.

Procedure

  1. Navigate to Red Hat Enterprise Linux > Malware > Systems.
  2. View the dashboard to get a quick synopsis of all of your RHEL systems with malware-detection enabled and reporting results.
  3. To see results for a specific system, use the Filter by name search box to search for the system by name.