Opting Out of Sending Metadata from Red Hat Lightspeed (Insights) Client
The mechanism for excluding specific data is being enhanced, and the new configuration will eventually replace remove.conf. For more information, see Yaml-style Denylist configuration for Red Hat Lightspeed (Insights) Client.
The Red Hat Lightspeed (Insights) collection agent has the ability to exclude (deny) entire files, specific commands, specific patterns, and specific keywords from the data that is sent to Red Hat.
To enable these exclusions, you must create a file called /etc/insights-client/remove.conf and specify this file in the remove_file line of /etc/insights-client/insights-client.conf, as in the following example:
remove_file=/etc/insights-client/remove.conf
Within the remove.conf file, there are four options available to control the types of information that are sent to Red Hat.
- files: A comma-separated list of files to be excluded. Each element in the list of files must be the absolute path to the file. To ensure exclusion, file names listed here must match exactly what is shown in the collection rules.
- commands: A comma-separated list of commands that should not be executed and whose output should not be sent. To ensure exclusion, command names listed here must match exactly what is shown in the collection rules.
- patterns: A comma-separated list of patterns that should not be sent. Importantly, patterns affect entire lines so any line that includes a matching pattern will not be sent.
- keywords: A comma-separated list of keywords that should not be sent. Matching keywords will be replaced with the literal keyword. For this option to take effect, the obfuscate option must be set to True in the /etc/insights-client/insights-client.conf file.
NOTE: Regular expressions are not supported for all values of these options.
The structure of the remove.conf file must match what is shown below.
[remove]
files=/etc/cluster/cluster.conf,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=super$ecret,ultra$ecret
You can validate that your exclusions are having an effect with the insights-client --no-upload command. This command will perform a test run and save the output to a local temporary directory. The contents of this directory show all the data that will be sent to Red Hat and can be inspected to ensure satisfactory denylisting results.
# insights-client --no-upload
Attempting to download collection rules from https://cert-api.access.redhat.com/r/insights/v1/static/uploader.json
Successfully downloaded collection rules
Attempting to download collection rules GPG signature from https://cert-api.access.redhat.com/r/insights/v1/static/uploader.json.asc
Successfully downloaded GPG signature
Verifying GPG signature of Insights configuration
Starting to collect Insights data
See Insights data in /var/tmp/dJmbXS/insights-localhost-20151113145133.tar.gz
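One way to automate that inspection, as an added example that is not part of the original article or of insights-client itself: the script parses the remove.conf shown above and scans a --no-upload tarball for denied files and for lines that still contain a denied pattern or keyword. The archive layout (member names ending in the collected file's absolute path), the function names, and the sample archive contents are assumptions constructed for illustration; the commands option is parsed but not checked.

```python
import configparser, io, tarfile

def parse_remove_conf(text):
    """Return the [remove] options as lists of literal strings (no regex handling)."""
    cp = configparser.RawConfigParser()  # raw parser: values such as super$ecret stay verbatim
    cp.read_string(text)
    return {opt: [v.strip() for v in cp.get("remove", opt, fallback="").split(",") if v.strip()]
            for opt in ("files", "commands", "patterns", "keywords")}

def audit_archive(fileobj, rules):
    """Scan a gzip tarball and list everything the denylist should have kept out."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Assumption: a collected file keeps its absolute path as the member-name suffix.
            findings += [("files", member.name, p) for p in rules["files"] if member.name.endswith(p)]
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind in ("patterns", "keywords"):  # literal substring match on each line
                    findings += [(kind, f"{member.name}:{lineno}", n) for n in rules[kind] if n in line]
    return findings

def build_sample_archive(files):
    """Constructed stand-in for the tarball that insights-client --no-upload writes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return io.BytesIO(buf.getvalue())

REMOVE_CONF = """[remove]
files=/etc/cluster/cluster.conf,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=super$ecret,ultra$ecret
"""

if __name__ == "__main__":
    sample = build_sample_archive({  # constructed contents: one denied file, two leaking lines
        "insights-host/etc/hosts": b"127.0.0.1 localhost\n",
        "insights-host/etc/app.conf": b"mode=prod\ndb_password=x\ntoken=super$ecret\n",
    })
    for kind, where, rule in audit_archive(sample, parse_remove_conf(REMOVE_CONF)):
        print(f"LEAK {kind:8} {where} (rule: {rule})")
```

To audit a real run, open the tarball path printed by insights-client --no-upload in binary mode and pass the file object to audit_archive; an empty result means none of the listed files, patterns or keywords were found.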
For more information on what metadata Red Hat Lightspeed (Insights) collects, see System Information Collected by Red Hat Lightspeed (Insights).
Related Resources
Red Hat Lightspeed (Insights) Security - Data Collection & Controls