The information below is specific to Red Hat Insights for Red Hat Enterprise Linux.
Information may be different for the other platforms that Red Hat Insights supports.
- Red Hat Insights Data & Application Security
- Register Systems
- Accessing Red Hat Insights Through a Firewall/Proxy
- Analyst paper: Save administrator time and effort by activating Red Hat Insights
- Analyst paper: IDC: Red Hat Insights predictive analytics for Red Hat Enterprise Linux
- Insights Product page
- Insights Intro Video
- Insights Blog
- Insights Webinar Library
- Red Hat Insights for Red Hat Ansible Automation Platform FAQ
Q: What is Red Hat Insights?
A: Red Hat Insights is a Red Hat software-as-a-service(SaaS) offering that helps IT teams proactively identify and remediate threats to security, performance, availability, and stability. Before subscribers need to come to Red Hat’s customer portal to troubleshoot, investigate, or learn how to avoid issues, outages, and unplanned downtime, Insights uses software to ensure their entire Red Hat Enterprise Linux environment is operating optimally. No other Linux provider offers this type of proactive, automated, and targeted resolution to ensure a secure, reliable, efficient, and scalable infrastructure environment.
Q: What capabilities are included with Insights?
A: Insights includes the following complimentary services: advisor (formerly known as Insights), vulnerability, compliance, patch, drift, and policies. More details about these capabilities are below. In addition, you can access subscription watch for subscription management from the Insights dashboard.
Let’s quickly review each of the services offered by Red Hat Insights:
Advisor identifies known configuration risks in the operating system, underlying infrastructure, or workloads that impact performance, stability, availability or security best practices. This previously was the single service known as Insights, renamed to Advisor.
Vulnerability assesses, remediates, and reports on CVEs that impact Red Hat Enterprise Linux environments in the cloud or on-premises.
Compliance analyzes the level of compliance of a Red Hat Enterprise Linux environment to an OpenSCAP policy, based on the corresponding and supported version of the SCAP Security Guide.
Patch determines which Red Hat product advisories apply to an organization’s specific Red Hat Enterprise Linux instances. It provides guidance for remediation either manually or via Ansible Playbooks for patching.
Drift compares systems to baselines, system histories and to each other to troubleshoot or identify differences.
Policies enable organizations to define and monitor for policies that are important internally, with alerts for environments that are not aligned to a policy.
Inventory lists the complete inventory of all hosts that are registered to Insights.
Remediations shows all Remediation playbooks that have been created for the purpose of simplifying remediation of issues found by Red Hat Insights.
Q: Does Insights work on all Linux distributions?
A: Insights only works for Red Hat Enterprise Linux, versions 6.4 and above including RHEL 7 and RHEL 8 versions.
Q: Is Insights included with all Red Hat Enterprise Linux versions, or are there exclusions?
A: Insights is available with all active RHEL subscriptions versions 6.4 and above. For versions of RHEL below version 8.x, you will install the Insights client, then register it. RHEL 8 includes the Insights client already, so you do not need to install it, but will need to register it. Note that embedded versions of Red Hat Enterprise Linux will not include Insights. See complete details on this page: Supported Versions of Red hat Enterprise Linux.
Q: Will Insights work in a disconnected or air-gapped environment?
A: No. Insights is only available as a Software-as-a-Service (SaaS) offering and requires a connection to the internet either directly or via a web proxy.
If connected via Satellite or a web proxy, then only the Satellite Server or the proxy server would need internet access.
Q: If I am using Insights through Satellite, do the hosts need an internet connection?
A: No. Hosts connected through Satellite use the Satellite Server as a web proxy by default.
However the Satellite Server DOES need internet connectivity. The Satellite Server does not perform any processing of Insights information- this is done exclusively on cloud.redhat.com
Q: How do I install and use Red Hat Insights?
A: The installation process generally follows three basic steps:
- Register your hosts or environments
- Review the analytics results
- Remediate issues
More information, including registration details, is available within Insights at Register Systems or at the Getting Started page.
While the Register Systems page is the more guided experience, both pages provide information on how to directly register hosts to Insights, how to use Satellite to register hosts to Insights, how to register Insights in public cloud providers like Azure and AWS, and even how to setup a brand new Red Hat account if you don’t have an existing account with Red Hat.
Q: Do any services need additional configuration?
A: Yes - Compliance and Policies require additional configuration or setup before results can be provided via Insights.
