Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 5. Red Hat Lightspeed client data obfuscation
IP addresses, Media Access Control (MAC) addresses, and hostnames are used to uniquely define a device on the internet. Red Hat Lightspeed has optional controls for excluding the IP address, Media Access Control (MAC) address, and hostname from the data file transmitted to Red Hat and to obfuscate the values within the user interface. This helps to protect the privacy of your systems and users by masking sensitive information.
5.1. Obfuscation overview
The Red Hat Lightspeed client obfuscation feature uses a Python data cleaning process, which you can optionally enable to replace the hostname, IP address, or MAC address with preset values when it processes the Red Hat Lightspeed archive. The processed archive file containing the obfuscated values is then sent to Red Hat Lightspeed. Obfuscation is disabled by default.
- The Python data cleaning process automatically generates the masked values. You cannot choose the values for obfuscation.
- The Red Hat Lightspeed compliance service uses OpenSCAP tools to generate compliance reports based on information from the host system. The collaboration with OpenSCAP prevents the compliance service’s ability to completely obfuscate or redact hostname and IP address data. Also, host information is sent to Red Hat Lightspeed when a compliance data collection job launches on the host system. Red Hat Lightspeed is working to improve obfuscation options for host information.
For information about how Red Hat Lightspeed handles data collection, see Red Hat Lightspeed Data & Application Security.
5.2. Enabling obfuscation in Red Hat Satellite
For more information about enabling obfuscation in Satellite, see the Red Hat Cloud settings chapter of the Administering Red Hat Satellite guide.
Double obfuscation is required if you use Red Hat Satellite to manage clients and register them on console.redhat.com. This means you must enable obfuscation in both the insights-client.conf file and on the Satellite web UI.
5.3. Obfuscating hostnames, IP addresses, and MAC addresses
Red Hat Lightspeed supports the obfuscation of the following internet connectivity protocols:
- IPv4
- IPv6
- Hostname
- MAC address
You can mask the IP address of a host in the archive file before it is sent to Red Hat Lightspeed by setting the obfuscation configuration option, obfuscation_list, in the /etc/insights-client/insights-client.conf file. You can also set a custom display name for the identification of obfuscated hosts to help you identify the host in the Red Hat Hybrid Cloud Console UI.
The following sections describe how to obfuscate the hostname, IP address, and MAC address of a system in Red Hat Lightspeed.
5.3.1. Obfuscating IPv6 IP addresses
If your hosts use IPv6 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.
When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.
The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.
Prerequisites
If you are using Red Hat Satellite to manage clients and register them on
console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:- In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.
Procedure
-
Open the
/etc/insights-client/insights-client.conffile with an editor. Locate the following section:
Specify which will be obfuscated in the data collection, empty by default, and supported options are: ipv4, ipv6, hostname, mac (comma separated list) obfuscation_list=
# Specify which will be obfuscated in the data collection, # empty by default, and supported options are: ipv4, ipv6, hostname, mac # (comma separated list) # obfuscation_list=Copy to Clipboard Copied! Toggle word wrap Toggle overflow Remove the preceding hash (
#) character, beforeobfuscation_list=and add the following line:obfuscation_list=ipv6
obfuscation_list=ipv6Copy to Clipboard Copied! Toggle word wrap Toggle overflow If your configuration file contains the older
obfuscate=Trueorobfuscate=FalseRed Hat Lightspeed obfuscation setting, remove that line of configuration.ImportantThe
obfuscateandobfuscate_hostnameoptions are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file containsobfuscation_listand the deprecated obfuscation options, theobfuscation_listconfiguration takes precedence and you will see a warning message in the output.-
Save and close the
/etc/insights-client/insights-client.conffile.
Result
When obfuscation is successfully enabled, the original IPv6 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.
After you enable obfuscation, you will continue to see the original IP address in the command-line output of some insights-client commands.
