Chapter 6. Insights client data redaction
Red Hat Insights for Red Hat Enterprise Linux collects a minimal amount of data, including data that might contain personally identifiable information (PII). To prevent PII (or other configuration data) from being collected, apply data redaction.
6.1. Insights client data redaction options
The Insights client provides data redaction options. Depending on your version of RHEL, there are two methods for controlling data redaction.
| RHEL Version | Redaction method |
|---|---|
| RHEL 6.9, 7.8, 8.2, and earlier | Configuration file
|
| RHEL 6.10, 7.9, 8.3 and later | YAML files
|
You must create the remove.conf configuration file or the YAML files. They are not installed by default.
Additional resources
- For information about how Red Hat Insights for Red Hat Enterprise Linux handles data collection, see Red Hat Insights Data & Application Security.
6.2. Using remove.conf to redact data
When you use a configuration file for data redaction, the contents of the file control which data is redacted, as well as how it is redacted. The default configuration file is /etc/insights-client/remove.conf. As an option, you can also configure the Insights client to use a different redaction configuration file.
Based on your entries in the redaction configuration file, you can specify one or more of the following actions:
- Eliminate specific files and their content from data collection
- Eliminate selected command output from data collection
- Eliminate information that matches a pattern
-
Substitute specific strings with a default
keywordstring
When you configure redaction by elimination, the redacted information is never recorded in the archive file. Redaction is performed by preprocessing the data before it is captured in the archive file.
For redaction by string substitution, the archive file is processed by a Python SoS process before it is sent to Red Hat Insights for Red Hat Enterprise Linux.
The remove.conf file does not support regular expression matching.
You can use command line options to control the archive file output. For example, you can generate the archive file, but not send it to Red Hat Insights for Red Hat Enterprise Linux. You can inspect and verify the redaction results before sending the archive.
When you redact files and command output, that information is not available to compare against the Insights for Red Hat Enterprise Linux rules. These omissions might cause Insights for Red Hat Enterprise Linux to not identify issues that apply to your system.
6.2.1. Configuring Insights data redaction using remove.conf
The /etc/insights-client/remove.conf file controls Insights client data redaction. You must manually create this file.
Use this redaction method if you are running Red Hat Enterprise Linux 6.9, 7.8, 8.2, and earlier.
Prerequisites
- Root-level access to your system.
Procedure
Use an editor to create the
/etc/insights-client/remove.conffile template.[remove] files=/etc/cluster/cluster.conf,/etc/hosts commands=/bin/dmesg,/bin/hostname patterns=password,username keywords=super$ecret,ultra$ecret+
- Optional. Delete any lines in the file that you do not want to apply to Insights client redaction.
- Save the file and exit the editor.
Use the command line to verify that the
remove.conffile permissions are set forrootowner only.[root@insights]# ll remove.conf -rw-------. 1 root root 145 Sep 25 17:39 remove.conf
6.2.2. Redacting specific file content
You can use the remove.conf file to select specific files to redact. The files that you select and their content are not included in the archive file.
Prerequisites
-
The
/etc/insights-client/remove.conffile must exist. If you have not already created theremove.conffile, create it. - Root-level access to your system.
Procedure
Open the
/etc/insights-client/remove.conffile in an editor.[remove] files=/etc/cluster/cluster.conf,/etc/hosts commands=/bin/dmesg,/bin/hostname patterns=password,username keywords=super$ecret,ultra$ecret+
On the
files=line, add or remove the files that you want to redact from the archive file.NoteEach file name is separated by a single comma. Do not use spaces.
-
Optional. If you do not want to redact any files from the Insights client archive, remove the
files=line. - Save and close the file.
6.2.3. Redacting specific commands
You can use the remove.conf file to redact specific commands. The output of the redacted commands is not included in the archive file.
Prerequisites
-
The
/etc/insights-client/remove.conffile must exist. If you have not already created theremove.conffile, create it. - Root-level access to your system.
Procedure
Open the
/etc/insights-client/remove.conffile in an editor.[remove] files=/etc/cluster/cluster.conf,/etc/hosts commands=/bin/dmesg,/bin/hostname patterns=password,username keywords=super$ecret,ultra$ecret+
On the
commands=line, add the commands that you want to redact from the archive file, or remove any that you do not want redacted.NoteSeparate each command with a single comma. Do not use spaces.
-
Optional. If you do not want to redact any files from the Insights client archive, remove the
files=line. - Save and close the file.
6.2.4. Redacting string patterns
You can use the remove.conf file to redact specific string patterns from the archive file.
If you specify a string pattern to redact, the process redacts all the lines in the archive file that contain that pattern. For example, if the string pattern is name, that pattern matches and redacts hostname, filename, username.
Regular expressions and wildcard matching (egrep) are not supported.
Prerequisites
-
The
/etc/insights-client/remove.conffile must exist. If you have not already created theremove.conffile, create it. - Root-level access to your system.
Procedure
Open the
/etc/insights-client/remove.conffile in an editor.[remove] files=/etc/cluster/cluster.conf,/etc/hosts commands=/bin/dmesg,/bin/hostname patterns=password,username keywords=super$ecret,ultra$ecret+
On the
patterns=line, add any string patterns that you want to redact from the archive file.NoteSeparate each string pattern with a single comma. Do not use spaces.
-
Optional. If you do not want to redact any patterns from the archive file, remove the
patterns=line. - Save and close the file.
6.2.5. Redacting keywords
You can use the remove.conf file to redact specific keywords. The Python SoS process replaces the keywords you select with keyword0, keyword1, keyword2, etc., in the archive file.
Prerequisites
-
The
/etc/insights-client/remove.conffile must exist. If you have not already created theremove.conffile, create it. - Root-level access to your system.
Procedure
Open the
/etc/insights-client/remove.conffile in an editor.[remove] files=/etc/cluster/cluster.conf,/etc/hosts commands=/bin/dmesg,/bin/hostname patterns=password,username keywords=super$ecret,ultra$ecret+
On the
keywords=line, add any keywords that you want to redact from the archive file.NoteSeparate each string pattern with a single comma. Do not use spaces.
-
Optional. If you do not want to redact any keywords from the archive file, remove the
keywords=line. - Save and close the file.
6.2.6. Validating the remove.conf file
You can validate the remove.conf file to make sure its syntax is correct before using it for redaction.
Prerequisites
-
The
/etc/insights-client/remove.conffile must exist. If you have not already created theremove.conffile, create it. - Root-level access to your system.
Procedure
Enter the
insights-clientcommand with the--validateoption.[root@insights]# insights-client --validate
- Correct any errors that the command displays.
6.3. Using YAML files for redaction
When you use YAML files for redaction, two files control the redaction actions:
-
file-redaction.yaml -
file-content-redaction.yaml
You can use one or both files, depending on the content you want to redact. When the Python SoS process runs, it redacts the specified content before it can be captured in the archive file.
Use this redaction method if you are running Red Hat Enterprise Linux 6.10, 7.9, 8.3 and later.
How the YAML files work
The /etc/insights-client/file-redaction.yaml lists commands and files that you want redacted. When the process runs, it redacts the output of the listed commands and files.
The /etc/insights-client/file-content-redaction.yaml defines pattern redaction and keyword replacement. For pattern redaction, the process redacts patterns or regular expressions that match those specified in the YAML file. For keyword replacement, the process replaces the specified keywords with generic identifiers.
6.3.1. Configuring the YAML command for file redaction
The /etc/insights-client/file-redaction.yaml file lists the commands and system files that you want redacted. When the Python SoS process runs, it does not include the output of the listed commands or files in the uploaded archive file.
Prerequisites
- You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
- You must have root-level access to the system.
Procedure
Use an editor to create the
/etc/insights-client/file-redaction.yamlfile.Example
# file-redaction.yaml --- # Exclude the entire output of commands # Specify the full command path or the symbolic name in .cache.json commands: - /bin/rpm -qa - /bin/ls - ethtool_i # Exclude the entire output of files # Specify the full filename path or the symbolic name in .cache.json files: - /etc/audit/auditd.conf - cluster_conf
Verify that the
file-redaction.yamlfile permissions are set forrootowner only.[root@insights]# ll file-redaction.yaml -rw-------. 1 root root 145 Sep 25 17:39 file-redaction.yaml
6.3.2. Configuring YAML pattern and keyword redaction
The /etc/insights-client/file-content-redaction.yaml file redacts files using two methods: pattern redaction and keyword replacement. Pattern redaction uses either a pattern match or regular expression match. In keyword replacement, a Python SoS process replaces the keyword with a generic identifier.