The compliance service needs each host to have the Openscap and RHEL security guide packages installed. Once a host is assigned to a policy the command insights-client --compliance will need to be run and scheduled to perform the evaluation and see results for assigned policies. For more information refer to the bottom of the Assessing and monitoring security policy compliance of RHEL systems page.
The Policies service will need you to create and configure a policy to monitor and react to system changes. For full information refer to the Monitoring and Reacting to configuration changes using Policies page.
Q: Where do I access Red Hat Insights?
A: Red Hat Insights is hosted on cloud.redhat.com/insights. Existing Insights users who have already installed the Insights client can proceed directly to the analytics dashboard on this cloud site. New users or existing users who want to register additional systems should begin on the Register Systems page for detailed instructions on registering hosts.
You can also access the Insights Advisor service inside the Red Hat Satellite UI. For more information, refer to the Smart Management with Satellite section.
Q: If I use RHEL from a public cloud provider can I still access Insights?
A: Yes. Insights is included with RHEL as a unique additional value to your subscription, which no other Linux provides, regardless of where you are running your RHEL workload. As long as your hosts have direct or proxied access to cloud.redhat.com on the internet you can utilize Insights.
You must have a Red Hat customer portal ID and a Red Hat account number to access Insights. Full details are available on the Public Cloud Usage - Get Started page.
Q: On which environments and cloud deployments does Red Hat Insights identify issues?
A: Insights works on any RHEL environment (except embedded RHEL) and identifies issues associated with this operating system as well as the underlying server or virtual machine across a range of deployment options including on-premises (including virtual) and public or private cloud.
Q: What are some general guidelines for getting started with Insights?
A: Here are a few guidelines for a successful start to using Insights:
We recommend you don't just set up a single system with Insights - a minimum of 10 systems will give you a start to see the kinds of results that Insights finds.
Ideally, setup 50-100+ range to start with Insights - Red Hat has automation available to assist with scaling out quickly.
Consider beginning with your pre-production (test, development) environments due to greater flexibility.
Using only the latest version of Red Hat Enterprise Linux systems won’t reveal as much interesting data - If you have older systems that have been running for a while, they will likely have more interesting findings
Start with Insights services based on your use cases that are most of interest
Advisor / Drift / Policies for host availability, maintenance, optimization and troubleshooting
Patch / Vulnerability for securing your hosts. These are also useful if your team interacts often with reports coming out of the security team and you have to spend time to validate their findings.
Compliance if adhering or looking to monitor industry compliance.
Q: Does Insights support Red Hat Enterprise Linux running on IBM Power Systems and IBM Z systems?
A:Yes, Insights works on these hardware platforms and provides an analysis of general RHEL operations on these platforms.
Q: Since Insights is SaaS - what country is the data stored in?
A: Insights runs in an OpenShift Dedicated Cluster running on the US East Coast. This is a fixed instance and cannot be changed or relocated in a different geography.
Q: Where can I get additional information about Red Hat Insights?
A: There are a range of internal and external resources on Red Hat Insights:
Q: If my organization doesn't use Ansible, can I still use Insights?
A: Yes. Insights provides remediation recommendations that can be scripted by users. For Advisor, Insights includes step-by-step directions on how to remediate issues. For most Insights services, an Ansible playbook can be dynamically generated to make it easier to remediate issues, but the use of Ansible is not required..
Q: Can Insights be turned off?
A: Yes - Insights registration is opt-in, via the registration command in the client or through the Web Console or installation GUI (as well as via Satellite and Ansible Automation Platform).
If you are using Insights on a host and wish to disable it (perhaps you are retiring a host) you can run the command insights-client --unregister
Q: Is it necessary to have Smart Management and Satellite to use Insights?
A: No. Insights is part of your RHEL subscription. No other subscription is required to use Insights. If you also have a Smart Management subscription (which includes Satellite) you can configure Cloud Connector in order to execute remediations from within Insights.
Q: Does Insights have APIs available?
A: Yes, Insights has a full set of APIs. Refer to the API documentation for full information [login required for API docs].
Q: What is the Advisor service?
A: Advisor identifies known configuration risks in the operating system, underlying infrastructure, or workloads that impact performance, stability, availability, or security best practices.
Q: Does Advisor have hardware-specific recommendations?
A: Yes. There is a series of recommendations designed to analyze the interaction between Red Hat Enterprise Linux and hardware including server, network, and storage devices as well as cloud platforms. Here are a few examples:
- Network interface card is not operating at maximum speed due to faulty cable, network interface card, switchport, SFP, etc.
- Unsupported kernel version on Intel Purley Platform with Intel Skylake CPU
- Kdump Does Not Work Due To XEN/AWS's Limitation
Q: Does Advisor have workload-specific recommendations?
A: Yes. There are recommendations for workloads such as SAP, Microsoft SQL, PostgreSQL, and Oracle Databases. There are also recommendations for hypervisors and for cloud providers such as AWS and Azure. There are also Red Hat specific recommendations for products such as OpenShift, OpenStack, and Satellite. These are listed in Advisor in the Topics submenu and are easily referenced.
Q: How many recommendations does Advisor include?
A: Advisor has over 1,000 recommendations and growing. New Recommendations are frequently added.
Q: Can I create my own recommendations?
A: Advisor recommendations are created by Red Hat. The Insights Policy service might meet your needs as it allows you to create your own custom internal policies.
Q: Are CVEs shown in Advisor?
A: No. All CVEs are shown in the Vulnerability service.
Q: Are there any workload-specific recommendations in Insights ?
A: Yes - There are a number of different workload Recommendations included with the Advisor service. These are easily visible in the Advisor service of Insights by clicking Topics then, for example, SAP or AWS. You may need to select "Show recommendations with no impacted systems" to see the full list of recommendations for a selected topic.
Q: What is the Vulnerability service?
A: Vulnerability assesses, remediates, and reports on CVEs that impact Red Hat Enterprise Linux environments in the cloud or on-premises.
Q: Will the vulnerability service ever show CVEs that DO NOT have errata?
A: Yes, there is a plan to eventually show CVEs that have been decided not to be addressed by Red Hat. No specific timeline can be given at this time.
Q: Can I integrate Vulnerability findings within my existing security reports / tools?
A: Yes, via APIs. All of the functionality within Insights Vulnerability service is accessible via REST APIs.
Q: Are there additional PDF reports available for the Vulnerability service?
A: Yes, custom PDF reports are available for the Vulnerability service in the Reports view.
Q: Are there any plans to make the Vulnerability functionality available within Satellite?
A: No, there are no plans to include this functionality in Satellite.
Q: Will the Vulnerability service start showing Errata/Advisories tied to the CVEs identified?
A: Yes, the Vulnerability service now shows errata/advisories associated with CVEs redirects users to the Patch service for deeper analysis.
Q: Does the Vulnerability service show Vulnerabilities from all repositories, or only enabled ones?
A: The Vulnerability service only shows vulnerabilities from the enabled repositories on a system. If the Vulnerability service showed results from all repositories the results would include irrelevant updates for a system.
Q: What is the Compliance service?
A: Compliance analyzes the level of compliance of a Red Hat Enterprise Linux environment to an OpenSCAP policy you have deployed based on the version of SCAP Security Guide (SSG) supported by Red Hat Enterprise Linux.
Q: Is there any way to define a custom compliance policy?
A: You can create new SCAP policies and edit/tailor them as needed within the Compliance service.
Q: Does Compliance support export and import a SCAP policy to let me edit and archive the policy easily?
A: Compliance makes it very easy to create a new policy directly within Insights and select/unselect rules. Compliance does not support any import/export functionality as of today.
Q: Compliance related to workloads like SAP, MSSQL, JBOSS EAP are common across customers. Do we have any template of compliance for these workloads?
A: Compliance leverages the existing capabilities available with OpenSCAP - we haven't created any specific templates for use, but allow existing ones to be leveraged and tailored.
Q: Does the compliance service require additional configuration?
A: Yes - each host will need the OpenSCAP and RHEL security guide packages installed. Once a host is assigned to a policy the command insights-client --compliance will need to be run and scheduled to perform the evaluation and see results for assigned policies. For step-by-step instructions see the Getting Started page
Q: Are there any considerations that I need to be aware of for the Compliance service?
A: Yes - Accurate compliance reporting requires that you use the supported version of the Scap Security Guide (SSG) for the minor version of RHEL you are using. Using an unsupported version of SSG on RHEL results in an unsupported configuration, which will be reflected in results for the policy displayed in the compliance service. Refer to the Supported configurations section of the Compliance documentation for more information.
