Chapter 6. Insights client data redaction

Red Hat Insights for Red Hat Enterprise Linux collects a minimal amount of data, including data that might contain personally identifiable information (PII). To prevent PII (or other configuration data) from being collected, apply data redaction.

6.1. Insights client data redaction options

The Insights client provides data redaction options. Depending on your version of RHEL, there are two methods for controlling data redaction.

Table 6.1. Data redaction and RHEL versions

    RHEL version                       Redaction method
    RHEL 6.9, 7.8, 8.2, and earlier    Configuration file: remove.conf
    RHEL 6.10, 7.9, 8.3 and later      YAML files: file-redaction.yaml, file-content-redaction.yaml

Note

You must create the remove.conf configuration file or the YAML files. They are not installed by default.

6.2. Using remove.conf to redact data

When you use a configuration file for data redaction, the contents of the file control which data is redacted, as well as how it is redacted. The default configuration file is /etc/insights-client/remove.conf. As an option, you can also configure the Insights client to use a different redaction configuration file.

Based on your entries in the redaction configuration file, you can specify one or more of the following actions:

  • Eliminate specific files and their content from data collection
  • Eliminate selected command output from data collection
  • Eliminate information that matches a pattern
  • Substitute specific strings with a default keyword string

When you configure redaction by elimination, the redacted information is never recorded in the archive file. Redaction is performed by preprocessing the data before it is captured in the archive file.

For redaction by string substitution, the archive file is processed by a Python SoS process before it is sent to Red Hat Insights for Red Hat Enterprise Linux.

Note

The remove.conf file does not support regular expression matching.

You can use command line options to control the archive file output. For example, you can generate the archive file, but not send it to Red Hat Insights for Red Hat Enterprise Linux. You can inspect and verify the redaction results before sending the archive.

Note

When you redact files and command output, that information is not available to compare against the Insights for Red Hat Enterprise Linux rules. These omissions might cause Insights for Red Hat Enterprise Linux to not identify issues that apply to your system.

6.2.1. Configuring Insights data redaction using remove.conf

The /etc/insights-client/remove.conf file controls Insights client data redaction. You must manually create this file.

Use this redaction method if you are running Red Hat Enterprise Linux 6.9, 7.8, 8.2, and earlier.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Use an editor to create the /etc/insights-client/remove.conf file template.

    [remove]
    files=/etc/cluster/cluster.conf,/etc/hosts
    commands=/bin/dmesg,/bin/hostname
    patterns=password,username
    keywords=super$ecret,ultra$ecret+

  2. Optional. Delete any lines in the file that you do not want to apply to Insights client redaction.
  3. Save the file and exit the editor.
  4. Use the command line to verify that the remove.conf file permissions are set for root owner only.

    [root@insights]# ll remove.conf
    -rw-------. 1 root root 145 Sep 25 17:39 remove.conf

6.2.2. Redacting specific file content

You can use the remove.conf file to select specific files to redact. The files that you select and their content are not included in the archive file.

Prerequisites

  • The /etc/insights-client/remove.conf file must exist. If you have not already created the remove.conf file, create it.
  • Root-level access to your system.

Procedure

  1. Open the /etc/insights-client/remove.conf file in an editor.

    [remove]
    files=/etc/cluster/cluster.conf,/etc/hosts
    commands=/bin/dmesg,/bin/hostname
    patterns=password,username
    keywords=super$ecret,ultra$ecret+

  2. On the files= line, add or remove the files that you want to redact from the archive file.

    Note

    Each file name is separated by a single comma. Do not use spaces.

  3. Optional. If you do not want to redact any files from the Insights client archive, remove the files= line.
  4. Save and close the file.

6.2.3. Redacting specific commands

You can use the remove.conf file to redact specific commands. The output of the redacted commands is not included in the archive file.

Prerequisites

  • The /etc/insights-client/remove.conf file must exist. If you have not already created the remove.conf file, create it.
  • Root-level access to your system.

Procedure

  1. Open the /etc/insights-client/remove.conf file in an editor.

    [remove]
    files=/etc/cluster/cluster.conf,/etc/hosts
    commands=/bin/dmesg,/bin/hostname
    patterns=password,username
    keywords=super$ecret,ultra$ecret+

  2. On the commands= line, add the commands that you want to redact from the archive file, or remove any that you do not want redacted.

    Note

    Separate each command with a single comma. Do not use spaces.

  3. Optional. If you do not want to redact any commands from the Insights client archive, remove the commands= line.
  4. Save and close the file.

6.2.4. Redacting string patterns

You can use the remove.conf file to redact specific string patterns from the archive file.

If you specify a string pattern to redact, the process redacts all the lines in the archive file that contain that pattern. For example, if the string pattern is name, that pattern matches and redacts hostname, filename, username.

Note

Regular expressions and wildcard matching (egrep) are not supported.

Prerequisites

  • The /etc/insights-client/remove.conf file must exist. If you have not already created the remove.conf file, create it.
  • Root-level access to your system.

Procedure

  1. Open the /etc/insights-client/remove.conf file in an editor.

    [remove]
    files=/etc/cluster/cluster.conf,/etc/hosts
    commands=/bin/dmesg,/bin/hostname
    patterns=password,username
    keywords=super$ecret,ultra$ecret+

  2. On the patterns= line, add any string patterns that you want to redact from the archive file.

    Note

    Separate each string pattern with a single comma. Do not use spaces.

  3. Optional. If you do not want to redact any patterns from the archive file, remove the patterns= line.
  4. Save and close the file.

6.2.5. Redacting keywords

You can use the remove.conf file to redact specific keywords. The Python SoS process replaces the keywords you select with keyword0, keyword1, keyword2, etc., in the archive file.

Prerequisites

  • The /etc/insights-client/remove.conf file must exist. If you have not already created the remove.conf file, create it.
  • Root-level access to your system.

Procedure

  1. Open the /etc/insights-client/remove.conf file in an editor.

    [remove]
    files=/etc/cluster/cluster.conf,/etc/hosts
    commands=/bin/dmesg,/bin/hostname
    patterns=password,username
    keywords=super$ecret,ultra$ecret+

  2. On the keywords= line, add any keywords that you want to redact from the archive file.

    Note

    Separate each keyword with a single comma. Do not use spaces.

  3. Optional. If you do not want to redact any keywords from the archive file, remove the keywords= line.
  4. Save and close the file.

6.2.6. Validating the remove.conf file

You can validate the remove.conf file to make sure its syntax is correct before using it for redaction.

Prerequisites

  • The /etc/insights-client/remove.conf file must exist. If you have not already created the remove.conf file, create it.
  • Root-level access to your system.

Procedure

  1. Enter the insights-client command with the --validate option.

    [root@insights]# insights-client --validate

  2. Correct any errors that the command displays.
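
The rules this section states for remove.conf (a [remove] section, the four keys from the template, entries separated by a single comma with no spaces, root-only permissions) can also be checked with a short script before you run insights-client --validate. The following Python is an added example, not part of insights-client; the names lint_remove_conf and lint_file and the sample content are assumptions made for illustration.

```python
import configparser
import os
import stat

ALLOWED_KEYS = {"files", "commands", "patterns", "keywords"}  # keys in the page's template

def lint_remove_conf(text, mode=None):
    """Return a list of problems in remove.conf content (mode: st_mode or None)."""
    problems = []
    parser = configparser.RawConfigParser()  # raw: '$' and '%' in keywords stay literal
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["not parseable as INI: " + type(exc).__name__]
    if not parser.has_section("remove"):
        return ["missing [remove] section"]
    for key, value in parser.items("remove"):
        if key not in ALLOWED_KEYS:
            problems.append("unknown key '%s'" % key)
            continue
        for item in value.split(","):
            if item == "":
                problems.append("%s: empty entry (stray or doubled comma)" % key)
            elif item != item.strip():
                problems.append("%s: whitespace around '%s'" % (key, item.strip()))
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        problems.append("accessible by group or others (mode %o)" % stat.S_IMODE(mode))
    return problems

def lint_file(path="/etc/insights-client/remove.conf"):
    """Lint the file on disk, including permission bits and owner."""
    st = os.stat(path)
    with open(path) as handle:
        problems = lint_remove_conf(handle.read(), st.st_mode)
    if st.st_uid != 0:
        problems.append("not owned by root")
    return problems

# Constructed sample: a space after a comma, a doubled comma, a misspelled key.
SAMPLE = """[remove]
files=/etc/cluster/cluster.conf, /etc/hosts
commands=/bin/dmesg,,/bin/hostname
pattern=password
keywords=super$ecret,ultra$ecret+
"""

if __name__ == "__main__":
    for problem in lint_remove_conf(SAMPLE, 0o100644):
        print(problem)
```

A misspelled key such as pattern= matters because the line it was meant to configure is then not applied, and the data you intended to redact can end up in the archive.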

6.3. Using YAML files for redaction

When you use YAML files for redaction, two files control the redaction actions:

  • file-redaction.yaml
  • file-content-redaction.yaml

You can use one or both files, depending on the content you want to redact. When the Python SoS process runs, it redacts the specified content before it can be captured in the archive file.

Note

Use this redaction method if you are running Red Hat Enterprise Linux 6.10, 7.9, 8.3 and later.

How the YAML files work

The /etc/insights-client/file-redaction.yaml file lists commands and files that you want redacted. When the process runs, it redacts the output of the listed commands and files.

The /etc/insights-client/file-content-redaction.yaml file defines pattern redaction and keyword replacement. For pattern redaction, the process redacts patterns or regular expressions that match those specified in the YAML file. For keyword replacement, the process replaces the specified keywords with generic identifiers.

6.3.1. Configuring the YAML command for file redaction

The /etc/insights-client/file-redaction.yaml file lists the commands and system files that you want redacted. When the Python SoS process runs, it does not include the output of the listed commands or files in the uploaded archive file.

Prerequisites

  • You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-redaction.yaml file.

    Example

    # file-redaction.yaml
    ---
    # Exclude the entire output of commands
    #   Specify the full command path or the symbolic name in .cache.json
    
    commands:
    - /bin/rpm -qa
    - /bin/ls
    - ethtool_i
    
    # Exclude the entire output of files
    #  Specify the full filename path or the symbolic name in .cache.json
    
    files:
    - /etc/audit/auditd.conf
    - cluster_conf

  2. Verify that the file-redaction.yaml file permissions are set for root owner only.

    [root@insights]# ll file-redaction.yaml
    -rw-------. 1 root root 145 Sep 25 17:39 file-redaction.yaml

6.3.2. Configuring YAML pattern and keyword redaction

The /etc/insights-client/file-content-redaction.yaml file redacts files using two methods: pattern redaction and keyword replacement. Pattern redaction uses either a pattern match or regular expression match. In keyword replacement, a Python SoS process replaces the keyword with a generic identifier.

Prerequisites

  • You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-content-redaction.yaml file.

    Example

    # file-content-redaction.yaml
    ---
    # Pattern redaction per matching line
    #  Lines that match a pattern are excluded from files and command output.
    #  Patterns are processed in the order that they are listed.
    # Example
    
    patterns:
     - "a_string_1"
     - "a_string_2"
    
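    # Regular expression pattern redaction per line
    #  Use "regex:" to wrap patterns with regular expressions
    #  A YAML file can hold only one "patterns:" key, so use either the
    #  plain list above or this regex form, not both.
    # Example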
    
    patterns:
     regex:
     - "abc.*def"
     - "localhost[[:digit:]]"
    
    
    # Keyword replacement redaction
    #  Replace keywords in files and command output with generic identifiers
    #  Keyword does not support regex
    # Example
    
    keywords:
    - "1.1.1.1"
    - "My Name"
    - "a_name"

  2. Make sure the file-content-redaction.yaml file permissions are set for root owner only.

    [root@insights]# ll file-content-redaction.yaml
    -rw-------. 1 root root 145 Sep 25 17:39 file-content-redaction.yaml

6.4. Verifying the Insights client archive

You can verify the contents of the archive file. By inspecting the archive file, you can confirm what data is sent to Red Hat Insights for Red Hat Enterprise Linux.

If you use obfuscation or redaction, you can inspect the archive before it is sent. If you want to preserve the archive file, you can keep it on your system.

6.4.1. Verifying the archive before uploading

To inspect the archive before the Python SoS script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run Insights client and then save the file without uploading it. This allows you to view the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.

The archive file is stored in the /var/tmp/ directory. When insights-client completes, it displays the file name.

Prerequisites

  • If you use redaction, make sure the /etc/insights-client/remove.conf file is properly configured.
  • If you use obfuscation, make sure the /etc/insights-client/insights-client.conf file is properly configured.

Procedure

  1. Enter the insights-client command with the --no-upload option.

    [root@insights]# insights-client --no-upload

    The command displays informational messages when redaction or obfuscation is applied.

    WARNING: Excluding data from files
    Starting to collect Insights data for ITC-4
    WARNING: Skipping patterns found in remove.conf
    WARNING: Skipping command /bin/dmesg
    WARNING: Skipping command /bin/hostname
    WARNING: Skipping file /etc/cluster/cluster.conf
    WARNING: Skipping file /etc/hosts
    Archive saved at /var/tmp/qsINM9/insights-ITC-4-20190925180232.tar.gz

  2. Navigate to the temporary storage directory as shown in the Archive saved at message.

    [root@insights]# cd /var/tmp/qsINM9/

  3. Unpack the compressed tar.gz file.

    [root@insights]# tar -xzf insights-ITC-4-20190925180232.tar.gz

    The script creates a new directory that contains the files.
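
Reading the unpacked files by eye does not scale, so the inspection can be automated: search every file in the saved archive for the literal patterns and keywords you configured and report any that survived. The following Python is an added example, not part of insights-client; scan_archive, build_sample_archive, and the member paths in the sample are assumptions, and only plain substring matches are checked (not the YAML regex form).

```python
import io
import tarfile

def scan_archive(archive, patterns=(), keywords=()):
    """Return (member, line_no, kind, needle) for each redaction string still present.

    archive: path to the .tar.gz file, or a binary file object.
    """
    needles = [("pattern", p) for p in patterns] + [("keyword", k) for k in keywords]
    source = {"name": archive} if isinstance(archive, str) else {"fileobj": archive}
    findings = []
    with tarfile.open(mode="r:gz", **source) as tar:
        for member in tar:
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for kind, needle in needles:
                    if needle in line:  # substring match, no regular expressions
                        findings.append((member.name, line_no, kind, needle))
    return findings

def build_sample_archive():
    """Constructed stand-in for a saved archive; the layout is illustrative only."""
    files = {
        "insights-sample/data/etc/fstab": "/dev/sda1 / xfs defaults 0 0\n",
        # Line 2 should have been dropped by the 'password' pattern.
        "insights-sample/data/etc/app.conf": "user=keyword0\ndb_password=hunter2\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            raw = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    hits = scan_archive(build_sample_archive(),
                        patterns=["password", "username"], keywords=["super$ecret"])
    for member, line_no, kind, needle in hits:
        print("%s:%d still contains %s '%s'" % (member, line_no, kind, needle))
```

On a real system, pass the path printed in the Archive saved at message together with the same strings you listed on the patterns= and keywords= lines; an empty result means none of them remain in the archive.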

6.4.2. Verifying the Insights client archive after uploading

To keep a copy of the archive for inspection after the Python SoS script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run insights-client and then save the file. This allows you to verify the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.

Prerequisites

  • If you use redaction, make sure the /etc/insights-client/remove.conf file is properly configured.
  • If you use obfuscation, make sure the /etc/insights-client/insights-client.conf file is properly configured.

Procedure

  1. Enter the insights-client command with the --keep-archive option.

    [root@insights]# insights-client --keep-archive

    The command displays informational messages.

    Starting to collect Insights data for ITC-4
    Uploading Insights data.
    Successfully uploaded report from ITC-4 to account 6229994.
    Insights archive retained in /var/tmp/ozM8bY/insights-ITC-4-20190925181622.tar.gz

  2. Navigate to the temporary storage directory displayed in the Insights archive retained in message.

    [root@insights]# cd /var/tmp/ozM8bY/

  3. Unpack the compressed tar.gz file.

    [root@insights]# tar -xzf insights-ITC-4-20190925181622.tar.gz

    The script creates a new directory that contains the files.