rho(1) rho User Commands rho(1)

rho - Discover and manage product entitlement metadata on your network.

rho command subcommand [options]

Rho, and the rho command, is a network discovery and inspection tool to
identify environment data, or facts, such as the number of physical and
virtual systems on a network, their operating systems and other
configuration data, and versions of some key packages and products for almost
any Linux or UNIX version. The ability to discover and inspect the
software and systems that are running on the network improves your
ability to understand and report on your entitlement usage. Ultimately,
this discovery and inspection process is part of the larger system
administration task of managing your inventories.

Rho uses two types of profiles to manage the discovery and inspection
process. An authentication profile contains credentials such as the
username and password or SSH key of the user that runs the discovery
and inspection process. A network profile defines the network, such as
a host, subnet, or network that is being monitored, plus includes one
or more authentication profiles to use to access that network during
the discovery and inspection process. You can save multiple
authentication profiles and network profiles to use with Rho in various
combinations as you run discovery and inspection processes, or scans.

By default, the authentication profiles and network profiles that are
created when using Rho are stored in encrypted files. The files are
encrypted with AES-256 encryption and are decrypted when the rho
command runs, by using a vault password to access the files.

Rho is an agentless discovery and inspection tool, so there is no need
to install the tool on multiple systems. Discovery and inspection for
the entire network is centralized on a single machine.

This man page describes the commands, subcommands, and options for the
rho command and includes basic usage information. For more detailed
information and examples, including best practices, see the Rho README
file.

rho performs four major tasks:

· Creating authentication profiles:

rho auth add ...

· Creating network profiles:

rho profile add --name=X --hosts X Y Z --auth A B

· Running a scan:

rho scan --profile=X --reportfile=Y

· Working with facts that are gathered in a scan:

rho fact ...

The following sections describe these commands, their subcommands, and
their options in more detail.

Use the rho auth command to create and manage authentication profiles.

An authentication profile defines a set of user credentials to be used
during a scan. These user credentials include a username and a
password or SSH key. Rho uses SSH to connect to servers on the network and
uses authentication profiles to obtain the user credentials that are
required to access those servers.

When a scan runs, it uses a network profile that contains the host
names or IP addresses to be accessed. The network profile also
contains references to the authentication profiles that are required to
access those systems. A single network profile can contain a reference
to multiple authentication profiles as needed to connect to all systems
in that network.

Creating and Editing Authentication Profiles
To create an authentication profile, supply SSH credentials as either a
username-password pair or a username-key pair. Rho stores each set of
credentials in a separate authentication profile entry.

rho auth add --name=name --username=username (--password | --sshkeyfile=key_file) [--sudo-password] [--vault=vault_file]

--name=name

Required. Sets the name of the new authentication profile. For
the value, use a descriptive name that is meaningful to your
organization. For example, you could identify the user or server
that the authentication profile relates to, such as admin12 or
server1_jdoe. Do not include the password as part of this value,
because the value for the --name option might be logged or
printed during rho execution.

--username=username

Required. Sets the username of the SSH identity that is used to
bind to the server.

--password

Prompts for the password for the --username identity. Mutually
exclusive with the --sshkeyfile option.

--sshkeyfile=key_file

Sets the path of the file that contains the private SSH key for
the --username identity. Mutually exclusive with the --password
option.

--sudo-password

Prompts for the password to be used when running a command that
uses sudo on the systems to be scanned.

--vault=vault_file

Contains the path of the file that contains the vault password.
The vault password is the password that controls access to the
encrypted Rho data such as authentication and network profiles,
scan data, and other information. If you do not have a file to
use as the value for this option, do not use the option. You
are then prompted to enter the vault password or to create a new
vault password if one does not exist. At any time, you can save
this password in a file such as a text file. You can then use
the --vault option in subsequent Rho commands. Because the
encrypted Rho data could contain sensitive information, make sure
that this vault password file is stored in a location that has
limited access.

The information in an authentication profile, such as a password, sudo
password, SSH keys, or even the username, might change. For example,
network security might require passwords to be updated every few
months. Use the rho auth edit command to change the SSH credential
information in an authentication profile. The parameters for
rho auth edit are the same as those for rho auth add.

rho auth edit --name=name --username=username (--password | --sshkeyfile=key_file) [--sudo-password] [--vault=vault_file]

Listing and Showing Authentication Profiles
The rho auth list command returns the details for every authentication
profile that is configured for Rho. This output includes the name,
username, password, SSH keyfile and sudo password for each entry.
Passwords are masked if provided; if not, they appear as null.

rho auth list [--vault=vault_file]

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

The rho auth show command is the same as the rho auth list command,
except that it returns details for a single specified authentication
profile.

rho auth show --name=name [--vault=vault_file]

--name=name

Required. Contains the authentication profile entry to display.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

Clearing Authentication Profiles
As the network infrastructure changes, it might be necessary to delete
some authentication profiles. Use the clear subcommand to delete
authentication profiles.

IMPORTANT: Remove or change the authentication profile from any network
profile that uses it before clearing an authentication profile.
Otherwise, any attempt to use the network profile to run a scan runs the
command with a nonexistent authentication profile, an action that
causes the rho command to fail.

rho auth clear (--name name | --all) [--vault=vault_file]

--name=name

Contains the authentication profile to clear. Mutually
exclusive with the --all option.

--all

Clears all stored authentication profiles. Mutually exclusive
with the --name option.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

Use the rho profile command to create and manage network profiles.

A network profile defines a collection of network information,
including IP addresses or host names, SSH ports, and SSH credentials. The
SSH credentials are provided through reference to one or more
authentication profiles. A discovery and inspection scan can reference a
network profile so that the act of running the scan is automatic and
repeatable, without a requirement to reenter network information for each
scan attempt.

Creating and Editing Network Profiles
To create a network profile, supply one or more host names or IP
addresses to connect to with the --hosts option and the authentication
profiles needed to access those systems with the --auth option. The
rho profile command allows multiple entries for each of these options.
Therefore, a single network profile can access a collection of servers
and subnets as needed to create an accurate and complete scan.

rho profile add --name=name --hosts ip_address --auth auth_profile [--sshport=ssh_port] [--vault=vault_file]

--name=name

Required. Sets the name of the new network profile. For the
value, use a descriptive name that is meaningful to your
organization, such as APSubnet or Lab3.

--hosts ip_address

Sets the host name, IP address, or IP address range to use when
running a scan. You can also provide a path for a file that
contains a list of host names or IP addresses or ranges, where
each item is on a separate line. The following examples show
several different formats that are allowed as values for the
--hosts option:

· A specific host name:

--hosts server.example.com

· A specific IP address:

--hosts 192.0.2.19

· An IP address range:

--hosts 192.0.2.[0:255] or --hosts 192.0.2.0/24

· A file:

--hosts /home/user1/hosts_file

--auth auth_profile

Contains the name of the authentication profile to use to
authenticate to the systems that are being scanned. If the
individual systems that are being scanned each require different
authentication credentials, you can use more than one
authentication profile. To add multiple authentication profiles to the
network profile, separate each value with a space, for example:

--auth first_auth second_auth

IMPORTANT: An authentication profile must exist before you
attempt to use it in a network profile.

--sshport=ssh_port

Sets a port to be used for the scan. This value supports
discovery and inspection on a non-standard port. By default, the
scan runs on port 22.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.
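
To review exactly which addresses a network profile will reach before stored credentials are used against them, the --hosts formats above can be expanded into one address per line. This is an added example, not part of rho; it assumes that [lo:hi] is inclusive at both ends and that a /N block covers every address in it, as the 192.0.2.[0:255] and 192.0.2.0/24 pairing above suggests.

```shell
#!/bin/sh
# Added example (not part of rho): expand --hosts entries so the scan scope
# can be reviewed, for instance diffed against an approved address list.
# Assumptions: [lo:hi] is inclusive; /N covers the whole block; IPv4 only.

# expand_entry ENTRY: print one address or host name per line.
expand_entry() (
    e=$1
    case $e in
        *\[*:*\]*)
            # Bracket range such as 192.0.2.[0:255]
            pre=${e%%\[*}; rest=${e#*\[}
            rng=${rest%%\]*}; post=${rest#*\]}
            i=${rng%%:*}; hi=${rng#*:}
            while [ "$i" -le "$hi" ]; do
                echo "$pre$i$post"
                i=$((i + 1))
            done ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)
            # CIDR block such as 192.0.2.0/24
            ip=${e%/*}; bits=${e#*/}
            IFS=.; set -- $ip            # split the dotted quad into $1..$4
            size=$((1 << (32 - bits)))
            base=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & ~(size - 1) ))
            n=0
            while [ "$n" -lt "$size" ]; do
                a=$((base + n))
                echo "$(( (a >> 24) & 255 )).$(( (a >> 16) & 255 )).$(( (a >> 8) & 255 )).$(( a & 255 ))"
                n=$((n + 1))
            done ;;
        *)
            # Single host name or IP address
            echo "$e" ;;
    esac
)

# expand_hosts_file FILE: expand every non-empty line of a hosts file,
# the format accepted by --hosts /path/to/file.
expand_hosts_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        expand_entry "$line"
    done < "$1"
}

# When run as a script, expand each argument, for example:
#   sh expand-hosts.sh server.example.com '192.0.2.[0:255]'
for e in "$@"; do
    expand_entry "$e"
done
```

Sorting the output with sort -u and comparing it with the list of systems you are authorized to inspect shows any address that would fall outside that list.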

The information in a network profile might change as the structure of
the network changes. Use the rho profile edit command to edit a
network profile to accommodate those changes.

Although rho profile options can accept more than one value, the
rho profile edit command is not additive. To edit a network profile
and add a new value for an option, you must enter both the current and
the new values for that option. Include only the options that you want
to change in the rho profile edit command. Options that are not
included are not changed.

rho profile edit --name name [--hosts ip_address] [--auth auth_profile] [--sshport=ssh_port] [--vault=vault_file]

For example, if a network profile contains a value of server1creds for
the --auth option, and you want to change that network profile to use
both the server1creds and server2creds authentication profiles, you
would edit the network profile as follows:

rho profile edit --name=myprofile --auth server1creds server2creds

TIP: After editing a network profile, use the rho profile show command
to review those edits.

Listing and Showing Network Profiles
The rho profile list command returns the details for all configured
network profiles. The output of this command includes the host names,
IP addresses, or IP ranges, the authentication profiles, and the ports
that are configured for each network profile.

rho profile list [--vault=vault_file]

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

The rho profile show command is the same as the rho profile list
command, except that it returns details for a single specified network
profile.

rho profile show --name=profile [--vault=vault_file]

--name=profile

Required. Contains the network profile to display.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

Clearing Network Profiles
As the network infrastructure changes, it might be necessary to delete
some network profiles. Use the rho profile clear command to delete
network profiles.

rho profile clear (--name=name | --all) [--vault=vault_file]

--name=name

Contains the network profile to clear. Mutually exclusive with
the --all option.

--all

Clears all stored network profiles. Mutually exclusive with the
--name option.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

Use the rho fact command to view information that can be reported in a
scan or to alter the contents of a report that is created from the
rho scan command.

Listing Facts
To generate a list of facts that can be gathered during the discovery
and inspection scanning process, use the rho fact list command.

rho fact list [--filter=reg_ex]

--filter=reg_ex

Optional. Contains a regular expression to use to provide a
filtered view of the list of facts. For example, the uname.*
string returns only those facts that contain that string in the
fact name.

Hashing Facts
To encrypt sensitive facts within the comma separated values (CSV) file
output of a scan, use the rho fact hash command. The sensitive facts
that are hashed with this command are connection.host, connection.port,
uname.all, and uname.hostname.

rho fact hash --reportfile=file [--outputfile=path]

--reportfile=file

Contains the path of the comma-separated values (CSV) report
file to read as input.

--outputfile=path

Contains the path of the comma-separated values (CSV) report
file to be written as output. Creates a new report with the
sensitive facts encrypted.

Use the rho scan command to run discovery and inspection scans on the
network. This command scans all of the host names or IP addresses that
are defined in the supplied network profile, and then writes the report
information to a comma separated values (CSV) file. Note: Any ssh-agent
connection set up for a target host will be used as a fallback if it
exists.

rho scan --profile=profile_name --reportfile=file [--facts file or list of facts] [--scan-dirs=file or list of remote directories] [--cache] [--vault=vault_file] [--logfile=log_file] [--ansible-forks=num_forks]

--profile=profile_name

Contains the name of the network profile to use to run the scan.

--reportfile=file

Sets the path of the report file to create from the scan output.
This file is saved in the comma-separated values (CSV) format.

--facts fact1 fact2

Contains the list of facts that are returned in the scan report.
You can provide multiple values for this option, with each value
separated by a space, or provide a path to a file that contains
a list of facts, where each fact is on a separate line. The
list below is included as an example and is not exhaustive. Use
the rho fact list command to get the full list of available
facts.

· cpu.count: number of processors

· cpu.cpu_family: cpu family

· cpu.model_name: cpu model name

· cpu.vendor_id: cpu vendor name

· dmi.bios-vendor: bios vendor name

· etc-release.etc-release: contents of /etc/release (or equivalent)

· instnum.instnum: installation number

· connection.uuid: unique id associated with scan

· connection.ip: ip address

· connection.port: ssh port

· redhat-release.name: name of package that provides 'redhat-release'

· redhat-release.release: release of package that provides 'redhat-release'

· redhat-release.version: version of package that provides 'redhat-release'

· systemid.system_id: Red Hat Network system id

· systemid.username: Red Hat Network username

· virt.virt: host, guest, or baremetal

· virt.type: type of virtual system

· uname.all: uname -a (all)

· uname.hardware_platform: uname -i (hardware_platform)

· uname.hostname: uname -n (hostname)

· uname.kernel: uname -r (kernel)

· uname.os: uname -s (os)

· uname.processor: uname -p (processor)

--scan-dirs dir1 dir2

Contains the list of directories on remote systems to scan for
products. This option is intended to help scope a scan for
systems with a very large file system under the root directory.
You can provide multiple values for this option, with each value
separated by a space, or provide a path to a file that contains
a list of directories, where each directory is on a separate
line.

--cache

Restricts the scope of the scan to the hosts that were
discovered in the previous scan. Use this option to discover software
on hosts that were discovered in a previous scan. Do not use
this option to scan for new hosts.

--vault=vault_file

Contains the path of the file that contains the vault password.
Because the encrypted Rho data could contain sensitive information,
make sure that this vault password file is stored in a
location that has limited access.

--logfile=log_file

Contains the path of the log file for this instance of the
rho scan command.

--ansible-forks=num_forks

Sets the number of systems to scan in parallel. The default
number is 50 concurrent connections.

The following options are available for every Rho command.

--help

Prints the help for the rho command or subcommand.

-v

Enables the verbose mode. The -vvv option increases verbosity
to show more information. The -vvvv option enables connection
debugging.

Creating a new authentication profile with a keyfile
rho auth add --name=new-creds --username=rho-user --sshkeyfile=/etc/ssh/ssh_host_rsa_key

Creating a new authentication profile with a password
rho auth add --name=other-creds --username=rho-user-pass --password

Creating a new profile
rho profile add --name=new-profile --hosts 1.192.0.19 --auth new-creds

Editing a profile
rho profile edit --name=new-profile --hosts 1.192.0.[0:255] --auth new-creds other-creds

Running a scan with a profile
rho scan --profile=new-profile --reportfile=/home/jsmith/Desktop/output.csv

The authentication profile credentials that are used to access servers
are stored with the network profile configuration in an AES-256
encrypted configuration file. A vault password is used to access this
file. The vault password and decrypted file contents are in the system
memory, and could theoretically be written to disk if memory swapping
is enabled.

Although you can run the rho command without prompts (such as
scheduling a cron job) by using a file to pass the vault password, the use of
a file for vault password storage is not without risk; therefore, its
use requires caution. The vault password allows access to encrypted
Rho data that could contain sensitive information. Make sure that this
vault password file, if used, is stored in a location that has limited
access.
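
One way to enforce the limited-access requirement before an unattended run, as an added example that is not part of rho or its documentation: a POSIX shell wrapper that checks the vault password file and only then calls rho scan with --vault. The report and log locations under $HOME/rho-reports and the script name in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of rho): validate a vault password file before
# handing it to rho with --vault in a cron job.

# vault_file_ok FILE: succeeds only if FILE is a regular file (not a
# symlink), owned by the calling user, with no group/other permission
# bits, in a directory that group and other cannot write to.
vault_file_ok() (
    f=$1
    set -f                                  # no globbing while splitting ls output
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "vault file must be a regular file, not a symlink: $f" >&2
        exit 1
    fi
    set -- $(ls -ldn -- "$f")               # $1 = mode string, $3 = numeric owner
    if [ "$3" != "$(id -u)" ]; then
        echo "vault file is not owned by uid $(id -u): $f" >&2
        exit 1
    fi
    case $1 in
        ????------*) ;;                     # e.g. -rw------- or -r--------
        *)
            echo "vault file has group/other permission bits ($1): $f" >&2
            exit 1 ;;
    esac
    # Anyone who can write to the directory can swap the file out.
    set -- $(ls -ldn -- "$(dirname "$f")")
    case $1 in
        ?????w*|????????w*)
            echo "directory of vault file is group/other writable ($1)" >&2
            exit 1 ;;
    esac
    exit 0
)

# scheduled_scan VAULT_FILE PROFILE: run the scan only if the check passes.
# Output paths are placeholders chosen for this example.
scheduled_scan() (
    vault_file_ok "$1" || exit 1
    umask 077                               # report and log hold host facts
    mkdir -p "$HOME/rho-reports" || exit 1
    rho scan --profile="$2" --vault="$1" \
        --reportfile="$HOME/rho-reports/$2.csv" \
        --logfile="$HOME/rho-reports/$2.log"
)

# When run as a script with two arguments (for example from cron):
#   sh rho-scan-wrapper.sh /path/to/vault_file profile_name
if [ "$#" -ge 2 ]; then
    scheduled_scan "$1" "$2"
fi
```

A vault password file that passes this check can be created with umask 077 in effect, so that it is never readable by other users even briefly.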

The rho tool was originally written by Adrian Likins
<alikins-at-redhat.com>, Devan Goodwin <dgoodwin-at-redhat.com>, Jesus M. Rodriguez
<jesusr-at-redhat.com>, and Chris Snyder <csnyder@redhat.com> of Red
Hat, Inc. rho has continued to be enhanced by Karthik Harihar
Reddy Battula <karthikhhr@gmail.com>, Chris Hambridge
<chambrid@redhat.com>, and Noah Lavine <nlavine@redhat.com>.

(c) 2017 Red Hat, Inc. Licensed under the GNU Public License version
2.

version 0.0.34 May 28, 2018 rho(1)