Insights 102
Before we begin...
Before we begin with how to configure Red Hat Insights to be tailored to your needs (in terms of controlling what is sent to Red Hat servers and how it is sent) let me please remind you of the very basics of Red Hat Insights…
Can I control what Red Hat Insights is doing behind the curtains?
Absolutely!
Red Hat Insights collects metadata about the runtime configuration of a system. The data collected is 1% of what would be collected via sosreport during a support case. The data collected is a subset of an sosreport, so if a sosreport has been approved for usage, Insights data collection should also be acceptable.
The Red Hat Insights tool allows customers to review the data being collected by using the --no-upload parameter. This runs the Insights client and collection, but does not transmit the result to Red Hat for analysis. The collection is stored locally in a temporary directory where it can be inspected.
# ls -lh /var/tmp/TAFHhW/insights-amaya-insights2-20180129165816.tar.gz
-rw-r--r--. 1 root root 138K Jan 29 16:58 /var/tmp/TAFHhW/insights-amaya-insights2-20180129165816.tar.gz
# ls -lh /var/tmp/sosreport-amaya-insights2-20180129165924.tar.xz
-rw-------. 1 root root 12M Jan 29 16:59 /var/tmp/sosreport-amaya-insights2-20180129165924.tar.xz
That data is sent to Red Hat’s servers over SSL and compared against our Support Knowledge Database, looking for matches, and the results are sent back to the customer, in the form of actions, where they are displayed.
Insights on Red Hat Insights
Red Hat Insights requires Python-2.6.6-64 or later. Its main configuration file is /etc/redhat-access-insights/redhat-access-insights.conf
Red Hat Insights registration will auto-detect how the system is registered for software updates and can auto-configure the client based on that information. For auto-configuration, CERT is the default authmethod. Otherwise, authmethod can be set to BASIC, requiring a username and password for the target Insights server (Customer Portal or Satellite).
Red Hat Insights uses the Satellite server as a proxy to send diagnostic data to the Customer Portal, so it requires a connected environment.
Log files
The log file can be found at /var/log/redhat-access-insights/redhat-access-insights.log. The logs rotate each time data is successfully collected, to .log.1, .2, .n, so be aware that if an upload has occurred since the case was opened, relevant logs might now be in a different file.
The log file records the process of collecting data and uploading that data to the Insights server.
I still want to control more of it
Well, you can!
Insights can be configured by the customer to further restrict what's collected / sent, and optionally to obfuscate hostname and / or IP addresses from reports if desired. Customers can always look at the source code directly from the rpm - everything is made available for their perusal.
All data is trimmed down to the minimal necessary facts before being uploaded and encrypted both in transit and at rest. The customer may also choose to alter the name chosen to represent the system in the UI (e.g., apache01.prod instead of a fully qualified domain name).
Customers can opt-out of sending any data they wish to the service via a configuration blacklist. The service will continue to function, and only health checks which depend on that specific piece of data will be impacted.
The Insights client will enable customers to ignore any specific file, keyword or pattern, making data redaction easy to use.
The data collected is sent over a secure TLS / https connection. It's encrypted at rest on Red Hat's systems using LUKS encryption, and is kept only until the next report is received, which by default is 24 hours. If another report doesn't arrive in the scan interval period, the data on file (encrypted) is kept for a maximum of 2 weeks and then deleted from our systems.
The Red Hat Insights client also provides an easy parameter to obfuscate hostname and IP information. The actual hostname and IP information is replaced with consistent obfuscated names sufficient for rule analysis.
How is data collected?
As new Insights rules are identified, there may be a need for additional metadata collection for analysis and detection. The list of System Information collected by Red Hat Insights is updated on an as-needed basis. The Red Hat Insights client, upon running, pings Red Hat to determine if any additional metadata is needed for rules which have been introduced since the last run. For example, if a new malware check is added, Insights may need to inspect new data sources to determine if a system is impacted.
This automatic check is enabled by default to ensure customers get all new rules and proactive alerts for their system. This ping to Red Hat can be disabled and manually updated via rpm version; however, this may cause customers to miss out on new health checks which depend on new information.
When Red Hat updates the collection rules, the rules are GPG signed by the redhat-tools GPG key. The Insights client will immediately abort if this signature cannot be verified. This file is also manually inspected carefully before each update is released.
Some examples
These are some of the files Red Hat Insights collects and sends to be processed:
/etc/redhat-release
/proc/meminfo
/var/log/messages
Do not worry! We do not collect the entire messages file, but rather the lines that match a potential rule (e.g. page allocation failure).
Or some of the commands we run:
Commands:
/bin/rpm -qa
/bin/uname -a
/usr/sbin/dmidecode
If you want to know the whole list of commands run and data collected you can take a look at this document.
As said, the main configuration file is /etc/redhat-access-insights/redhat-access-insights.conf, and it’s a very typical ini-style file with #-delimited comments. Let’s take a brief look at it:
[root@server ~]# cat /etc/redhat-access-insights/redhat-access-insights.conf
# Example options in this file are the defaults
# Change log level, valid options DEBUG, INFO, WARNING, ERROR, CRITICAL. Default DEBUG
#loglevel=DEBUG
# Log each line executed
#trace=False
# Attempt to auto configure with Satellite server
#auto_config=True
# Change authentication method, valid options BASIC, CERT. Default BASIC
#authmethod=BASIC
# username to use when authmethod is BASIC
#username=
# password to use when authmethod is BASIC
#password=
[...]
To obfuscate your IP addresses, simply add the line:
obfuscate=True
Or to obfuscate hostnames, simply add the line:
obfuscate_hostname=True
Blacklist
And adding items to the blacklist is as simple as using /etc/redhat-access-insights/remove.conf
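One way to confirm that the obfuscation and blacklist settings above took effect is to scan the archive left by a --no-upload run before anything is sent. This is an added example, not Red Hat's code; the hostnames, IP addresses, keywords and archive member names are constructed sample values.

```python
import io
import re
import tarfile

# Dotted-quad tokens, matched whole so that 10.0.0.5 is not reported inside 10.0.0.50.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def audit_archive(fileobj, hostnames, ips, keywords=()):
    """Return sorted (member, line_no, kind, value) hits; line 0 is the member path."""
    hostnames, ips, hits = [h.lower() for h in hostnames], set(ips), set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            lines = [member.name]  # the path itself can carry the hostname
            if member.isfile():
                raw = tar.extractfile(member).read()
                lines += raw.decode("utf-8", "replace").splitlines()
            for n, line in enumerate(lines):
                low = line.lower()
                hits.update((member.name, n, "hostname", h) for h in hostnames if h in low)
                hits.update((member.name, n, "ip", ip) for ip in IPV4.findall(line) if ip in ips)
                hits.update((member.name, n, "keyword", k) for k in keywords if k in line)
    return sorted(hits)

def build_sample(files):
    """Build a constructed .tar.gz in memory from {path: text}; stands in for a real collection."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed sample contents, not real Insights output.
RAW = {"etc/hosts": "10.0.0.5 db01.example.com db01\n10.0.0.50 other\n",
       "etc/app.conf": "user=svc\npassword=hunter2\n"}
CLEAN = {"etc/hosts": "10.230.230.1 host1.example.invalid\n"}

if __name__ == "__main__":
    for hit in audit_archive(build_sample(RAW), ["db01"], ["10.0.0.5"], ["password"]):
        print(hit)
```

For a real run, open the .tar.gz from the temporary directory in binary mode and pass the file object in place of build_sample(...); an empty result means none of the listed values appear in the collection.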
Wrapping up...
We know you are concerned about the security of your data, yet there are times when it needs to be shared to provide the best capabilities for optimization and management. For this reason I wanted to let you know that the team here at Red Hat understands, and has worked hard to provide you with powerful tools that keep your data safe.
Wanna know more?? Find more info here.