If you use an unsupported combination of RHEL and the SCAP security guide, then your system will be listed as being in an unsupported status.
Q: I set up compliance but the report is showing my system as unsupported. What does that mean?
A: This likely indicates that you are using an unsupported version of the Scap Security Guide (SSG) for the RHEL minor version running on the system. The security guide version can either be too old or too new for you to be in a supported state.
Refer to the Supported configurations section of the compliance documentation for more information.
Q:Can I upload OpenSCAP reports that I have manually run or from Satellite?
A: No - Compliance policies must be created in the Insights compliance service. While the compliance service uses OpenSCAP to perform a system evaluation, reports from OpenSCAP outside of Insights cannot be uploaded to Insights.
Q: What is the Patch service?
A: Patch determines which Red Hat product advisories apply to an organization’s specific Red Hat Enterprise Linux instances. It provides guidance for remediation either manually or via Ansible Playbooks for patching.
Q: How does the Insights Patch service work in conjunction with Satellite?
A: The Patch service in Insights is independent of Satellite. The Patch service is closer to what you might see on https://access.redhat.com/management/errata but with a centralized view of the impact of your entire estate that is registered to Insights.
Satellite will continue to have robust content management and lifecycle management that is not offered as part of Insights.
These two (Insights Patch service and Red Hat Satellite) would likely not be used to manage the same set of systems.
Q: What benefits are there, if any, to patching via Satellite vs patching via Patch on cloud.redhat.com?
A: Satellite has robust content and lifecycle management and is purpose built for patching (and provisioning, etc) of RHEL. Satellite centralizes all of the content within your infrastructure and organizes it into lifecycles such as test, prod, etc. and can use Content Views to filter and curate available packages in Red Hat, 3rd party, and custom repositories.
The patch service in Insights is more like using subscription manager or yum, providing access to all appropriate packages on the Red Hat CDN.
Q: In the Vulnerability service we have all Common Vulnerabilities and Exposures (CVEs) and remediation steps are based on these CVEs. In the Patch service we have Red Hat Security Advisories (RHSA) and their remediation steps. RHSA often have CVE's attached. Why are we reporting RHSA in the patch service?
A: Patch is focused on yum-level updates available for each system and is focused on users who are most interested in the software on the system more than a specific security workflow. You may have situations where security staff don't want to expose all of the vulnerability information to system owners, but want to point them to Patch and say, "You have packages that need updating for security and bugfixes. Please apply these fixes."
Q: What is the Drift service?
A: Drift compares systems to baselines, system histories and to each other to troubleshoot or identify differences.
Q: How long in time can I go back to for my RHEL configuration comparisons?
A: Insights currently keeps 7 days of data for historical system comparison. This means Drift is able to perform RHEL configuration comparisons between insights-client playloads uploaded within the last 7 days.
Additionally, baselines can be created to define system configurations and used as standard/guideline for system comparison. The 7 day limit does not apply to baselines.
Q: Where can I find information about each configuration fact?
A: System facts are documented in Drift documentation under Available Facts and Their Functions.
Q: Can I add my own facts using the Drift service?
A: Drift comparisons can be performed on configuration facts and tags collected by Insights. As such, additional metadata associated to systems as a tag can be compared using Drift.
Q: Is Drift for the whole system or only for configuration files?
A: Drift uses the facts collected by Insights to compare facts to other systems or to a baseline. This could be things like identifying differences in kernel or package versions, running services, or bios/RAM/CPU
Q: For baselines, if you delete or edit facts can you get those back?
A: If you delete a fact, it is removed from the Insights DB and not available. If you want to change what is included as part of a baseline it is best to duplicate an existing Baseline to keep history/versioning. You can also manage baselines as JSON files and upload them using Insights REST APIs. See Drift API documentation.
Q: Can I access comparison results without logging in and manually selecting systems/baselines?
A: All operations in Drift service are accessible via REST APIs (e.g. requesting a comparison report, CRUD operations on baselines, etc). For full information refer to the Documentation which also includes specific examples for Drift API.
Q: What is the Policies service?
A: The Policies service enables organizations to define and monitor for policies that are important internally, with alerts for environments that are not aligned to a policy.
Q: How can we reduce the number of emails received from the Policies service?
A: Each user can adjust notifications settings in the User Preferences page. For Policies, users can subscribe to receive instant notifications and/or daily summaries.
