Red Hat Insights is a Software-as-a-Service (SaaS) product that helps administrators report on applicable errata and known configuration issues as well as proactively identify security issues. Insights makes you aware of potential service-impacting problems before they happen, letting you plan how to address them before there is an issue that might affect production. Access to Red Hat Insights is included with every Red Hat Enterprise Linux (RHEL) subscription, so there is nothing extra to buy. This article covers the basics of how to register with Red Hat Insights, how to use it, and a couple of examples to demonstrate its remediation capabilities.
To begin, the directions step you through the process of getting started with Insights. This interactive page asks you how you want to register your systems and provides appropriate guidance. The output below is from my server registered to the Red Hat customer portal. To begin with, make sure that the insights-client RPM is installed:
[root@opendemo ~]# rpm -q insights-client
insights-client-3.0.14-3.el7_9.noarch
That RPM is included in the base RHEL repo, and for RHEL 8 systems, it is typically already installed. However, if it isn't installed on your system, use this command to install it:
# yum install insights-client
Registering the new system
Once the package is installed, you can manually register the system:
[root@opendemo ~]# insights-client --register
Successfully registered host opendemo
Automatic scheduling for Insights has been enabled.
Starting to collect Insights data for opendemo
Uploading Insights data.
Successfully uploaded report from opendemo to account <redacted>.
View the Red Hat Insights console at https://cloud.redhat.com/insights/
[root@opendemo ~]#
To see your system in the Insights console, go to Red Hat Insights and then click the link on the left side for the inventory. You just registered your system, so it should be at the top of the list, but if not, you can filter for the hostname. Clients can be registered directly to the Customer Portal, to a Red Hat Satellite server, or through a proxy server. Independent of where your client was registered, you will see it listed at cloud.redhat.com, as long as it has network connectivity to the public internet.
Remediating the system
At this point, you're ready to start investigating the findings and remediating what is appropriate. Look at the Insights dashboard to see the issues detected on the host you registered, and choose one that you want to fix. For this demonstration, I use the PassengerMinInstances setting for Apache that was detected by Insights. In this case, you see a misconfiguration not on RHEL but on one of the workloads running on a RHEL server, Red Hat Satellite. The Insights Advisor service calls these topics. In this example, for Satellite, the Insights team has taken common best practices and built them into recommendations. Even though you're looking at this Satellite topic, there are also topics for other (non-Red Hat) workloads such as AWS, Azure, SAP, and SQL.
To resolve this, check the box:
And then click the Remediate button at the top of the page:
You're presented with a screen to either add this to an existing playbook or create a new playbook. In this case, make a new playbook and then click Next:
A reboot is required, and so you need to approve that:
You can click the Remediations link on the left side of the page to review this new playbook and the previous playbook that you've created. At this point, you can download the playbook and run it using Ansible in any method you prefer. In this environment, I have Smart Management and Satellite. I've configured an optional component called Cloud Connector, which connects Satellite and cloud.redhat.com so I can fix issues right from within Insights. This requires some additional configuration that isn't mentioned in this article.
Since this is enabled, I have the Execute playbook button available.
Now it's time to run the remediation. Click the blue Execute playbook button and then click Execute playbook on 1 system. Optionally, click the Download playbook button if you want to review what will happen first. When you start the job, you'll see its status:
When it finishes, you'll see the updated status:
The above steps have shown you how to register systems and then view them at cloud.redhat.com. To use Insights from within your Red Hat Satellite server, the process is similar. However, while cloud.redhat.com offers a variety of capabilities as part of Insights, the Satellite offers only the Advisor service. For this example, my client will be ansibleclient, and it is registered to my Satellite server opendemo. Just like having a client registered to the Customer Portal and using Insights there, my client needs to have the insights-client RPM installed and the insights-client --register command run.
If you deploy Insights at scale, there are Ansible playbooks and Puppet modules available to make this simpler than manually registering each system to Insights. Additionally, if you are a Satellite user, Satellite has a built-in Ansible role to deploy and register Insights to hosts. To use that, follow these steps.
First, be sure the Satellite has the correct repo enabled:
# subscription-manager repos --enable=rhel-7-server-extras-rpms
Then install the roles package:
# satellite-maintain packages install rhel-system-roles
At this point, you can see the roles in the Satellite system:
[root@opendemo ~]# ls /usr/share/ansible/roles/
linux-system-roles.kdump    linux-system-roles.selinux   project-receptor.satellite_receptor_installer  rhel-system-roles.network  rhel-system-roles.storage
linux-system-roles.network  linux-system-roles.storage   RedHatInsights.insights-client                 rhel-system-roles.postfix  rhel-system-roles.timesync
linux-system-roles.postfix  linux-system-roles.timesync  rhel-system-roles.kdump                        rhel-system-roles.selinux  theforeman.foreman_scap_client
[root@opendemo ~]#
In the WebUI of the Satellite, mouse over Configure and then click on Roles for Ansible. If you haven't imported any roles, you'll see a message saying that, and you'll need to click the blue button to import them:
After that, check the box for RedHatInsights.insights-client and then click Submit:
You can then assign the Ansible role to a client by editing the client:
After saving that, you can schedule a remote job to run the Ansible roles job. At that point, your client will get registered to Insights:
[root@ansibleclient ~]# insights-client --status
System is NOT registered locally via .registered file. Unregistered at 2020-11-30T09:25:46.771856
Insights API says this machine was unregistered at 2020-11-30T14:25:46.000Z
[root@ansibleclient ~]# insights-client --status
System is registered locally via .registered file. Registered at 2020-11-30T10:47:06.453351
Insights API confirms registration.
[root@ansibleclient ~]#
You can confirm the system has been registered with Insights in the Satellite server by hovering over Insights in the Satellite's WebUI and then clicking Inventory. Again, from inside of Red Hat Satellite, you see only the Advisor service. Other services, such as Vulnerability, Compliance, and Drift, are available from only cloud.redhat.com.
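The two insights-client --status outputs above can also be checked in bulk from the command line. The following is an added example, not part of the original article or of Red Hat's tooling: it classifies saved status output and lists hosts that are not cleanly registered. The function names and the one-file-per-host <hostname>.status layout are assumptions, and only the message strings shown above are recognised.

```shell
# Classify the text printed by `insights-client --status`.
# Recognises only the message forms shown in this article; anything
# else is reported as "unknown" rather than guessed at.
classify_insights_status() {
    local_state=unknown
    api_state=unknown
    case "$1" in
        *"System is NOT registered locally"*) local_state=unregistered ;;
        *"System is registered locally"*)     local_state=registered ;;
    esac
    case "$1" in
        *"Insights API confirms registration"*)              api_state=registered ;;
        *"Insights API says this machine was unregistered"*) api_state=unregistered ;;
    esac
    if [ "$local_state" = "$api_state" ]; then
        printf '%s\n' "$local_state"
    else
        # Local marker file and the Insights API disagree: worth a closer look.
        printf 'mismatch(local=%s,api=%s)\n' "$local_state" "$api_state"
    fi
}

# List every host whose saved status is not cleanly "registered".
# $1: directory with one <hostname>.status file per host (assumed layout),
#     e.g. filled by running `insights-client --status` on each host.
report_not_registered() {
    for f in "$1"/*.status; do
        [ -e "$f" ] || continue
        verdict=$(classify_insights_status "$(cat "$f")")
        [ "$verdict" = registered ] || printf '%s %s\n' "$(basename "$f" .status)" "$verdict"
    done
}

# Constructed input: the "registered" output shown in the article.
sample='System is registered locally via .registered file. Registered at 2020-11-30T10:47:06.453351
Insights API confirms registration.'
classify_insights_status "$sample"
```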
At this point, go to your Satellite's WebUI and then the Actions for Insights. Here, you can see that there is an action available for SMBloris:
Check the box and then click the dropdown for Actions:
Create a new plan and click Save. You can then see the targeted systems for this remediation, and if you want, you can download the playbook before running it:
When you click Run Playbook, you can see the task in Satellite:
After a minute or two, it shows a 100% Success message:
Confirm that the smb.conf file was corrected:
[root@ansibleclient ~]# diff /etc/samba/smb.conf /etc/samba/smb.conf-withsmbloris
16d15
< max smbd processes = 1000
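To run the same confirmation on other Samba hosts without a saved copy to diff against, the following added example (not part of the original article or of the Insights playbook) reads an smb.conf and reports whether the [global] section sets max smbd processes to a positive value, as the corrected file above does. The function names and sample files are constructed for illustration.

```shell
# Print the [global] "max smbd processes" value from an smb.conf file,
# or 0 (Samba's default, meaning no limit) when the parameter is absent.
# "include" directives are not followed; `testparm -s` gives the merged view.
smbd_process_limit() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && /=/ {
            eq = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                # names ignore case and spaces
            if (key == "maxsmbdprocesses") {
                limit = substr($0, eq + 1); gsub(/[ \t\r]/, "", limit)
            }
        }
        END { print (limit == "" ? 0 : limit) }
    ' "$1"
}

# Exit 0 when a positive limit is set, 1 when unset or 0, 2 when unparsable.
check_smbd_limit() {
    limit=$(smbd_process_limit "$1")
    case "$limit" in
        ''|*[!0-9]*) echo "UNKNOWN: cannot parse value '$limit'"; return 2 ;;
    esac
    if [ "$limit" -gt 0 ]; then
        echo "OK: max smbd processes = $limit"
    else
        echo "FINDING: max smbd processes unset or 0 (no limit)"
        return 1
    fi
}

# Constructed samples: one without the parameter, one with the line
# the article's diff shows (spacing and case varied on purpose).
before=$(mktemp); after=$(mktemp)
printf '[global]\n\tworkgroup = SAMBA\n[homes]\n\tbrowseable = No\n' > "$before"
printf '[Global]\n\tMax SMBD Processes = 1000\n' > "$after"
check_smbd_limit "$before" || true    # prints the FINDING line
check_smbd_limit "$after"             # prints the OK line
rm -f "$before" "$after"
```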
This article introduced you to registering systems to use the services at cloud.redhat.com and then one approach to applying remediations for various issues. Using Red Hat Insights, you will be better equipped to proactively keep your Red Hat Enterprise Linux environment compliant, stable, and secure. Some of the other services offered at cloud.redhat.com are Red Hat OpenShift Cluster Manager, Automation Analytics for Red Hat Ansible Automation Platform, Subscription Watch, and Cost Management for Red Hat OpenShift.
Additional information on getting started with Red Hat Insights is available at: