Introduction to Red Hat Insights

Red Hat Insights is a SaaS application that is available free of charge to everyone with a valid Red Hat Enterprise Linux (RHEL) subscription.

This article provides a brief introduction to Red Hat Insights, shows how RHEL systems are integrated into the cloud service, and lists key documents and resources related to the service.

Author's note: I'm testing the service as part of my job at the Bielefeld IT Service Center (BITS) at Bielefeld University. This article reflects my personal view of Red Hat Insights. Furthermore, I would like to clarify that I am a member of the Red Hat Accelerators community.

What is Red Hat Insights?

Red Hat Insights, also referred to below as simply "Insights," is a cloud service offered by Red Hat for proactive analysis of Red Hat Enterprise Linux (RHEL) environments. It provides information about existing configuration problems, performance, compliance issues, and security vulnerabilities, as well as recommendations on how to resolve them.

Systems connected to Insights are scanned and matched against a set of rules by the locally installed Insights Client to identify and report potential risks to system performance, scalability, availability, and security. Red Hat strives to avoid the collection of personal information.

In addition to reporting, this service can also generate Ansible playbooks to mitigate identified problems. These playbooks could be executed via Ansible Engine on the individual server or through Ansible Tower. The set of rules is maintained and continuously expanded by Red Hat.

Since 2019, Insights has been included in all active Red Hat Enterprise Linux subscriptions. Thus, no additional costs arise from the use of the service. Insights can be used in RHEL installations, regardless of whether they are operated on-premise, in private, hybrid, or public clouds.

The product documentation and an FAQ section can be found at the following URLs 

• Product Documentation for Red Hat Insights
• Red Hat Insights Technical FAQ (Login required)
• System Information Collected by Red Hat Insights
• How can I see what data is collected by Red Hat Insights? (Login required)
• Red Hat Insights—Security Information

If you do not already have access to the above-linked sites, you can register for a free Red Hat Developer Subscription on the Red Hat Developer site. This subscription also gives you access to the Red Hat Knowledge Base.

Data protection and data security

Using a SaaS service like Insights does have a few challenges, particularly for the way our organization operates. If you read the above documentation carefully, you will realize that, in order to provide the service, each connected host collects a lot of data and transfers it to the cloud service. On the one hand, this is necessary for the service to work. Without data to be analyzed, there can be no advice and recommendations. On the other hand, it is possible to draw a fairly accurate map of the network infrastructure from the transferred data.

With the options "--no-upload" or "–-offline," the Insights Client offers the possibility to collect data locally without transferring it to the cloud service. This allows the sysadmin to inspect in advance which data has been collected. And there is the possibility to maintain a deny-list and to specify which data is to be excluded from collection and transfer.

If one imagines the operation of about 100 RHEL servers, which provide various services, it becomes clear that manual control and maintenance of individual deny-list are not affordable for all systems. Especially since the set of rules that determines the data to be collected changes dynamically, and a check would have to be performed before each upload.

Unfortunately, there is no on-premise appliance that allows the use of the service within our perimeter. Also, an allow-list for the Insights Client does not yet exist. The latter would give the users even more control over data collection/transfer. They would have to define what may be transmitted and would not have to fear that, a few days later, further data would be collected and transmitted without their knowledge.

I reported both the desire for an on-premise appliance and the suggestion for the introduction of a allow-list to the Insights team. And even if my greatest wish for the appliance will not be realized in the short or medium term, I feel that I am taken seriously as a user and feel that my feedback is welcome.

Red Hat describes in the documentation linked above that the service does not collect any personal information. Thus, /etc/{passwd,group,shadow} and /home are not included in the collected data. In general, Red Hat discloses a great deal of information about the service and is very transparent about its actions. The company is exemplary in this respect.

If a client stops submitting data, received data is automatically deleted after 14 days. If a client is removed from Insights, the data stored for that client is deleted immediately.

Nonetheless, you lose control over your data once it has been transferred. As with any SaaS, you have to trust the provider to keep its promises.

When trying out a new SaaS, try bringing in your security team early so that they can assess the data privacy and controls used.

Despite these concerns, Insights offers the chance to gain knowledge about problems and vulnerabilities that are unknown so far and pose a greater security risk than the regular data transfer to Insights. Whether the benefits outweigh the risks, however, is a matter for each organization to judge for itself.

Setting up Red Hat Insights on Red Hat Enterprise Linux

The following steps assume that your RHEL systems are registered and have a valid subscription.

Manual setup

To be able to use the full range of Insights functions, the following packages are going to be installed:

$ sudo yum -y install openscap-scanner scap-security-guide insights-client

Please note that the OpenSCAP installation is an optional step associated with the use of Compliance Services. As the Insights Client is already integrated into RHEL 8, it does not need to be installed separately here.

To complete the setup of the Insights Client and to transfer collected data to the SaaS service, just execute the following command:

$ sudo insights-client --register

Automated setup with Ansible

To avoid having to manually perform the necessary steps for setup on each host, the following Ansible Playbook can be used.

---
- hosts: rh-insights-poc # Group from the Ansible-Inventory
  tasks:

  - name: Make sure required packages are present
    yum:
      name:
        - openscap-scanner
        - scap-security-guide
        - insights-client
      state: latest

  - name: Register insights-client
    command: insights-client --register

For my purpose, the above playbook is sufficient. Alternatively, there is a role on Ansible Galaxy with much more functionality—redhatinsights.insights-client .

Once the systems are set up and registered, it is time to log in and explore the Insights Dashboard at https://cloud.redhat.com.

For part two of the series, continue reading here. 

Please look at the following pages for additional information and details:

• Red Hat Insights Technical FAQ (login required)
• Getting started with Insights

[ Want to test your sysadmin skills? Take a skills assessment today. ]