Q: How do I stop being spammed by instant email notifications?
A: Each user can adjust notifications settings in the User Preferences page. For Policies, users can subscribe to receive instant notifications and/or daily summaries.
Q: Where can I find the Hooks notifications in Policies?
A: The Hooks notification] functionality used by Policies is configured in the settings area. Refer to the Hooks notification documentation for full details.
Q: Can we include policies as part of a compliance report or compliance alert ?
A: At this time the Policies service does not trigger on compliance events.
Q: What is the Inventory service?
A: The Inventory service lists all of the hosts that are registered to Insights.
Q: Can I resolve issues on a specific host from the Inventory view?
A: Yes - when you select a specific host from the Inventory you can see results from some of the Insights services from the system view. From within the tabs of the services, such as Advisor, you can select and create a remediation playbook right from the system view.
Q: What is the Remediations service?
A: The Remediations service lists all of the remediation plans created from Insights in a single place. You can download the remediation plans from this service or if you also have Smart Management with Cloud Connector configured you can execute the playbook directly from the Remediations service.
Q: How does remediation with Ansible work?
A: When Red Hat Insights identifies an issue an Ansible playbook is often included. If you have a Smart Management subscription, you can optionally execute this playbook to remediate the issue, or you can use the provided remediation guidance to resolve an issue manually or to create your own playbook to execute with Ansible Tower. If you use Insights inside of Satellite, you can use Satellite to run it.
Q: Can Ansible Playbooks be run if the hostname is obfuscated?
A: Playbooks rely on the hostname. If the hostname is obfuscated, you will need to edit the playbook to set the hostname before you can run them.
Alternatively, within the Insights UI you can find the host and manually set the "Ansible hostname" to a name that Ansible recognizes. When a playbook is generated it will use this name inside of the playbook.
You can also optionally set the Ansible hostname at the time of registration using the command:
insights-client --register --ansible-host <NAME>
You may also set this after registration using the command:
insights-client --ansible-host <NAME>
Q: Can I remediate Insights issues from within Satellite?
A: Yes. Insights can integrate with Red Hat Satellite allowing you to see and remediate issues that the Insights Advisor service identified as you work within the Satellite UI. Either using optional dashboard widgets or the Insights menu item on the left hand navigation bar, you can review the identified risks and create a playbook to perform remediation. If you are resolving a recommendation for which Insights has an Ansible playbook that can be dynamically generated, the playbook can be generated and run from within the Satellite user interface. This allows you to find and fix the issue inside of Satellite. Satellite uses built-in Ansible technology to perform the remediation. The Red Hat Satellite documentation has additional information on this topic, or you can watch a video.
Note: only the Advisor service is available inside of the Satellite user interface.
Q: Does Insights use Ansible runner to execute remediation on end nodes?
A: With Smart Management and Cloud Connector, yes as Satellite 6.7 uses Ansible Runner. Without Satellite and Smart Management, Insights users can only download the playbook and then run the playbook using your preferred means.
Q: Will I need to have a Smart Management subscription to access remediations?
A: No. With Insights you have the ability to see step-by-step remediations and the ability to dynamically create a playbook to help automate remediations. However, you still have to download the playbook and take it to a system with Ansible to run it. With Smart Management and Cloud Connector you have a remediate playbook button, and the Satellite Server can run the playbook at the click of a button on connected hosts.
Q: What is Cloud Connector?
A: Cloud Connector is included as part of the Smart Management subscription and creates a connection between Satellite Servers and cloud.redhat.com for the purpose of remediating playbooks created on cloud.redhat.com using your Satellite and Capsule infrastructure. Multiple Satellites can be connected to cloud.redhat.com. For full information, refer to the document on Using Cloud Connector to remediate issues across your Red Hat Satellite infrastructure.
Q: Using Cloud Connecter can I run playbooks on hosts not registered to the Satellite?
A: No. Cloud Connector requires the hosts to be connected to a Satellite Server, version 6.7 or higher. If a host is not connected to a Satellite Server you will need to download the playbook and run it or manually perform the remediation steps.
Q: What is Subscription Watch?
A: Subscription Watch provides unified reporting of Red Hat subscription usage and utilization for easier and more efficient management of subscriptions to Red Hat Enterprise Linux and the Red Hat OpenShift Platform. For convenience, Subscription Watch is included in the Insights dashboard. Head over to the Subscription Watch FAQ for more information.