Example
Original host system IPv6 addresses:
ff00:f800:f801:f802::f806 ff00:f800:f801:f802:f00:f803:f804:f805 ff01::f00:f803:f804:f805
ff00:f800:f801:f802::f806 ff00:f800:f801:f802:f00:f803:f804:f805 ff01::f00:f803:f804:f805Copy to Clipboard Copied! Toggle word wrap Toggle overflow Obfuscated host IPv6 addresses:
fc47:d0f1:5ae7:e4e9::0477, fc47:d0f1:5ae7:e4e9:fee:3939:5b4a:2c55, 70f1::fee:3939:5b4a:2c55,
fc47:d0f1:5ae7:e4e9::0477, fc47:d0f1:5ae7:e4e9:fee:3939:5b4a:2c55, 70f1::fee:3939:5b4a:2c55,Copy to Clipboard Copied! Toggle word wrap Toggle overflow The following image shows a screen capture of the example obfuscated IPv6 IP addresses in the Red Hat Hybrid Cloud Console UI:
When you enable obfuscation on multiple systems, the same obfuscated IP address gets generated. Therefore, in the scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 70f1::fee:3939:5b4a:2c55. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated IP address in the archive file.
5.3.2. Obfuscating IPv4 IP addresses
If your hosts use IPv4 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.
When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.
The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.
Prerequisites
If you are using Red Hat Satellite to manage clients and register them on
console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:- In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.
Procedure
-
Open the
/etc/insights-client/insights-client.conffile with an editor. Locate the following section:
Specify which will be obfuscated in the data collection, empty by default, and supported options are: ipv4, ipv6, hostname, mac (comma separated list) obfuscation_list=
# Specify which will be obfuscated in the data collection, # empty by default, and supported options are: ipv4, ipv6, hostname, mac # (comma separated list) # obfuscation_list=Copy to Clipboard Copied! Toggle word wrap Toggle overflow Remove the preceding hash (
#) character, beforeobfuscation_list=and add the following line:obfuscation_list=ipv4
obfuscation_list=ipv4Copy to Clipboard Copied! Toggle word wrap Toggle overflow If your configuration file contains the older
obfuscate=Trueorobfuscate=FalseRed Hat Lightspeed obfuscation setting, remove that line of configuration.ImportantThe
obfuscateandobfuscate_hostnameoptions are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file containsobfuscation_listand the deprecated obfuscation options, theobfuscation_listconfiguration takes precedence and you will see a warning message in the output.-
Save and close the
/etc/insights-client/insights-client.conffile.
Result
When obfuscation is successfully enabled, the original IPv4 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.
After you enable obfuscation, you will continue to see the original IPv4 address in the command-line output of some insights-client commands.
Example
The original host system IP address:
192.168.0.24
192.168.0.24Copy to Clipboard Copied! Toggle word wrap Toggle overflow The obfuscated host IP address
10.230.230.1
10.230.230.1Copy to Clipboard Copied! Toggle word wrap Toggle overflow The following screenshot provides an example of an obfuscated IPv4 IP address in the Red Hat Hybrid Cloud Console UI:
When you enable obfuscation on multiple systems, the same obfuscated IP address gets generated. Therefore, in the example scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 10.230.230.1. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated IP address in the archive file.
5.3.3. Obfuscating MAC addresses
You can mask the Media Access Control (MAC) addresses of your hosts in the archive file before it is sent to Red Hat Lightspeed by enabling obfuscation.
The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host MAC address to obfuscate.
Prerequisites
If you are using Red Hat Satellite to manage clients and register them on
console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:- In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.
Procedure
-
Open the
/etc/insights-client/insights-client.conffile with an editor. Locate the following section:
Specify which will be obfuscated in the data collection, empty by default, and supported options are: ipv4, ipv6, hostname, mac (comma separated list) obfuscation_list=
# Specify which will be obfuscated in the data collection, # empty by default, and supported options are: ipv4, ipv6, hostname, mac # (comma separated list) # obfuscation_list=Copy to Clipboard Copied! Toggle word wrap Toggle overflow Remove the preceding hash (
#) character, beforeobfuscation_list=and add the following line:obfuscation_list=mac
obfuscation_list=macCopy to Clipboard Copied! Toggle word wrap Toggle overflow If your configuration file contains the older
obfuscate=Trueorobfuscate=FalseRed Hat Lightspeed obfuscation setting, remove that line of configuration.ImportantThe
obfuscateandobfuscate_hostnameoptions are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file containsobfuscation_listand the deprecated obfuscation options, theobfuscation_listconfiguration takes precedence and you will see a warning message in the output.-
Save and close the
/etc/insights-client/insights-client.conffile.
Result
When obfuscation is successfully enabled, the original MAC address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.
After you enable obfuscation, you will continue to see the original MAC address in the command-line output of some insights-client commands.
Example
The original host system MAC address:
08:00:27:7c:fc:0f
08:00:27:7c:fc:0fCopy to Clipboard Copied! Toggle word wrap Toggle overflow The obfuscated host MAC address
1e:fb:bc:2e:4a:6d
1e:fb:bc:2e:4a:6dCopy to Clipboard Copied! Toggle word wrap Toggle overflow The following image shows a screen capture of the example obfuscated MAC address in the Red Hat Hybrid Cloud Console UI:
When you enable obfuscation on multiple systems, the same obfuscated MAC address gets generated. Therefore, in the example scenario provided, when you search or filter by MAC address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 1e:fb:bc:2e:4a:6d. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated MAC address in the archive file.
5.3.4. Obfuscating hostnames
When you obfuscate the hostnames of your systems in Red Hat Lightspeed, the value of the hostname configured in /etc/hostname is masked in the console GUI and in the archive file before it is sent to Red Hat. When obfuscation is enabled, the hostname value in /etc/hostname changes to a 12-character UUID that is automatically generated by the Python data cleaning process.
An obfuscated hostname can be difficult to recognize. Setting a display name can help you to more easily identify your obfuscated hosts. The display name does not get obfuscated and displays in the Red Hat Lightspeed console UI. Only the value of /etc/hostname gets obfuscated.
Prerequisites
If you are using Red Hat Satellite to manage clients and register them on
console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:- In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.
Procedure
-
Open the
/etc/insights-client/insights-client.conffile with an editor. Locate the following section:
obfuscation_list=
obfuscation_list=Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add the following line to the
obfuscation_listsection to enable hostname obfuscation:obfuscation_list=hostname
obfuscation_list=hostnameCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteTo add multiple obfuscation options, separate them with commas. For example, to obfuscate the hostname and an IPv6 IP address, you would add:
obfuscation_list=hostname,ipv6
obfuscation_list=hostname,ipv6Copy to Clipboard Copied! Toggle word wrap Toggle overflow If your configuration file contains the older
obfuscate_hostname=Trueorobfuscate_hostname=FalseRed Hat Lightspeed obfuscation setting, remove that line of configuration.ImportantThe
obfuscateandobfuscate_hostnameoptions are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file containsobfuscation_listand the deprecated obfuscation options, theobfuscation_listconfiguration takes precedence and you will see a warning message in the output.Optional: Assign a display name to your system so that you can more easily find and manage your obfuscated hosts in the Red Hat Lightspeed console UI by adding the following line:
display_name=example-display-name
display_name=example-display-nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteYou can also set a display name by using the following command:
insights-client --display-name ITC-4
[root@rhlightspeed]# insights-client --display-name ITC-4Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Save and close the
/etc/insights-client/insights-client.conffile.
Result
When obfuscation is successfully enabled, the hostname gets masked in the Red Hat Lightspeed console UI, logs, and any archive data files that Red Hat collects.
- If you configure hostname obfuscation on more than one system, you might see multiple systems with the same hostname in the Red Hat Lightspeed GUI as a result of obfuscation.
-
After you enable obfuscation, there might be instances where the original hostname displays in the command-line output of some
insights-clientcommands.
Example
The original hostname of the system in
/etc/hostname:RTP.data.center.01
RTP.data.center.01Copy to Clipboard Copied! Toggle word wrap Toggle overflow The obfuscated
/etc/hostnameas it displays in Red Hat Lightspeed:90f4a9365ce0.example.com
90f4a9365ce0.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow The following screenshot of the Red Hat Hybrid Cloud Console UI shows an example of a system whose hostname and IP address are obfuscated:
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}