Prerequisites
- You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
- You must have root-level access to the system.
Procedure
Use an editor to create the
/etc/insights-client/file-content-redaction.yamlfile.Example
# file-content-redaction.yaml --- # Pattern redaction per matching line # Lines that match a pattern are excluded from files and command output. # Patterns are processed in the order that they are listed. # Example patterns: - "a_string_1" - "a_string_2" # Regular expression pattern redaction per line # Use "regex:" to wrap patterns with regular expressions" # Example patterns: regex: - "abc.*def" - "localhost[[:digit:]]" # Keyword replacement redaction # Replace keywords in files and command output with generic identifiers # Keyword does not support regex # Example keywords: - "1.1.1.1" - "My Name" - "a_name"
Make sure the
file-content-redaction.yamlfile permissions are set forrootowner only.[root@insights]# ll file-content-redaction.yaml -rw-------. 1 root root 145 Sep 25 17:39 file-content-redaction.yaml
6.4. Verifying the Insights client archive
You can verify the contents of the archive file. By inspecting the archive file, you can confirm what data is sent to Red Hat Insights for Red Hat Enterprise Linux.
If you use obfuscation or redaction, you can inspect the archive before it is sent. If you want to preserve the archive file, you can keep it on your system.
6.4.1. Verifying the archive before uploading
To inspect the archive before the Python SoS script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run Insights client and then save the file without uploading it. This allows you to view the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.
The archive file is stored in the /var/tmp/ directory. When insights-client completes, it displays the file name.
Prerequisites
-
If you use redaction, make sure the
/etc/insights-client/remove.conffile is properly configured. -
If you use obfuscation, make sure the
/etc/insights-client/insights-client.conffile is properly configured.
Procedure
Enter the
insights-clientcommand with the--no-uploadoption.[root@insights]# insights-client --no-upload
The command displays informational messages when redaction or obfuscation is applied.
WARNING: Excluding data from files Starting to collect Insights data for ITC-4 WARNING: Skipping patterns found in remove.conf WARNING: Skipping command /bin/dmesg WARNING: Skipping command /bin/hostname WARNING: Skipping file /etc/cluster/cluster.conf WARNING: Skipping file /etc/hosts Archive saved at /var/tmp/qsINM9/insights-ITC-4-20190925180232.tar.gz
Navigate to the temporary storage directory as shown in the
Archive saved atmessage.[root@insights]# cd /var/tmp/qsINM9/
Unpack the compressed
tar.gzfile.[root@insights]# tar -xzf insights-ITC-4-20190925180232.tar.gz
The script creates a new directory that contains the files.
6.4.2. Verifying the Insights client archive after uploading
To keep a copy of the archive for inspection after the Python SoS script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run insights-client and then save the file. This allows you to verify the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.
Prerequisites
-
If you use redaction, make sure the
/etc/insights-client/remove.conffile is properly configured. -
If you use obfuscation, make sure the
/etc/insights-client/insights-client.conffile is properly configured.
Procedure
Enter the
insights-clientcommand with the--keep-archiveoption.[root@insights]# insights-client --keep-archive
The command displays informational messages.
Starting to collect Insights data for ITC-4 Uploading Insights data. Successfully uploaded report from ITC-4 to account 6229994. Insights archive retained in /var/tmp/ozM8bY/insights-ITC-4-20190925181622.tar.gz
Navigate to the temporary storage directory displayed in the
Insights archive retained inmessage.[root@insights]# cd /var/tmp/ozM8bY/
Unpack the compressed
tar.gzfile.[root@insights]# tar -xzf insights-ITC-4-20190925181622.tar.gz
The script creates a new directory that contains the files.