How to Buy / Prerequisites
Q: How do I buy Insights?
A: Insights is included with all RHEL subscriptions, RHEL 6.4+. There is no separate item to buy. The benefits of Insights are only available with RHEL.
Q: Does Insights work with CentOS / Fedora / Ubuntu / Windows / etc?
A: No. Insights is only available with Red Hat Enterprise Linux. There are no plans to support other Linux distributions.
Q: Is the purchase of the Ansible Automation Platform subscription required for Insights?
A: No. Ansible is not required for use with Insights however it is extremely complimentary to be able to act on Insights findings at scale.
Q: Is the purchase of the Smart Management subscription required for Insights?
A: No. Smart Management is not required for use with Insights however it complements Insights by allowing action and remediation at scale.
Q: Is Insights available for PAYG (Pay As You Go) RHEL Instances from any CCSP (Certified Cloud Service Provider)?
A: Yes - Insights is included with all RHEL subscriptions (6.4+). To use Insights a Red Hat account is needed. There is a "Public Cloud Usage" tab on the getting started page that has full instructions
Data Handling and Privacy
Q: What is the design principle behind data collection in Insights?
A: The design principle with Insights is simple: collect only the minimum data that is needed for analysis, issue identification, and remediation. Complete volumes of system information such as core dumps or full log files are not collected. Insights, by default, does not collect personal information.
Q: What information does Red Hat Insights collect?
A: Red Hat Insights collects metadata about the runtime configuration of a system. The data collected is a fraction of what would be collected through an sosreport during a support case. Examples of information that may be collected includes a line of a log file matching a recommendation, host configuration metadata, and runtime information.
Q: How can I see what information has been collected?
A: Before any data is sent, you have the option to inspect and redact data. The insights-client -- no-upload command lets you view the metadata that has been collected. This will let you look at the exact information that Insights is sending to Red Hat. Details are available in these two articles:
Q: Can some information be excluded from collection?
A: Yes - you have full control over the data collected by Insights.
One of the most common requests is to Obfuscate IP Addresses and Host Names in Red Hat Insights.
If you need to block further information, review the article on setting up a YAML-style denylist configuration for Red Hat Insights Client.
Keep in mind that the more information you redact from Insights, the less valuable the findings become.
Q: How long does Red Hat retain the data collected by Red Hat Insights?
A: By default, the Red Hat Insights client collects and uploads the data once a day. Hence, the collected data will normally be kept for 24 hours. Data uploaded by previous runs will be deleted when the same client uploads new data as part of the daily run. Data from Insights clients that no longer upload new data will be deleted after 14 days from the date of the last data upload.
When Red Hat processes the upload, there may be certain “recommendations hits” or issues identified. These recommendation hits are retained for historical reporting purposes and may be used by Red Hat as input into feature enhancements.
Q: What is the impact of the Insights agent and the data collection process on my systems?
A: The Insights agent is designed to be lightweight. It runs as a daily cron job or systemd timer that installs with a default schedule. It also has capabilities that let you customize the schedule for when the data collection agent runs and when the data is uploaded to the Insights service to minimize impacts on your networks and workloads. Note, however, that the collection process is lightweight and the data sets are small.
Q: How does Red Hat Insights secure my data?
A: Your data is encrypted in three key ways: on your host system at the point of collection; in transit across the network; and when it is at rest on Red Hat infrastructure that supports the Insights service. In addition, you may also choose to alter the name chosen to represent the system (eg, apache01.prod instead of a fully qualified domain name). A few other points to note:
- All communication with Red Hat occurs over encrypted channels using Transport Layer Security (TLS).
- All TLS traffic with Red Hat servers is verified with a trusted certificate that is bundled with the application, ensuring that communications can not be intercepted, such as by a “man in the middle” attack.
- The default communication model from client systems to Red Hat servers occurs with mutual TLS or two-way authentication using digital certificates.
- All volumes containing your data at rest are encrypted with Linux Unified Key Setup (LUKS) encryption. More details are available in this Red Hat Insights - Security Information article.
Q: Is the data collected by Insights static or dynamic?
A: As new Insights recommendations are identified, there may be a need for additional metadata collection to meet the information requirements of the recommendation, so it is dynamic. The Red Hat Insights client, upon running, downloads the json configuration file to determine what new metadata is needed for recommendations. This process can be disabled and instead manually updated via rpm version; however, this may cause you to miss out on new health checks which depend on recently added recommendations and information required for that recommendation until you perform a manual update.
