Chapter 10.  Analyzing and Remediating Issues with Red Hat Insights

Abstract

Goal

Identify, detect, and correct common issues and security vulnerabilities with Red Hat Enterprise Linux systems by using Red Hat Insights.

Sections
  • Red Hat Insights and Security (and Guided Exercise)

  • Creating and Reviewing Red Hat Insights Reports (and Guided Exercise)

  • Running OpenSCAP Reports from Red Hat Insights (and Guided Exercise)

  • Integrating Red Hat Insights and Automation Controller (and Guided Exercise)

Red Hat Insights and Security

Objectives

  • Review what Red Hat Insights is, how it is relevant to security, and how to register RHEL systems to use it.

Introducing Red Hat Insights

Red Hat Insights is a predictive analytics tool to help you identify and remediate threats to security, performance, availability, and stability on systems that run Red Hat products in your infrastructure. Insights is delivered as a Software-as-a-Service (SaaS) product, so you can deploy and scale Insights quickly with no additional infrastructure requirements. In addition, you can immediately take advantage of the latest recommendations and updates from Red Hat that are specific to your deployed systems.

Red Hat regularly updates the knowledge base that Insights uses, based on common support risks, security vulnerabilities, insecure configurations, and other issues that are identified by Red Hat. Red Hat validates and verifies the actions to mitigate or remediate these issues. These updates allow you to proactively identify, prioritize, and resolve issues before they become a larger problem.

Insights tailors recommendations for each system that is registered to the service. You can install an agent on client systems that collects metadata about the runtime configuration of your systems. This data is a subset of what you would provide to Red Hat Support by using the sosreport utility. You can further limit or obfuscate the data that your clients send, but this obfuscation might prevent certain analytics from operating, depending on what you limit.

You can begin using Insights immediately after the initial steps to register the system and to synchronize its metadata. Depending on how your systems are registered, you can access this interface through the Red Hat Customer Portal or through your Satellite Server. Insights can recommend next actions that are tailored for each of your systems, and even automate tasks with Ansible Playbooks.

OpenSCAP and Insights

OpenSCAP scanning and Insights are complementary tools.

Instead of reactively resolving issues that you find in OpenSCAP scans, you can use Insights to proactively address emerging security threats, misconfigurations, or other risks that are identified by Red Hat. When security researchers identify new threats, such as software configuration issues or even hardware microarchitecture issues like the Spectre and Meltdown vulnerabilities, updates to Insights can help you to quickly detect issues and mitigate or remediate them. Insights recommendations provide materials such as Ansible Playbooks and human-readable recommendations so that you can implement mitigation and remediation. In addition, Insights provides information about other issues with your systems that might impact your system's performance, availability, or stability. Insights also provides estimates of the risk that is presented by those issues.

Details of the Insights Architecture

You can register a client system to Insights through the Customer Portal Subscription Management service, or through a Red Hat Satellite Server that is connected to Insights. When you register a client, the client provides Insights with metadata about the runtime configuration of the system. Client systems send this metadata to Insights by using TLS encryption. The client anonymizes the data and sends it to Insights for analysis. The Customer Portal or Satellite Server web UI displays the recommendations that the Insights rule engine provides.

Figure 10.1: Insights architecture

Installing Insights Clients

To configure Insights for Red Hat Enterprise Linux servers, install the insights-client package on the system. Red Hat Enterprise Linux 8 and later versions include the client agent preinstalled.

If your system is registered for software entitlements through the Customer Portal Subscription Management service, then you can activate Insights with one command. Use the insights-client --register command to register the system.

[root@host ~]# insights-client --register

In this configuration, your system's Insights reports are accessible by your account at the https://console.redhat.com/insights/ portal.

Note

To register your system through your Red Hat Satellite Server, you must configure Satellite Server to allow the Insights service, and you must register your client for Subscription Management service through Satellite. This process is discussed in more detail in a later chapter.

The Insights client periodically updates the metadata that is provided to Insights. Use the insights-client command to upload the client's metadata at any time.

[root@host ~]# insights-client
Starting to collect Insights data for host.lab.example.com
Uploading Insights data.
Successfully uploaded report from 773b351b-dfb1-4393-afa8-915cc2875e06 to account XXXXX.

Controlling Data Sent to Insights

You can configure the Insights client to restrict the data that it sends to Insights. You can exclude specific configuration files, commands, patterns, and keywords. To enable data restriction, first configure the Insights client with an exclusion file that describes the restrictions. Edit the /etc/insights-client/insights-client.conf file to include a remove_file parameter that specifies the location of the exclusion file, typically the /etc/insights-client/remove.conf file.

remove_file=/etc/insights-client/remove.conf

The Insights client can also filter metadata before uploading it. The /etc/insights-client/insights-client.conf file contains two obfuscation options:

  • To obfuscate IP addresses and keywords, set the obfuscate parameter to the True value.

  • To obfuscate hostnames, set the obfuscate_hostname parameter to the True value.

In the exclusion file that the remove_file parameter points to, you can provide comma-separated lists of the files, commands, patterns, and keywords to exclude.

[remove]
files=/etc/passwd,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=password$ecret

You can also review the data that the client uploads to Insights. Use the insights-client --no-upload command to collect the data, but prevent it from being uploaded.

[root@host ~]# insights-client --no-upload
Starting to collect Insights data
See Insights data in /var/tmp/oLUbKq/insights-demo-20180810110933.tar.gz

The client archives and stores the collected data. To inspect the collected data, extract the archive and review the files.
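
One way to automate that review, as an added example that is not part of the course material or of the Insights client: the script parses the exclusion file shown above and reports archive members that still contain an excluded file, pattern, or keyword. The function names, the sample archive layout, and the literal-string matching of patterns and keywords are assumptions made for illustration; command exclusions are parsed but not audited.

```python
import configparser
import io
import tarfile

REMOVE_CONF = """[remove]
files=/etc/passwd,/etc/hosts
commands=/bin/dmesg
patterns=password,username
keywords=password$ecret
"""

def parse_exclusions(conf_text):
    """Parse the [remove] section into lists of comma-separated values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["remove"] if cp.has_section("remove") else {}
    return {key: [v.strip() for v in section.get(key, "").split(",") if v.strip()]
            for key in ("files", "commands", "patterns", "keywords")}

def audit_archive(archive_bytes, exclusions):
    """Return sorted (member, reason) findings; needles match as literal strings."""
    findings = []
    needles = exclusions["patterns"] + exclusions["keywords"]
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in (m for m in tar.getmembers() if m.isfile()):
            path = "/" + member.name.lstrip("./")
            for excluded in exclusions["files"]:
                if path.endswith(excluded):
                    findings.append((member.name, "excluded file " + excluded))
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            findings += [(member.name, "contains " + n) for n in needles if n in text]
    return sorted(findings)

def build_sample_archive(files):  # helper that builds constructed test input
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed archive with a hypothetical layout; a real one comes from --no-upload.
SAMPLE = build_sample_archive({
    "insights-demo/data/etc/hosts": "127.0.0.1 localhost\n",
    "insights-demo/data/etc/app.conf": "username=svc\nport=8080\n",
})

if __name__ == "__main__":
    print(*audit_archive(SAMPLE, parse_exclusions(REMOVE_CONF)), sep="\n")
```

To audit a real collection, read the bytes of the archive that insights-client --no-upload reports and pass them to audit_archive together with the parsed contents of your exclusion file.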

References

The insights-client(8) and insights-client.conf(5) man pages

For more information, refer to the Getting Started with Red Hat Insights guide at https://access.redhat.com/documentation/en-us/red_hat_insights/2023/html-single/getting_started_with_red_hat_insights

For more information about exclusions and obfuscations, refer to the Opting Out of Sending Metadata from Red Hat Insights Client article at https://access.redhat.com/articles/2025273

For more information about the data collected by the Red Hat Insights client, refer to the System Information Collected by Red Hat Insights article at https://access.redhat.com/articles/1598863

Revision: rh415-9.2-a821299