Registering Systems with Red Hat Insights
Objectives
After completing this section, students should be able to explain what Red Hat Insights is and how it complements OpenSCAP, and register a Red Hat Enterprise Linux server with Red Hat Insights.
Introducing Red Hat Insights
Red Hat Insights is a predictive analytics tool to help you identify and remediate threats to security, performance, availability, and stability to systems running Red Hat products in your infrastructure.
Red Hat Insights is delivered as a Software-as-a-Service (SaaS) product, so you can deploy and scale it quickly with no additional infrastructure requirements.
In addition, this means you can immediately take advantage of the latest recommendations and updates from Red Hat specific to your deployed systems.
Red Hat regularly updates the knowledge base used by Red Hat Insights based on common support risks, security vulnerabilities, known-bad configurations, and other issues identified by Red Hat.
Actions to mitigate or remediate these issues are validated and verified by Red Hat.
This allows you to proactively identify, prioritize, and resolve issues before they become a larger problem.
Red Hat Insights recommendations are tailored to each system registered to the service.
Client systems are installed with an agent that collects metadata about the runtime configuration of your system.
This data is a subset of what you would provide to Red Hat Support using sosreport.
You can further limit or obfuscate the data that your clients send, but depending on what you limit, certain analytics will not be able to operate.
Almost immediately after registration and the initial system metadata synchronization, you should be able to see your system in the Red Hat Insights interface.
Depending on how your systems are registered, you can access this interface through the Red Hat Customer Portal or, starting with Red Hat Satellite 6.3, through your Satellite Server.
Red Hat Insights can recommend next actions tailored for each of your systems, and even automate tasks with Ansible Playbooks.
Red Hat Insights currently provides predictive analytics and recommendations for these Red Hat products:
Red Hat Enterprise Linux 6.4 and later
Red Hat Enterprise Linux 7 and later
Red Hat Virtualization 4 and later
Red Hat OpenShift Container Platform
Red Hat Cloud Suite 6 and Red Hat Cloud Infrastructure 6 and later
OpenSCAP and Red Hat Insights
OpenSCAP scanning and Red Hat Insights are complementary tools.
OpenSCAP allows you to set a compliance policy based on certain standard rules.
You can then use OpenSCAP to ensure that machines meet that compliance policy, and use materials such as Ansible Playbooks, shell scripts, and human-readable recommendations provided by the policy to remediate noncompliant machines.
In contrast, Red Hat Insights allows you to react proactively to emerging security threats, misconfigurations, or other risks identified by Red Hat.
If new risks are identified, whether software configuration issues or even hardware micro-architecture issues such as Spectre and Meltdown, updates to Red Hat Insights can help you quickly detect them and mitigate or remediate them.
The Insights recommendations may provide materials such as Ansible Playbooks and human-readable recommendations to implement mitigation and remediation.
In addition, Red Hat Insights may provide information about other issues with your systems that may impact your performance, availability, or stability.
It also provides estimates of the risk presented by those issues.
Details of the Red Hat Insights Architecture
A client may be registered to Red Hat Insights through the Customer Portal Subscription Management service or through a Red Hat Satellite Server that is connected to Red Hat Insights.
When the client is registered, it provides Red Hat Insights with metadata about the runtime configuration of the system.
The data is sent to Red Hat Insights using TLS encryption.
It is anonymized before it is sent to Red Hat Insights for analysis.
Based on the recommendations provided by the Red Hat Insights rule engine, results are sent back to the customer and are displayed on the Red Hat Insights interface on the Customer Portal or the Satellite Server web UI.
Installing Red Hat Insights Clients
To configure Red Hat Insights for Red Hat Enterprise Linux servers, install the insights-client package on the system.
Important
The insights-client package replaces the older redhat-access-insights package starting with Red Hat Enterprise Linux 7.5.
If your system is registered for software entitlements through the Customer Portal Subscription Management service, you can activate Red Hat Insights with one command.
Use the insights-client --register command to register the system.
[root@demo ~]# insights-client --register
In this configuration, your system's Red Hat Insights reports will be accessible to your account on https://access.redhat.com/insights/.
Note
If you want to register through your Red Hat Satellite Server, you need to make sure that the Satellite Server is configured to allow the Insights service and that your client is registered for the Subscription Management service through the Satellite.
This is discussed in more detail later in this section.
The Insights client periodically updates the metadata provided to Red Hat Insights.
Use the insights-client command to upload the client's metadata at any time.
[root@demo ~]# insights-client
Starting to collect Insights data for demo.lab.example.com
Uploading Insights data.
Successfully uploaded report from 773b351b-dfb1-4393-afa8-915cc2875e06 to account XXXXX.
Registering a RHEL 7 System with Red Hat Insights in the Customer Portal
To register a RHEL system to Red Hat Insights using the Insights Customer Portal, the overall process is as follows:
Interactively register a Red Hat Enterprise Linux 7 system with the Red Hat Subscription Management service on the Customer Portal.
[root@demo ~]# subscription-manager register --auto-attach
A valid entitlement for Red Hat Insights must be attached to the system, which you might receive as part of a Smart Management subscription.
The standard RHEL 7 Server package channels must also be enabled.
Install the insights-client package on the system.
This package is in the rhel-7-server-rpms channel.
[root@demo ~]# yum install insights-client
Use the insights-client --register command to register the system with the Red Hat Insights service and upload initial system metadata.
[root@demo ~]# insights-client --register
Verify that the system is visible at https://access.redhat.com/insights on the Red Hat Insights portal.
Integrating Insights with Red Hat Satellite
Red Hat Insights can be integrated with your Red Hat Satellite Server.
This allows you to access Red Hat Insights reports for your clients through a menu in the Red Hat Satellite Server's web UI.
The Satellite Server must still get this information from the Red Hat Insights service on the Red Hat Customer Portal.
Before setting this up, any Satellite Organizations on your Red Hat Satellite Server that use Red Hat Insights for their hosts need to be running in Connected mode.
The Satellite Server must also be able to communicate with https://cert-api.access.redhat.com using the HTTPS protocol on TCP port 443.
To enable the Red Hat Insights integration with the Satellite Server, you need to go to the menu and select .
On the page that opens, you need to make sure that Enable Service is selected in the Access Insights Service Configuration section.
In the Insights Engine Connection section, you should see a status Connected.
Click Check Connection to retest the connectivity to the Insights API endpoint.
Subscribe your Red Hat Enterprise Linux systems to the Satellite Server, and register them with Red Hat Insights.
You can do this manually in the usual way.
Alternatively, you can automate the installation and registration of the Red Hat Insights client for an entire host group by applying the access_puppet_clients Puppet class to those hosts.
By default, only the Satellite Server administrators can view the Red Hat Insights report and configuration screens on your server.
You can assign predefined roles to the Satellite Server users to grant them access to these screens.
Table 11.1. Red Hat Insights Roles in Satellite Server
| Role | Permissions provided by role |
|---|---|
| Access Insights Admin | View, add, and edit Red Hat Insights rules. Can use → and other configuration screens. |
| Access Insights Viewer | View Red Hat Insights reports and rules. |
Demonstration: Registering a RHEL System to Red Hat Insights using Satellite Server
Log in to the Satellite Server's web UI as a user with the Access Insights Admin role.
Verify that the Satellite Server can successfully communicate with Red Hat Insights.
In the Satellite Server's web interface, navigate to → .
Verify that the engine connection status is Connected and the account number displayed is correct for your organization.
Navigate to → .
Click the host group org-hostgroup1 to open the group for editing.
In the Edit org-hostgroup1 page, click the Puppet Classes tab.
Click the + to add the access_insights_clients Puppet class listed under the access_insights_clients Puppet module.
Click Submit.
Register a Red Hat Enterprise Linux system to that host group on the Satellite Server.
The insights-client package should automatically be installed, and the system should automatically register with Red Hat Insights.
From the Satellite Server's web interface, verify that the host successfully registered.
In the Satellite UI, navigate to → .
Verify that the host is listed in the NEWEST SYSTEMS section.
Verify that the host is also visible in Red Hat Insights on the Customer Portal at https://access.redhat.com/insights.
This is configurable on the Customer Portal on the Configuration tab under Settings.
Important
You can configure Red Hat Insights results for systems registered to Red Hat Satellite so that they must be viewed on the Satellite Server, or so that they may be viewed on both the Satellite Server and in your account on the Customer Portal.
You need to have Organization Administrator rights for your organization on the Customer Portal to configure this.
Log in to Red Hat Insights through the Customer Portal, and on the Configuration tab, select Settings and ensure that Show Satellite Systems is selected or cleared based on your preferences.
More information is available in the Knowledgebase article "Viewing Satellite-managed systems in Red Hat Insights Customer Portal".
Controlling Data Sent to Red Hat Insights
Red Hat is committed to protecting the security of the metadata Red Hat Insights processes, to limiting the data we collect and how long it is retained, and to ensuring the secure transmission, processing, and analysis of the data by this tool.
Information on some of the steps that Red Hat takes is available at "Red Hat Insights Security" and "System Information Collected by Red Hat Insights".
These steps include ensuring that Red Hat Insights is an opt-in feature and that you have control of the information that is monitored.
The Red Hat Insights client can be configured to restrict the data sent to Red Hat Insights.
You can exclude specific configuration files, commands, patterns, and keywords.
To enable this, first configure insights-client with an exclusion file that contains information about what to exclude.
Edit the /etc/insights-client/insights-client.conf file so that it includes a remove_file parameter to specify the location of the exclusion file.
This file is normally called /etc/insights-client/remove.conf.
remove_file=/etc/insights-client/remove.conf
The Red Hat Insights client can also filter the metadata before uploading it.
The /etc/insights-client/insights-client.conf file contains two options for obfuscating data before uploading:
To obfuscate IP addresses, set the obfuscate parameter to True.
This will also enable obfuscation of keywords configured in the exclusion file.
To obfuscate host names, set the obfuscate_hostname parameter to True.
Next, edit the /etc/insights-client/remove.conf file (or whatever file remove_file specifies) to indicate a comma-separated list of files to exclude, commands not to run, patterns not to send, and keywords to obfuscate (if obfuscate is set to True in the insights-client.conf file).
[remove]
files=/etc/passwd,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=password$ecret
You can also review the data that the client uploads to Red Hat Insights.
Use the following steps to collect the data but prevent the client from uploading it.
Use the insights-client --no-upload command to collect the data but prevent it from being uploaded.
The data collected is archived and stored on the client.
[root@demo ~]# insights-client --no-upload
Starting to collect Insights data
See Insights data in /var/tmp/oLUbKq/insights-demo-20180810110933.tar.gz
To inspect the data collected, extract the files from the archive and review them.
The System Information Collected by Red Hat Insights Knowledgebase article documents the list of commands that are executed by the Red Hat Insights client and the data it collects.
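The review step can be automated before uploads are allowed. The following Python code is an added example, not part of the original course text or of Red Hat's tooling: it checks a --no-upload archive against the [remove] rules shown above and reports excluded files that are still present and files whose content contains a listed pattern or keyword. It assumes that collected files keep their original path as a suffix of the archive member name and that patterns and keywords match as literal substrings; the commands= list is not checked, and the archive it runs on is constructed.

```python
import configparser
import io
import tarfile

# The page's remove.conf example.
REMOVE_CONF = """[remove]
files=/etc/passwd,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=password$ecret
"""

def load_rules(text):
    """Parse the [remove] section; every value is a comma-separated list."""
    cp = configparser.RawConfigParser()  # Raw: values are never interpolated
    cp.read_string(text)
    return {key: [v.strip() for v in cp.get("remove", key, fallback="").split(",") if v.strip()]
            for key in ("files", "patterns", "keywords")}

def audit_archive(tar_bytes, rules):
    """Return sorted (kind, member, rule) findings; file content is never echoed."""
    findings = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in (m for m in tar.getmembers() if m.isfile()):
            # Assumption: a collected file keeps its original path as a suffix.
            for path in rules["files"]:
                if ("/" + member.name).endswith(path):
                    findings.add(("excluded-file-present", member.name, path))
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for kind in ("patterns", "keywords"):
                for rule in rules[kind]:
                    if rule in text:  # assumption: literal substring match
                        findings.add((kind[:-1] + "-leak", member.name, rule))
    return sorted(findings)

def build_sample_archive(files):
    """Constructed input: a gzip tar built from {member name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()

if __name__ == "__main__":
    demo = build_sample_archive({"insights-demo/etc/hosts": "192.0.2.10 demo\n",
                                 "insights-demo/etc/app.conf": "db_password=hunter2\n"})
    print(audit_archive(demo, load_rules(REMOVE_CONF)))
```

An empty result means none of the checked rules were violated in that archive; any finding names the archive member and the rule to investigate before the client is allowed to upload.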