Red Hat Insights Engineering / RHINENG-8743

Compliance scanning overwrites obfuscated hostname for client


    • Type: Bug
    • Resolution: Duplicate
    • Insights Core


      Description of Problem

      Running a compliance scan on a client registered to insights with an obfuscated hostname results in the actual hostname leaking to the RH cloud console.

      How reproducible

      Always

      Steps to Reproduce

      1. Register host to insights with:
        insights-client --register --verbose > registration.out

        With conf file:

      [insights-client]
      auto_update=True
      obfuscate=True
      obfuscate_hostname=True 

      Check log files / RH cloud console. Confirm host is registered with obfuscated hostname.

      $ hostname_report=`cat registration.out | grep -E 'Hostname Report' | head -1 | awk '{print $9}'`
      
      $ cat $hostname_report
      
      Obfuscated Hostname,Original Hostname
      4676545896eb.example.com,myHostsActualName
      $ cat /etc/rhsm/facts/insights-client.facts | jq -r '.["insights_client.hostnames"]'
      
      [{"original": "myHostsActualName", "obfuscated": "4676545896eb.example.com"}]
      $ cat /var/lib/insights/host-details.json | jq .
      
      # shortened for brevity
      "results": [
        {
          "fqdn": "4676545896eb.example.com"
        ],
        "display_name": "4676545896eb.example.com",
        "ansible_host": "null"
      }
      2. Assign host to compliance policy in RH console, then run insights compliance scan:
        insights-client --compliance --verbose > compliance-scan.out

      Checking logs shows 'fqdn' sent to Red Hat contains actual hostname. 

      $ cat compliance-scan.out | grep -E 'Canonical facts collected' -A10 | grep fqdn
      
      "fqdn": "myHostsActualName"
      $ cat /var/lib/insights/host-details.json | jq .
      
      # shortened for brevity
      "results": [
        {
          "fqdn": "myHostsActualName"
        ],
        "display_name": "myHostsActualName",
        "ansible_host": "null"
      }

      In RH console, host is reporting its non-obfuscated hostname under 'Inventory -> Systems'. Drilling down on the host shows non-obfuscated hostname under 'hostname', 'Display name' and 'Ansible hostname'.

      3. Run an insights upload:
        insights-client --verbose > upload.out

      Check logs, 'fqdn' and 'display_name' showing obfuscated values

       
      $ cat /var/lib/insights/host-details.json | jq .
      
      # shortened for brevity
      "results": [
        {
          "fqdn": "4676545896eb.example.com"
        ],
        "display_name": "4676545896eb.example.com",
        "ansible_host": "null"
      }

      Check RH cloud console, host showing obfuscated values for 'hostname', 'Display name' and 'Ansible hostname' again.

      Actual Behavior

      See above

      Expected Behavior

      Compliance scan should preserve obfuscated details and not leak the client's actual hostname

      Business Impact / Additional info

      Additional info:

      Client is RHEL 8.6

      Insights versions:

      Client: 3.2.2

      Core: 3.3.11-1

      Insights data is being proxied via Satellite (with obfuscate hostname / ipv4 turned on. Auto inventory upload off). Satellite version is 6.13.5.
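
The manual checks in the reproduction steps can be automated as a post-run check. The following is an added example, not part of the original ticket or of insights-client: it reads the original-to-obfuscated mapping from the facts file and flags any `fqdn`, `display_name` or `ansible_host` value in `host-details.json` that still contains an original hostname. The full JSON layout of both files and the function names are assumptions; the ticket only shows abbreviated output.

```python
import json
import sys

FACTS_PATH = "/etc/rhsm/facts/insights-client.facts"      # path from the ticket
DETAILS_PATH = "/var/lib/insights/host-details.json"      # path from the ticket
WATCHED_KEYS = ("fqdn", "display_name", "ansible_host")   # fields the ticket inspects


def load_hostname_map(facts):
    """Return {original: obfuscated} from the parsed facts file."""
    raw = facts.get("insights_client.hostnames") or []
    if isinstance(raw, str):  # assumption: the fact may be stored as a JSON-encoded string
        raw = json.loads(raw)
    return {e["original"]: e["obfuscated"] for e in raw if e.get("original")}


def find_leaks(details, hostname_map):
    """Return (json_path, value) for every watched field containing an original hostname."""
    originals = [o.lower() for o in hostname_map]
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key in WATCHED_KEYS and isinstance(value, str):
                    if any(o in value.lower() for o in originals):
                        leaks.append((here, value))
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}/{i}")

    walk(details, "")
    return leaks


# Constructed samples using the ticket's values; the full JSON layout is assumed.
SAMPLE_FACTS = {"insights_client.hostnames": json.dumps(
    [{"original": "myHostsActualName", "obfuscated": "4676545896eb.example.com"}])}
AFTER_REGISTER = {"results": [{"fqdn": "4676545896eb.example.com",
                               "display_name": "4676545896eb.example.com", "ansible_host": "null"}]}
AFTER_COMPLIANCE = {"results": [{"fqdn": "myHostsActualName",
                                 "display_name": "myHostsActualName", "ansible_host": "null"}]}

if __name__ == "__main__":
    with open(FACTS_PATH) as f, open(DETAILS_PATH) as d:
        found = find_leaks(json.load(d), load_hostname_map(json.load(f)))
    for path, value in found:
        print(f"LEAK {path}: {value}")
    sys.exit(1 if found else 0)
```

Run as a script on the client after each `insights-client` invocation; a non-zero exit status means a watched field in the local `host-details.json` no longer carries the obfuscated value.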

              Assignee: Unassigned
              Reporter: Bryce Chambers (bchamber@redhat.com)