Q: What connectivity does the server need to use Insights?
A: Ensure active network connection to:
- https://cert-api.access.redhat.com:443 [needed for Insights data upload]
- https://cert.cloud.redhat.com:443. [needed for Inventory upload and Cloud Connector connection]
If the system is already registered to RHSM or Red Hat Satellite, there should be no additional steps needed. Note that each system can also be proxied through an http proxy. Details on configuring direct or http proxy connections can be found in Accessing Red Hat Insights Through a Firewall/Proxy.
Q: How to make sure that data at rest and transit to Red Hat Insights is secure?
A: This is the default behavior of Insights - data is encrypted before it leaves the host and remains encrypted while in transit and at rest.
Q: Can I use two-factor authentication?
A: Red Hat Insights leverages the existing Red Hat SSO mechanisms on cloud.redhat.com and the customer portal. It is currently possible to use a two-factor authentication using OTP or Google Authentication, please see the following for implementation details Two Factor authentication (2FA) for Red Hat Customer Portal.
Q: I have multiple Red Hat account numbers. How do I enable multi-tenancy with Insights so I can see all account numbers in a single view?
A: This is not possible today. Insights leverages Red Hat Single Sign On (SSO) and the tenancy is based on the individual Red Hat account number. If Red Hat SSO enables the ability for users to log in to multiple account numbers, then Insights can inherit that functionality.
Q: When I delete a system from my environment, is the system removed from Insights as well?
A: This may depend on how you delete the system. Red Hat recommends that you add to any automation or manual steps the “insights-client --unregister” command when you are removing systems. This will properly unregister a system from Insights.
When a system is removed from the Insights Inventory, all of its data is deleted from Insights. Systems that stop checking into our service (which default is daily) will be automatically removed after 14 days of not checking in to the service.
Q: Will regular RHEL subscriptions have access to Ansible playbooks for remediation via Insights?
A: Yes, Ansible playbook downloading will continue to be available through "Advisor" as it is today.
Q: Can the Insights 14 day data retention policy be adjusted?
A: No. By default, the Red Hat Insights client collects and uploads the data once a day. Hence, the collected data will normally be kept for 24 hours. Data uploaded by previous runs will be discarded when the same client uploads new data as part of the daily run. This can be configured for you to decide when your data is uploaded.
Data from Red Hat Insights clients that no longer upload new data will be discarded after two weeks from the date of the last data upload. This is not adjustable.
Q: How does Insights receive updated system information? Are we required to run the command in a cron job or is that automated?
A: insights-client must be installed on all RHEL systems to collect information and is installed automatically on RHEL8. At registration, a cron job/timer is enabled on the system and runs daily.
Q: What does the impact of the Insights client on system resources?
A: The insights client is intended to use a minimal amount of system resources. The insights client by default is a systemd process that runs once per day then turns off once completed.
To help prevent any runaway processes, in the short time that it runs the Insights client is capped at consuming an absolute max of 30% of CPU and 2GB RAM.
Integrations with other products (Smart Management / Ansible Automation Platform)
Smart Management with Satellite
Q: Does a machine registered to Satellite using insights register automatically or show up on cloud.redhat.com so that it can be managed from the cloud?
A: Setting up Insights is an opt-in service. If you have chosen to register a system with Satellite, that system will then be available for use in Insights on cloud.redhat.com. If you wish to use Cloud Connector to act on issues directly from the cloud.redhat UI, that is an additional optional step
Q: Do hosts have to be registered directly to the Satellite to use this cloud connector feature or can it also go to clients on Capsule servers?
A: Cloud Connector will be able to execute remediations on hosts that are registered to the Satellite. Multiple Satellites are also supported. Capsules are part of the Satellite infrastructure, so the remote execution job is at the end executed on the Capsule.
Q: Does the Insights GUI in Satellite provide the same capabilities as the one cloud.redhat.com?
A: No - cloud.redhat.com has the full set of Insights services. The Satellite user interface only shows the Advisor service.
It may be worth noting, although not an exact match with what Insights offers, Satellite does have some CVE and Compliance capabilities natively in the Satellite product.
Q: Are there plans to show other Insights services like Drift and Policies inside of the Satellite user interface?
A: No - The Satellite user interface (UI) only shows the Advisor service. There are no plans to add additional services into the Satellite UI.
Q: Will the Insights view inside of Satellite be removed?
A: The Insights menu in Satellite is planned to remain, though no major enhancements are planned either at this time.
Q: Can Satellite use the Insights services without having a connection to the internet?
A: No - Red Hat Insights is only offered as a Software-as-a-Service solution with no plans to provide an on-premise disconnection option. Customers who are willing to use this SaaS service do have various options available to them. Insights client does have proxy support, enabling the Satellite as a proxy or supporting custom HTTP proxies.
If your environment is fully disconnected, there are no options to use Insights within that individual environment, however we have had organizations in this situation successfully adopt Insights in development or pre-production environments where they can be connected and may have more relaxed restrictions.
Q: Will the OpenSCAP report in Satellite be deprecated in favor of Insights Compliance?
A: There are no plans to remove that support for now. Neither are there plans to have parity between the Compliance service within Insights and Satellite.
Q: CVE list, OpenSCAP compliance, and config comparison were part of Smart Management only. Have they been rolled into the RHEL subscription now, or still only for Smart Management subs?
A: Insights now contains Advisor, Drift, Vulnerability, Compliance, Patch and Policies, all included as part of the RHEL value of subscription. Smart Management is only required if you wish to use Cloud Connector being demoed and is recommended for use for acting on Insights remediations at scale
Q: When patching from Insights, is there any means to trigger a Content View (CV) update if the applicable errata are not in the current CV?
A: The Insights patch service does not leverage the content management features of Satellite - it is completely independent. As such Insights cannot affect a CV in any way. Insights patch service is a CDN download only. If you want content management this is where Satellite is a better choice.
Q: If I don't have a Smart Management subscription, will I be able to use the Execute Playbook button? If not, what options do I have to run remediation?
A: A Smart Management subscription is required to setup Cloud Connector which connects Satellite to cloud.redhat.com. If you are a Satellite user, then you have Smart Management. Configuring Cloud Connector enables the Execute Playbook button.
If you do not have a Smart Management subscription, some of the Insights services provide step-by-step remediation instructions that can be followed. Many issues that Insights finds also enabled you to generate a playbook via the remediation service. You can still download the generated playbook even if you don’t have a Smart Management subscription.
Q: If I have all of my servers behind Satellite then can I do all this activity from the Insight menu inside of the Satellite web interface?
A: The Insights integration inside of the Satellite web interface only provides Advisor recommendations. For the full capabilities of Insights (Compliance, Vulnerability, Advisor, Drift, Policies and Patch) we recommend cloud.redhat.com with the optional cloud connector setup
Q: Does Cloud Connector use ansible-playbook or ansible-runner, and should I care?
A: Cloud Connector uses ansible-runner, no subscription required.
Q: If I have the Smart Management subscription and a Satellite that is connected to Insights, should I just use the Insights interface instead of Satellite?
A: In this situation, it would be recommended to access Insights from cloud.redhat.com as it provides the complete experience (Vulnerability, Compliance, Drift, Patch, Policies) as compared to Satellite which is limited to only the Advisor service.
Q: Can Insights from within Satellite work in disconnected mode without requiring an active internet connection?
A: No. Insights is provided as a Software-as-a-Service (SaaS) offering. An internet connection is required. The default behavior is for hosts registered to Satellite the data is automatically proxied through the Satellite Server. Insights will not work in a completely disconnected environment.
Q: Does Cloud Connector work in disconnected Satellite environments?
A: There will be a connection needed from Insights to the Satellite for Cloud Connector to function. This happens over port 443.
Ansible Automation Platform
Q: Do I need an Ansible Automation Platform subscription to use Insights?
A: No. Insights is included with the Red Hat Enterprise Linux subscription.
Q: Is Insights integrated with Ansible Tower?
A: Yes. Remediations can be acted on via optional Ansible Tower integration. Refer to the Ansible Tower documentation on Setting up an Insights Project for full details.
Q: Can I use Ansible to leverage Insights on non-RHEL operating systems?
A: No. Red Hat Insights is included as part of the value of the RHEL subscription and is not supported on other operating systems.
Q: Is there a similar Execute Playbook available with Ansible Tower?
A: Cloud Connector currently only supports Smart Management with Satellite.
Ansible Tower users can leverage the existing Insights integration available today to create a remediation within cloud.redhat and pull that into Tower.